Tuesday, September 14, 2010

Privacy & data protection - the long reach of the (Massachusetts Data Protection) law

Even if your company does not physically or operationally do business in Massachusetts, you should know about the recently enacted Massachusetts data protection regulation, 201 CMR 17.00 (issued under the state's data security statute, M.G.L. c. 93H). This regulation should interest you for two reasons:

  • Your company is subject to this regulation if it owns, licenses, stores or otherwise handles the personal information of any Massachusetts resident, wherever the company itself is located; and
  • The law establishes certain requirements of a security program that your company should consider implementing, regardless of where you do business.

These regulations finally went into effect on March 1, 2010. The regulation requires that every person or business that has the "personal information" of a Massachusetts resident develop, implement and maintain a "comprehensive information security program." "Personal information" is a defined term: a resident's first name or initial and last name in combination with a Social Security number, a driver's license or state-issued ID number, or a financial account number or credit or debit card number. At a minimum, a company's information security program must address the following:

  • Adoption of a written information security program.
  • Appointment of someone accountable for the information security program.
  • Adoption and implementation of comprehensive security policies and training of employees thereon.
  • Encryption of personal information across public networks and when transmitted wirelessly.
  • Encryption of portable devices that store personal information, where reasonable and technically feasible.
  • Encryption of backup tapes on a prospective basis.
  • Limitation of the amount of personal information collected, the length of time the information is retained and the number of individuals who are permitted to access and use it.
  • Regular monitoring of the security program and an assessment of the security measures on an annual basis, or when there is a material change to the business practices of the company, whichever is earlier.
  • Requirements that third-party service providers maintain appropriate safeguards for personal information, including contractual commitments to do so.
  • Deployment of reasonably up-to-date system security software, including malware protection, patches and virus definitions, configured to receive security updates on a regular basis.
  • Documentation of the actions taken in response to any security incident, with a post-incident review whose lessons are incorporated back into the security program.

---------------------------------------------------------
Source: lexology.com

By: Amy E. Yates
