Businesses Must Develop Security Plan
Effective January 1st of 2009, new laws went into effect in Massachusetts governing the safe handling of private data by “all persons that own, license, store or maintain personal information about a resident of the Commonwealth.” Massachusetts General Laws Chapter 93H (93H) requires all such businesses or individuals to develop and maintain a comprehensive information security program applicable to any records containing personal information. “Personal information” is defined as a person’s first and last name or first initial and last name in combination with any of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. Exempt information is anything that is lawfully obtained from public records.

The security program must cover a number of topics, including identifying one or more people responsible for assuring compliance, risk identification and mitigation, employee training, disciplinary actions for non-compliant employees, limiting access to information, and monitoring and auditing activities, among others.

The regulations further mandate that computer systems used by any person or agency that collects or maintains private information must meet a number of criteria. For example, user access must be controlled and secure passwords have to be enforced. User access to data must be limited to the minimum necessary to perform assigned job duties. Additionally, all personal information that is to be transmitted across public networks (if “technically feasible”) or stored on laptops or other portable devices must be encrypted. All data that is transmitted wirelessly has to be encrypted as well.

Finally, the rules stipulate that “reasonably up-to-date” protections must be in place, including firewalls, security patches, and malware protection agents. Such agents should be configured to receive updates automatically.

State Government Has To Comply, Too
Subsequent to the passing of this legislation, last September, Massachusetts Governor Deval Patrick signed a new Executive Order mandating that all State agencies (executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices) adopt and implement the same security measures as stipulated in 93H. All state employees are directed to take “immediate, affirmative steps to ensure compliance with this policy…”

The Bottom Line
This basically means that all businesses and state offices that use or store personal information must develop an information security plan. Since this includes any company that accepts credit cards as payment, nearly all businesses larger than roadside produce stands will be affected. For publicly traded companies, this won’t be much of a burden since they already have to comply with similar regulations such as the Sarbanes-Oxley Act. For many others this will present new challenges, and some may find these challenges prohibitive. Outsourcing part or all of their IT processes and the related security requirements can take some of the burden off small to mid-sized businesses, as long as they remember to require third-party service providers to certify that they are compliant with 93H.

Author: Christopher