
What does it mean to My small business? Schedule a no-cost, no-obligation consultation today! Or call 888-928-3336
Perspective
Within the past five years there have been several cases of large-scale "data loss," where millions of credit card numbers have been stolen or otherwise misused. BJ's Wholesale Club, Heartland Payment Systems, and TJX are the best-known examples, but by no means the only cases.
While the obvious criminals in these cases have been investigated, the law did not specify penalties for those who share at least some responsibility for these data loss events: The merchants and others whose lax security policies, circumvention of security policies, and lack of monitoring and oversight made these "hacks" or breaches possible.
After all, it makes a difference if someone steals your car...with the keys in the ignition...still running. Or if someone takes your cash...that you left on your kitchen table...visible from the street...with the doors unlocked...and no one home.
Who's Covered?
Any person, partnership, corporation, or other legal entity other than the government (they are already covered under different regulations) who owns or licenses "Personal Information."
"Personal Information" is defined as a combination of name plus:
Social Security Number
Driver's License Number
Credit or debit Card Number with or without PIN, CCV, password or other security code
Bank Account Number
To clarify...
If you have employees, you must comply.
If you use subcontractors, you must comply (as you should have a Taxpayer Identification Number (TIN) on file).
If you accept credit cards, you must comply.
If you accept checks as payment, you must comply.
Only sole-proprietor, cash-only businesses are reasonably excluded.
According to the law, out-of-state entities that collect "personal information" about Massachusetts residents are also covered. It is beyond our expertise to speak to the legality or likelihood of enforcement actions outside Massachusetts.
What you need to do
1. Appoint an Information Security Manager (ISM).
2. Draft a Written Information Security Program (WISP).
3. Implement the WISP, monitor compliance, and review the plan yearly...or whenever changes are needed.
Simple! (Well, not quite.)
What IS an Information Security Manager?
The Information Security Manager is the person responsible for maintaining and executing your information security program. This should generally be an employee (office manager, IT director, or owner) of your company rather than a contractor or consultant. The ISM is ultimately responsible for construction, startup, training, and auditing of your…
Written Information Security Program
The WISP is a document that describes WHAT personal information is collected by your organization, WHERE and HOW it is used and stored, WHO may access it HOW and WHEN, WHAT protections are in place against unauthorized access, HOW compliance is monitored and audited, and WHAT to do in the event of a problem. Most WISP documents are based on templates and samples, but it’s important to have this document reviewed by business ownership (C-level and corporate board), legal counsel, HR/personnel management, and IT/technical leads.
Links and other references
The Massachusetts Office of Consumer Affairs is charged with determination of requirements and enforcement of the law.
The Law Itself can be read in PDF format on the MASS.GOV site.
Security, Privacy, and the Law contains a detailed description of the public hearings and the evolution of the law.
Uncommon Sense Security is Jack Daniel's security blog, with a very detailed discussion of tech aspects of the law.
CIO Magazine's Mass 201 CMR 17.00: A Survival Guide for the Anxious presents the case that many businesses are already following the "Best Practices" described in the law.
Charland Technology is presenting a series of blog postings:
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00: Part 1/5. Not Me!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00: Part 2/5. Not Me, really!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00: Part 3/5. It's a tech thing.
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00: Part 4/5. I'm OK.
Mass 201 CMR 17: A Survival Guide for the Anxious - Network World
Are you already protecting Personal Information? Need Help? Learn more about our services, solutions, and partnerships, or Contact Us today!
This page and our blog postings provide a summary of the Massachusetts Data Protection Law 201 CMR 17.00 and our interpretation of the law as it applies to small business. This is for general information purposes and should not be taken as "legal advice." You should discuss these regulations and any questions with a competent attorney.