As discussed in earlier alerts (Additional Guidance on the Massachusetts Privacy Regulations, Privacy and Security Alert: Massachusetts Has New Data Security Regulations and New Massachusetts Privacy Laws), starting on January 1, 2009, businesses will be held to a higher standard regarding the protection of Massachusetts residents’ personal information. The regulations set out in detail the required minimum standards to be met by persons or businesses who own, license, store, or maintain personal information about a Massachusetts consumer or employee 201 CMR 17.00. The Standards apply to paper as well as to electronic records.
The regulations have some very specific requirements for computer system security 201 CMR 17.04:
- Secure user authentication protocols
- Secure access control measures
- Encryption of transmitted records and files (to the extent feasible)
- Reasonable monitoring of systems (for unauthorized access to personal information)
- Encryption of all personal information stored on laptops or other portable devices
- Reasonably up-to-date firewall protection for files containing protected information on a system that is connected to the Internet
- Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions
- Education and training of employees on the proper use of the System and the importance of personal information security
- Features required for secure user authentication protocols and secure access control measures.