Massachusetts Standards for the Protection of Personal Information of Massachusetts Residents.
Created by Massachusetts to ensure the confidentiality and security of customer information. It applies to all persons who own or license personal information about a resident of Massachusetts.
What it means for you:
Organizations must anticipate threats in order to protect against malicious actors obtaining protected information. Unauthorized access to protected information, or unauthorized use of such information, should be prevented to avoid harm or inconvenience to the consumer.
Why is it important to you:
Failure to comply may result in legal penalties, as it is a mandate. Complying also demonstrates your commitment to protecting customer data to your customers. Breaches can damage your company's reputation and the trust placed in it; implementing these standards helps you reduce the risk of a breach. These proactive measures also prevent substantial harm to consumers.
What you need to do:
1. Create a COMPREHENSIVE Written Information Security Plan (WISP).
2. Make sure it applies to all protected data.
3. Include administrative, technical and physical safeguards (Security in Layers).
4. Designate an Information Security Manager (ISM); congrats, this is probably you.
5. Know the risks associated with paper records.
6. Regularly audit the WISP (and actually do this).
7. Limit the data you collect to the data you need wherever possible.
8. Retain records only for the proper period.
9. Ensure any data you get rid of is properly disposed of and destroyed.
10. Properly revoke the access of terminated employees.
11. Ensure third-party service providers with any data access are properly vetted.
12. Ensure any third-party service providers are contractually required to protect the protected data.
13. As always, trust then verify.
What else should I know:
- Massachusetts requires organizations to PROMPTLY detect and report any security incidents or breaches involving personal information.
- You MUST notify the affected individuals and the Massachusetts Attorney General’s Office.
- The Massachusetts Attorney General’s Office will investigate the reported incident; you had better have an updated WISP!
- Severity, Impact and Circumstances of the data breach will be investigated.
- If they don’t like what they find, you could face fines, corrective measures, injunctions and legal proceedings.
Compliance with 201 CMR 17.00 is essential to protect personal information and avoid legal consequences. Organizations should prioritize security measures to prevent breaches and demonstrate due diligence.
Many different compliance regimes and regulations are emerging in the United States. Some have been federal mandates, but most have been at the state level. I expect this to become widespread and happen more often as attacks on personal data increase year over year.
