
Massachusetts Data Protection Regulation


201 CMR 17.00 Compliance


Massachusetts Data Protection 201 CMR 17.00

What is the 201 CMR 17.00?

The Massachusetts Office of Consumer Affairs and Business Regulation has established new standards for the protection of personal information (PI) about residents of the Commonwealth of Massachusetts. 201 CMR 17.00 mandates security standards that must be met by all persons and organizations that own or license personal information about a resident of the Commonwealth, in either paper or electronic form. The regulation applies equally to all private and public sector organizations, regardless of whether the entity or the data resides inside state borders.

Personal Information is defined as a resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to the resident:


This regulation was created to ensure the confidentiality and security of personal information in a manner consistent with industry best practices. Its objectives are to protect against security threats and unauthorized access to such information that create a risk of identity theft or fraud against any consumer.

What you need to be 201 CMR 17.00 compliant

The key element of 201 CMR 17.00 is the requirement for organizations to develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP). The regulation goes further than any other state privacy law by specifying the administrative, physical and technical controls that must be implemented under the written information security policy. The Office of Consumer Affairs and Business Regulation has published the 201 CMR 17.00 Compliance Checklist as an aid to organizations.

The regulation requires the participation of IT professionals, HR departments, in-house employment, procurement and commercial teams, and legal counsel in order to effectively implement the mandated procedures, protocols and training programs.

The extensive nature of these obligations, together with the significant undertaking required to develop such a written policy, forced the Massachusetts regulators to extend the deadline for full compliance to March 1, 2010.

How Safe Side Compliance Helps

While this may seem like an overwhelming process, Safe Side Compliance can help by:

Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth

For additional details on the Massachusetts 201 CMR 17.00, see our FAQs section. If you have any questions regarding the implications of the Massachusetts Regulations for your business, or require advice on your information security program, Contact Us at 978-340-6400.

Copyright © 2010 Safe Side Compliance LLC. All rights reserved.