Data Security and Safety Regulations in Massachusetts know as 201 CMR 17 were revised in August of 2009 . The first change is that the regulation will take effect on March 1, 2010. The following are some of the key FAQ questions that the Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulations have addressed regarding 201 CMR 17 and personal information safety. This blog is part 1 in a series addressing important questions and issues regarding these regulations.
For more information about how to prepare for 201 CMR 17 please visit our website CLICK HERE. You can also visit Small Business Compliance Solutions at www.bizcompliancesolutions.com for more information on how to protect your company.
Part 1: 201 CMR 17 FAQ’s
What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009?
There are some important differences in the two versions. First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information. Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only. Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements. Fourth, the third party vendor requirements have been changed to be consistent with Federal law.
To whom does this regulation apply?
The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not in commerce.
Does 201 CMR 17.00 apply to municipalities?
No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.
Must my information security program be in writing?
Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.
What about the computer security requirements of 201 CMR 17.00?
All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of “technically feasible” below.) The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.
To see the complete FAQ list you can go to Small Business Compliance Solutions CLICK HERE or visit the Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulations. You can visit their website at www.mass.gov/consumer
