How to Comply with New Massachusetts Privacy Regulations
By Matthew J. Putvinski
If your organization holds as little information about a customer, member, employee, or donor as a first initial and last name combined with a Social Security number, state-issued identification number, financial account number, or credit or debit card number, you must comply with the new law, commonly referred to as CMR 17.
Your organization will also be held accountable in the event of a security breach, so you should be able to demonstrate that you complied with the regulations.
Here are ways to help your organization comply with CMR 17.
Document ways in which you may have access to or store the personal information of Massachusetts residents. That includes:
You must ensure that contracts with vendors with whom you share this information include clauses stating that the vendor will comply with CMR 17. This will be required in all contracts by March 1, 2012. Ask the vendors to provide assurance that they are meeting the regulations, either in the form of a simple letter attesting to compliance or by providing a copy of their written information security program.
Lock Down the Paper
Consider where paper documents are stored and whether they can be locked down; a locked cabinet with the key kept nearby doesn't count. Employees should clear their desks at night, and your agreement with the cleaning company should stipulate its accountability if its employees take your information.
Destroying your documents properly is important. Using standard garbage bins is unacceptable. If you are disposing of a small amount of paper, use a good shredder. Larger amounts of paper should be handled by a professional shredding company.
Protect Your Files
If you outsource your information technology (IT) function, it's important to ask whether the provider is itself compliant with the regulation.
Servers and desktops in your office collect a variety of activity data. It's imperative that you work with your IT administrator to collect and review this information. This is helpful for two reasons:
The encryption requirement is probably one of the most costly elements of the regulation. If data containing Social Security numbers, driver's license numbers, or financial account numbers resides on a portable device such as a laptop, smartphone, flash drive, or backup tape, it should be encrypted.
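Before you can decide which laptops, flash drives and backup sets need encryption, you need an inventory of where the covered data elements actually live. The following is an added example, not part of the original article, showing one way to find files that contain Social Security numbers or payment card numbers so they can be placed under encryption or moved off portable media. The sample file contents are constructed for the example, and the Social Security numbers and card number in them are made-up test values; the function names are the example's own.

```python
import re

# Constructed sample files (in memory) standing in for documents found on a
# laptop or flash drive during an inventory. None of these values are real.
SAMPLE_FILES = {
    "donors_2011.csv": "J. Smith,123-45-6789,4111111111111111\n",
    "newsletter.txt": "Our annual gala is on March 1, 2012. Call 555-0100.\n",
    "payroll_notes.txt": "A. Jones SSN 219-09-9999 direct deposit acct 123456789\n",
}

# SSN in the hyphenated form AAA-GG-SSSS, excluding areas/groups/serials that
# are never issued (000, 666, 9xx area; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 16 digits, optionally separated by spaces or hyphens; the Luhn check
# below removes most ordinary numbers that happen to be this long.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory report is not itself a PII store."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> dict:
    """Return the SSNs and Luhn-valid card numbers found in a block of text."""
    findings = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["card"].append(digits)
    return findings


def files_requiring_encryption(files: dict) -> list:
    """Names of files that hold at least one covered data element, sorted for a stable report."""
    return sorted(name for name, text in files.items() if any(scan_text(text).values()))


if __name__ == "__main__":
    # Print a masked report: which files need encryption and why, without
    # copying the full identifiers into the report.
    for name in files_requiring_encryption(SAMPLE_FILES):
        found = scan_text(SAMPLE_FILES[name])
        reasons = [f"SSN {mask(s)}" for s in found["ssn"]] + [f"card {mask(c)}" for c in found["card"]]
        print(f"{name}: encrypt ({', '.join(reasons)})")
```

Run against a real directory you would read each file's text instead of the constructed dictionary; the masking in the report matters because a plain list of every SSN found on a laptop is exactly the kind of file the regulation is trying to keep off unencrypted media.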
Wireless access is an extremely cost-effective tool, but if it is not set up properly, someone can simply sit outside your office and collect your data. Encryption is critical on these devices.
The law requires that you inform employees of their responsibilities for securing your information. It's important that, as part of this training, you not only educate them on what they must do but also help them understand why. You need to build a culture in the office where security is on the minds of employees.
Prepare for a Breach
It's not a matter of if a breach will occur but when, so right now identify: