MA 201 CMR 17 Unique Requirements
That’s the number of records involved in security breaches in the US since January 2005, according to the Privacy Rights Organization. In reality, we believe that number should be much higher, because many cases of exposed records are unknown or simply not reported.
Just last week the Educational Credit Management Corp in St. Paul, MN reported that personal information (names, addresses and social security numbers) for about 3,000,000 borrowers was stolen. It has since been recovered, but who knows how many people copied the data before the physical CDs were found.
Security breaches like this have prompted states to enhance their data security protection laws. The law with the most force? Massachusetts 201 CMR 17.
MA 201 CMR 17’s Unique Requirements
Identify Risks: Businesses that have MA employees or clients/investors must identify and assess internal and external risks to personal information (PI).
Inventory Location of PI: Find where PI is stored, including electronic, paper and other records, as well as on laptops and mobile devices.
Encrypt Hardware and Data Transmissions: Firms must encrypt all files and records containing PI that are transmitted over public networks. In addition, the regulation requires the encryption of PI stored on laptops, flash or USB drives and wireless mobile devices.
Oversee and Obtain Written Guarantees of Adherence from Third Parties: You have to ensure that your third-party service providers are also compliant with 201 CMR 17.
Routinely Evaluate and Adjust Program: This isn’t a case of set-it-and-forget-it. You’ve got to monitor the security program and make sure its scope matches your business and risk profile.
What’s at Stake?
Violators of 201 CMR 17 will face stiff monetary penalties – as much as $5,000 per violation – as well as the less calculable effects surrounding a business’ reputation.