An overview of the Massachusetts 201 CMR 17 Data Privacy Law, which goes into effect on March 1. Contact information is available for each presenter in the slide deck.
Please contact any of us with questions.
4. Regulatory Compliance
Which organizations are required to comply with the new law? Verbiage: organizations “who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
Personally Identifiable Information (PII) includes:
- Electronic transaction and billing data (credit card numbers, bank data, etc.)
- Identity-theft target data (SSN, identification, etc.)
- Customer records

5. What is Required?
Four main components:
- Risk assessment and WISP
- Data privacy awareness policy
- Security (A/V, firewall, encryption)
- Vendor WISP or sign-off
23. Need for security and confidentiality of both consumer and employee information
24. All persons, businesses, and agencies must destroy records containing personal information “such that the data cannot be practicably read or reconstructed after disposal or destruction.”
The Program = Your WISP

37. Review the scope of security measures at least annually, or whenever there is a material change in business practices.

38. Document responsive actions taken after any breach and conduct a post-incident review of events and actions taken.
In case of breach, REACT IMMEDIATELY (see addendum for directions to be followed).
40. Assign unique IDs plus passwords that are NOT vendor-supplied default passwords.
95. Costs of providing written notices shall exceed $250,000.
Substitute notice consists of:
- Email notice to affected consumers
- Clear and conspicuous notice on the company's home page; and
- Publication in statewide media

99. Security Breaches: G.L. ch. 93H
COMMON MISTAKES made in notices to affected Massachusetts residents:
- Notice is too general
- Fails to include the four (4) Massachusetts-specific requirements
- Fraud alert vs. security freeze
- References to websites rather than providing information in the letter itself, thereby putting the burden on affected residents to find the information
- Provides a range of fees relating to a security freeze when in fact the amount is set by statute (G.L. ch. 93, §§ 56 and 62A)

100. Discovery of a Breach
Typical situations:
- Stolen or lost laptop, flash drive or other portable media
- Unauthorized activity on the network
- Missing, lost or stolen paper files
- Actions of a departing employee
- Complaints from customers or employees
- Third-party vendor breach
In any of these cases, REACT IMMEDIATELY (see addendum for directions to be followed).