Massachusetts Passes Aggressive New Data Security Law
Do you own or license personal information about a resident of Massachusetts? If so, then a new data security law, 201 CMR 17.00, applies to you. You must develop, implement and maintain a comprehensive information security program that includes a security system covering computers, including any wireless system. Among other requirements, you must ensure that, where technically feasible:
- All data containing personally identifiable information (PII) must be encrypted on the wire as it is transmitted across public networks or wirelessly. This means, for example, that PII must be sent over HTTPS, not HTTP, and must be encrypted when stored in SQL Server. This rule has significant implications for database applications.
- All PII stored on laptops or other portable devices, such as smartphones and USB drives, must be encrypted.
- Backup tapes must be encrypted on a prospective basis.
Penalties for noncompliance are enforced through Massachusetts General Law Title XV: Regulation of Trade, chapter 93A, section 4. Civil penalties of up to $5,000 per breach or lost record may be assessed, along with the reasonable costs of investigation and litigation, including attorneys' fees. Any data breach must be reported to both the Office of Consumer Affairs and Business Regulation and the Attorney General.
The law became effective March 1, 2010, and can be found here: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
Answers to Frequently Asked Questions regarding the rule can be found here: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf.
