Basics of the New Massachusetts Data Privacy Regulation
Last week I gave a lightning talk on this topic at Boston Ruby Group. There was nothing new in the technical part of my presentation; everyone in the audience was a professional developer and was already following good security practices.
However, I was impressed by the number of people who were not aware that now it's not only good practice; it's the law. And if you don't do it, you're subject to penalties.
I decided to write this short post with the highlights in order to help spread the word. You can get the full presentation from SlideShare. I also provide several links below to get more information and resources to help your small business become compliant.
The official name of the regulation is 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.
The regulation became effective March 1, 2010.
Any individual, company, or organization that stores personal information of residents of the Commonwealth of Massachusetts must comply.
What is Personal Information?
A person's first name (or initial) and last name in combination with any one of these:
- Social Security number
- Driver’s license number
- Account number: credit card, bank account, etc.
The regulation requires one to maintain a comprehensive written information security program (WISP). This document must analyze the risks to the security of the personal information and describe how those risks will be mitigated. Some of its elements are:
- Designate one person to be in charge of security
- Security policies
- Restrictions upon access to personal information
- Keeping audit trails
- Overseeing service providers
The most important technical requirements are:
- Firewalls, anti-virus, keeping software updated
- User authentication: passwords or biometrics
- Access control (permission is granted when needed only)
- Encryption is mandatory for:
  - Email containing personal information
  - Wireless networks
  - VPN for remote access
  - Laptops and other portable devices
The simplest way to comply with the regulation is not to maintain any personal information (PI) at all. However, this is rarely possible. If you own a business with 2 employees and keep their Social Security numbers, you must comply.
It's easy to use web-based services to do payroll; this way the PI is stored with your service provider rather than on your own computer. Keep paper records in a locked file cabinet inside a secure office. You still need the WISP, though (see the link to a sample below).
If You Need Encryption
The encryption requirement is the one that has created the most problems for small businesses, because they don't have the expertise to implement the technology.
The easiest way to comply is, again, to avoid the need: don't store or transmit personal information electronically. If you need to send documents containing personal information to your customers, use fax, FedEx, or even first-class mail; all are compliant. And don't save personal information on your laptop; this way there's no need to encrypt it.
If you do need to send encrypted email, GPG is a free option (see the encryption guides below). The problem with GPG is that it's complicated for non-technical users, especially the part that involves handling the cryptographic keys.
There are several products that provide easy-to-use solutions for sending and receiving secure messages with your customers. I like to recommend the one I developed: Solid Secure. There's no software to install. It's very easy to use because it works just like Gmail or Yahoo Mail, but as the owner of your business, you control who becomes a user.
Resources and Additional Information
- Complete content of 201 CMR 17.00 from the official website of the Commonwealth of Massachusetts
- Frequently Asked Questions Regarding 201 CMR 17.00 by the Office of Consumer Affairs and Business Regulations
- Compliance checklist by the Office of Consumer Affairs and Business Regulations
- Article by a Boston lawyer explaining 201 CMR 17.00
- A sample WISP you can adapt to your organization's needs
- Encryption guides, how to use GPG and TrueCrypt
Disclaimer: I am not a lawyer and this is not legal advice.