201 CMR 17.00 Standard for the protection of personal information of residents of the Commonwealth

Do you accept credit cards? Do you store customer information? Do you store information on your employees?

There are many considerations related to Information Security. Start the process now to become compliant with the new MA regulations (201 CMR 17). Non compliance will result in significant penalties to your business and jeopardize your reputation as well as business revenue.

Don’t wait until it’s too late. Let us help you protect your business.

Relia-tech, Inc. can help you:

• Assess your current level of compliance to the law
• Develop a written Information Security program necessary for compliance
• Evaluate your IT Infrastructure
• Recommend IT enhancements that are required

CMR-17 FAQs
How will CMR-17 affect your business?
These regulations apply to all businesses in Massachusetts who store personal information. Companies will need to institute a security process for the protection of personal information. The regulations include: establishing password protocols for every user, encrypt information sent over the Internet or saved on flash drives or laptops, restrict access to personal information, maintain current anti-virus, malware and firewall protection, as well as train every employee on security procedures.

What is a security breach?
A security breach is an unauthorized possession of unencrypted data that may be used to compromise the security or integrity of personal data and creates a significant risk of identity theft.

What happens in the event of a security violation?
If an incident occurs, you are required by law to alert the Office of Consumer Affairs and Business Regulation (OCABR) and the Attorney General as well as the affected party. The law also requires that when a company reports a breach that it also provide details of the steps that have been taken to prevent a breach from occurring again.

What changes will companies need to make?
You will need to develop a written Information Security program and enforce compliance from all employees. You will need to evaluate your IT Infrastructure to make sure your data is encrypted, access to personal information is restricted, passwords are changed regularly, maintain up-to-date hardware and software (firewall, antivirus, Malware, etc.).

How will you know that the vendors you work with are acting in accordance with the regulations?
The vendor will need to sign a document that says that it has a written, comprehensive information security program that is in compliance with CMR-17.

If a company complies with federal HIPAA or Graham-Leach-Bliley requirements, do they have to comply with these new regulations as well?
Yes. These regulations are not pre-empted because both GLB and HIPAA allow state laws to provide for a higher standard of protection.

When do the regulations take affect?
Massachusetts has extended the deadline to March 15, 2010. Prior to the effective date, a company must have a written information security program in place.

Has the state provided guidelines for compliance?
Every company is different and will have requirements specific to the nature of their business. However, the Office of Consumer Affairs and Business Regulation will provide a model plan as a guideline.

Amended Regulations on mass.gov site