The STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (201 CMR 17.00) were adopted by the State of Massachusetts in 2007 and become effective today, March 1, 2010.
These regulations apply to entities that own or license "personal information," which is defined to include a resident's first name (or first initial) and last name in combination with (a) their Social Security number, (b) driver's license number, or (c) financial account numbers (credit card numbers, debit card numbers, etc.) that would permit access to such person's financial accounts.
The new regulations require that businesses develop and implement an information security program containing safeguards appropriate to the size and type of the business. The new regulations also require that businesses ensure their contract service providers comply with the new regulations. The State of Massachusetts is very proactive and is at the forefront of these issues.
The Office of Consumer Affairs and Business Regulation has created a thorough and comprehensive website section to help businesses comply with the new regulations, including a Small Business Guide to help create a comprehensive written information security program, available here.
The Massachusetts regulations pose an interesting issue for businesses that are not located in the State of Massachusetts. In this global economy, it is very likely that any business located in the United States may transact business with a Massachusetts resident and have access to that resident's full name and credit card number as part of a business transaction or the sale of goods or services.
Based upon the Red Flags Rule, these new Massachusetts regulations, and various other laws that are pending in other states, it is clear to me that the state and federal governments are sending the following message to businesses: perform an assessment of your data security practices and implement a written plan to safeguard information and records to the extent technologically feasible.
It is a good idea for businesses to have a comprehensive written information security program that is developed after analyzing the particular risks and vulnerabilities of their information and records, whether or not it is required by the new Massachusetts regulations, the Red Flags Rule, or otherwise. It is much better to have a written plan that is later determined to be insufficient than to have no plan at all.