How Will MA 201 CMR 17 Affect Your Business? Part 2

by Compliance Solutions on November 2, 2009

In Part 2 of our review of some of the key changes that took place during the August 2009 amending of the Data Security and Safety Regulations in Massachusetts known as 201 CMR 17, we look at six more important questions addressed by the Office of Consumer Affairs and Business Regulations.

These new regulations take effect on March 1, 2010, which leaves less than four months to prepare as of the writing of this article. This blog is Part 2 in a series addressing important questions and issues regarding these regulations.

For more information about how to prepare for 201 CMR 17, please visit our website. You can also visit Small Business Compliance Solutions at www.bizcompliancesolutions.com for more information on how to protect your company.

Part 2: 201 CMR 17 FAQs

Does the regulation require encryption of portable devices?

Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.

Do all portable devices have to be encrypted?

No. Only those portable devices that contain personal information of customers or employees, and only where technically feasible. The “technical feasibility” language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, BlackBerries, netbooks, iPhones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

Must I encrypt my backup tapes?

You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt it (i.e., the tape allows it), then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled, and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

What does “technically feasible” mean?

“Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Must I encrypt my email if it contains personal information?

If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license?

You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third-party service provider provision in 201 CMR 17.00 is modeled after the third-party vendor provision in the FTC’s Safeguards Rule.

To see the complete FAQ list, you can go to Small Business Compliance Solutions or visit the Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulations. You can visit their website at www.mass.gov/consumer.
