In Part 4 of our review of the Data Security and Safety Regulations in Massachusetts, known as 201 CMR 17, we look at several more important questions: whether the regulations apply to attorneys, what the monitoring obligation entails, and whether all businesses will be judged by the same standard under these regulations.
These new regulations take effect on March 1, 2010, which leaves less than four months to prepare from the writing of this article. This blog post is the fourth and final part in a series addressing important questions and issues regarding these regulations.
For more information about how to prepare for 201 CMR 17, please visit our website. You can also visit Small Business Compliance Solutions at www.bizcompliancesolutions.com for more information on how to protect your company.
Part 4: 201 CMR 17 FAQs
I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?
If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take the steps outlined in 201 CMR 17.00 to protect the personal information, taking into account your size, scope, resources, and need for security.
I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?
Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.
What is the extent of my “monitoring” obligation?
The level of monitoring necessary to ensure that your information security program is protecting against unauthorized access to, or use of, personal information, and is effectively limiting risks, will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be reasonably likely to reveal unauthorized access or use.
Is everyone’s level of compliance going to be judged by the same standard?
Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources available to you, the amount of data you store, and the need for confidentiality. Compliance will be judged on a case-by-case basis.
To see the complete FAQ list, you can go to Small Business Compliance Solutions or visit the Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation at www.mass.gov/consumer.
