State Privacy Regulation Surveys
Massachusetts Privacy Regulations Surveys
Complying With State Personal Information Privacy Regulations and Federal Privacy Regulations
Quantisoft's State Privacy Regulation Surveys assess how companies and other types of organizations currently handle employee and consumer personal information as part of their effort to comply with state privacy regulations. We conducted a comprehensive State Privacy Regulation Compliance Survey for a leading biotechnology company, enabling them to comply with the Massachusetts Privacy Regulations 201 CMR 17.00.
Quantisoft's Massachusetts Privacy Regulation Survey focuses on gathering comprehensive information required to identify what needs to be done to comply with the Massachusetts Privacy Regulations. The survey collects a wide range of information from employees located both in Massachusetts and across the U.S. Survey reports provide data about the handling of private customer and employee information for the organization overall and for each organizational unit. We customize surveys to meet your company's specific needs.
Achieving compliance with the Massachusetts and many other state personal information privacy regulations and federal privacy regulations requires knowing which employees in your organization receive, handle, store (including on-site and 3rd party off-site storage), transmit and perform other processes with personal information in electronic and paper formats. You are also required to know the sources and where, how and how frequently personal information is received, handled, stored and transmitted. The Massachusetts Privacy Regulations also require having control over document/data retention/destruction schedules where personal information is included. You additionally need to know which automated and manual systems are used for storing and transmitting personal information.
Quantisoft's Privacy Regulation Surveys enable companies and other types of organizations to comply with federal and state privacy laws. The surveys also help avoid costs and negative publicity associated with breaches in personal information privacy due to personal information theft and carelessness on the part of employees while handling personal information of customers and employees.
Following is information that describes the Massachusetts Privacy Regulations in detail and other state privacy regulations in general. This information provides an understanding of what needs to be done to comply with federal and state privacy regulations:
Background - State Privacy Regulations
State privacy regulations safeguarding personal information have been established by over forty states. One of the most recent states to establish privacy regulations and security breach notification requirements is Massachusetts. The Massachusetts Privacy Regulations appear to be the most comprehensive set of state regulations, and they are likely to become the model for other states. The Massachusetts Privacy Regulations require businesses and other holders of personal information to ensure that consumers' information is kept safe. The regulations may affect how your business protects certain confidential personal information, even if you are not located in Massachusetts.
The impetus for the Massachusetts Privacy Regulations included over 450 reported cases of stolen or lost personal information that affected nearly 700,000 Massachusetts residents during 2007-08.
Businesses and other organizations should achieve compliance with at least the minimum requirements of the Massachusetts Privacy Regulations. Doing so will likely minimize future compliance efforts as states and the federal government strengthen their requirements for protecting personal information.
Massachusetts Privacy Regulation 201 CMR 17:00
The Massachusetts Privacy Regulations apply to all businesses and legal entities that collect or store confidential personal data regarding consumers and employees residing in Massachusetts. The regulations also apply to consumers with no physical presence in Massachusetts.
The Massachusetts Privacy Regulations preserve the privacy of consumers and employees by increasing the level of security on personal information held by businesses and other types of organizations. The regulations mandate that personal information, including a combination of a name along with a Social Security number, bank account number, or credit card number be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Encryption of personal information on portable devices carrying identity data including laptops, PDAs and flash drives must also be implemented by Jan. 1, 2010, ensuring increased protection of personal information.
The majority of personal information security breaches involve the theft of portable devices. Data encryption significantly neutralizes consumer risk if information is lost or stolen. Accordingly, the regulations require businesses to encrypt documents containing personal information sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and utilize up-to-date firewall protection that creates an electronic gatekeeper between the data and the outside world and only permits authorized users to access or transmit data.
The Massachusetts Privacy Regulations require businesses and other organizations to prepare and maintain an up to date Written Information Security Program (WISP) to achieve compliance with the Regulation and to prepare for compliance audits. Conducting a State Privacy Regulation Compliance Survey is a highly effective way to gather comprehensive information required for creating a WISP. Personal Information Privacy Compliance Surveys collect information from your company's employees about their handling of employees' and customers' personal information.
Quantisoft has experience helping companies to assess how they are currently handling employee and consumer personal information as part of their effort to comply with state privacy regulations. We conducted a comprehensive personal information privacy compliance survey for a leading biotechnology company, enabling them to comply with the Massachusetts Privacy Regulations 201 CMR 17.00.
Massachusetts Privacy Regulations Compliance Deadlines
- The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new FTC Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. Businesses addressing the new FTC requirements can now address the state regulations during the same time frame.
- The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010. This tiered deadline for requiring certification will ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.
- The deadline for ensuring encryption of laptops was extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices was extended to January 1, 2010. Many data security breaches reported to date relate to laptop computers and laptops are more easily encrypted than other portable devices such as memory sticks, DVDs and PDAs.
201 CMR 17.00 - Answers to Frequently Asked Questions (FAQs)
- Your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who stores or maintains personal information must have a written plan detailing the measures adopted to safeguard such information.
- You are responsible for independent contractors working for you. You have the duty to take all reasonable steps (1) to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and (2) to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.
- You do not have to inventory your paper and electronic records. However, you do need to identify which of your records contain personal information so that you can handle and protect that information in a manner that complies with the regulations. Most small companies already know which files contain this kind of information, and can quickly determine where in the company's paper and electronic systems this information exists.
- You are going to need outside help or in-house IT staff to determine if your current computer system complies with the encryption requirements. Although the definition of encryption is technology neutral, you do need to make sure that the encryption process you are using is transforming the data so that it cannot be understood without the use of a confidential key or process. Free encryption software is available, but unless you are computer savvy, you are going to need an outside IT consultant to help with setup (unless, of course, you have your own IT staff).
- Both the statute and the regulations specify that compliance is to be judged taking into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.
- You will need to do enough training to ensure that employees with access to personal information know what their obligations are regarding the protection of that information as defined by the regulations.
- The Massachusetts regulations require limiting access to personal information only to those individuals who are reasonably required to have access in order to accomplish a legitimate business purpose, or to comply with other state or federal regulations. Whatever is needed for compliance with state or federal laws/regulations is automatically authorized. Otherwise, you should identify your business needs, determine what tasks are reasonably necessary to satisfy those business needs, and identify who must have access to carry out those tasks.
- The correct approach for limiting the amount of personal information collected involves determining your legitimate business needs and identifying the kind of personal information reasonably needed to perform the tasks required to satisfy those business needs. Collection of personal information needed for compliance with state or federal laws/regulations is permitted.
- Your need for new computer software or equipment will depend on whether your current equipment meets the minimum requirements for running the software that will secure any electronic records containing personal information. The versions of the security software and operating system that you currently have must be supported so that they still receive security updates, and your computer equipment must meet the minimum requirements for running the needed software. If not, you will need new software, new hardware, or both.
- The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you are maintaining or storing. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.
- Businesses that store or maintain electronic records, and do not have in-house IT resources or regular access to providers of IT services, will probably need to hire someone to set up user identification protocols, secure access control measures, and firewalls, even if only on a one-time or part-time basis.
Massachusetts Privacy Regulation (201 CMR 17.00) Compliance Checklist
The State of Massachusetts Office of Consumer Affairs and Business Regulation compiled a checklist to help businesses in their effort to comply with 201 CMR 17.00. They emphasize that the checklist is not a substitute for compliance with 201 CMR 17.00. The checklist should be used by businesses and individuals that handle personal information to conform with the Regulations.
Businesses and other organizations should have a Written Information Security Program (WISP) to achieve compliance with the Regulation and to prepare for compliance audits. The following checklist is adapted from the Massachusetts Office of Consumer Affairs and Business Regulation's checklist. Each item identifies an aspect of the regulations that requires attention for a plan to be compliant.
Comprehensive Written Information Security Program (WISP) Checklist
- Your business/other type of organization should have a comprehensive, written information security program (WISP) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts.
- Include administrative, technical, and physical safeguards for personal information protection in your WISP.
- Designate one or more employees to maintain and supervise WISP implementation and performance.
- Identify the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information. As an alternative, you should treat all of your records as if they all contained personal information.
- Identify and evaluate reasonably foreseeable internal and external risks to paper and electronic records containing personal information.
- Evaluate the effectiveness of current safeguards.
- The WISP should include regular ongoing employee training, and procedures for monitoring employee compliance.
- Include disciplinary measures for violators in the WISP.
- Include in the WISP policies and procedures for when and how records containing personal information should be allowed to be kept, accessed or transported off your business premises.
- Include in the WISP immediately blocking terminated employees' physical and electronic access to personal information records (including deactivating their passwords and user names).
- Take all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00.
- Take all reasonable steps to ensure that your third party service providers with access to personal information are applying to personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.
- The amount of personal information that you have and continue to collect should be limited to the amount reasonably necessary to accomplish your legitimate business purposes, or to comply with state or federal regulations.
- The length of time that you are storing records containing personal information should be limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations.
- Access to personal information records should be limited to employees/contractors who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations. Customers/patients should only have access to their own personal information.
- Specify the manner in which physical access to personal information records is to be restricted in your WISP.
- Store records and data containing personal information in locked facilities, storage areas or containers.
- Implement a process for regularly monitoring the WISP to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and for upgrading the WISP as necessary.
- Review security measures at least annually, or whenever there is a material change in business practices that may affect the security or integrity of personal information records. Conducting a Personal Information Assessment Survey is an effective way to gather information for achieving initial and ongoing compliance with the Massachusetts and other state personal information privacy regulations.
- Implement a process for documenting any actions taken in connection with any breach of security. The procedure should require post-incident review of events and actions taken to improve security.
Additional Requirements for Electronic Records
- Implement secure authentication protocols that provide for:
  - Control of user IDs and other identifiers
  - A reasonably secure method of assigning/selecting passwords, and for use of unique identifier technologies (such as biometrics or token devices)
  - Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect
  - Restricting access to personal information to active users and active user accounts
  - Blocking access after multiple unsuccessful attempts to gain access
- Implement secure access control measures that restrict access, on a need-to-know basis, to personal information records and files.
- Assign unique identifications plus passwords (which are not vendor supplied default passwords) to each person with computer access. IDs and passwords should be reasonably designed to maintain the security of those access controls.
- To the extent technically feasible, encrypt all personal information records and files that are transmitted across public networks, and that are to be transmitted wirelessly.
- Encrypt all personal information stored on laptops or other portable devices.
- Implement ongoing monitoring to alert you to the occurrence of unauthorized use of or access to personal information.
- On all systems connected to the Internet, install reasonably up-to-date firewall protection for files containing personal information; and operating system security patches to maintain the integrity of personal information.
- On an ongoing basis ensure that you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions.
- Implement ongoing training for newly hired employees and refresher training for current employees on the proper use of your computer security system, and the importance of personal information security.
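The "secure authentication protocols" and monitoring items in the electronic-records checklist above describe controls rather than a particular product, so the following added example (not Quantisoft's code and not part of the Commonwealth's checklist) shows what a minimal login gate satisfying those items looks like in Python: unique user IDs, passwords stored only as salted PBKDF2 hashes rather than in a readable format, rejection of vendor-default passwords at enrollment, access limited to active accounts, lockout after repeated failed attempts, and an audit trail that a monitoring process can review for unauthorized access. The lockout threshold, the minimum password length, the vendor-default password list and the sample accounts are all constructed for illustration; the regulation itself does not fix these numbers.

```python
"""Added example: a minimal authentication gate implementing the 201 CMR 17.00
'secure authentication protocol' checklist items. Thresholds and sample data
are constructed assumptions, not values taken from the regulation."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold ("multiple unsuccessful attempts")
MIN_PASSWORD_LENGTH = 12       # assumed minimum; the regulation only says "reasonably secure"
PBKDF2_ITERATIONS = 200_000
# Constructed list of vendor-supplied default passwords that must never be accepted.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes              # passwords are stored only as salted hashes
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuthGate:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # feeds the "ongoing monitoring" requirement

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _log(self, event: str, user_id: str, outcome: str) -> None:
        self.audit_log.append((event, user_id, outcome))

    def enroll(self, user_id: str, password: str) -> None:
        """Create an account with a unique ID and a non-default, non-trivial password."""
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("vendor-default or too-short password rejected")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(password, salt))
        self._log("enroll", user_id, "ok")

    def deactivate(self, user_id: str) -> None:
        """Terminated employees lose access immediately (WISP checklist item)."""
        self.accounts[user_id].active = False
        self._log("deactivate", user_id, "ok")

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active or acct.locked:
            # Hash anyway so a missing/locked account is not distinguishable by timing.
            self._hash(password, b"\x00" * 16)
            self._log("login", user_id, "denied")
            return False
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self._log("login", user_id, "ok")
            return True
        acct.failed_attempts += 1
        self._log("login", user_id, "failed")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True              # block access after repeated failures
            self._log("lockout", user_id, "locked")
        return False


def failed_logins(gate: AuthGate) -> list:
    """Monitoring helper: return audit entries that indicate unauthorized access attempts."""
    return [e for e in gate.audit_log if e[0] == "login" and e[2] != "ok"]


if __name__ == "__main__":
    gate = AuthGate()
    gate.enroll("alice", "correct-horse-battery")   # constructed sample credential
    gate.authenticate("alice", "wrong-guess")
    gate.authenticate("alice", "correct-horse-battery")
    for entry in gate.audit_log:
        print(entry)
```

The audit log is deliberately a plain list of (event, user, outcome) tuples so that the monitoring step can be a simple review of non-"ok" outcomes, as `failed_logins` does; in a real deployment the same entries would go to a central log store that the WISP's designated employee reviews.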