
The implications for online backup?
Backed up data requires the same processes that the original data requires. Data must be encrypted in transit and at rest and secured under a comprehensive password policy. Specific personnel must be assigned to manage the process. The days of unencrypted backup devices and tapes will soon be over.
(17.02) The regulation applies to those who have personal information about residents of the Commonwealth of Massachusetts. That information is defined primarily as name with one or more of these: social security number, driver’s license number, financial account number, credit or debit card, or access codes that would permit access to financial accounts.
(17.03) Some highlights of the required plan include (letters match the corresponding paragraphs in the regulation):
Developing and maintaining a plan with these aspects:
a. Designating specific employees to design and maintain the plan
b. Identifying and assessing internal and external risks to the data or to the overall security of the plan
c. Having specific policies for telecommuters
d. Imposing measures for violation of the rules
e. Preventing terminated employees from accessing records
f. Making sure third-party providers have the capacity to protect data
g. Collecting the minimal amount of personal data required and giving access to the smallest number of persons
h. Keeping an inventory of where the data is kept
i. Regularly monitoring and auditing employee access
j. Reviewing the plan at least annually
k. Documenting responsive actions taken in connection with any incident
(17.04) On the technology side of the equation, there are additional requirements that describe user identification (IDs), passwords, and the control of those.
If you want the research, see these links. The deadline for compliance was recently extended from January 2010 to May 2010.
Links:
The actual regulation 201 CMR 17
FAQ Issued by the Office of Consumer Affairs and Business Regulation (dated 11/2009)
Article on 201 CMR 17 in CSO Magazine