Mass. Data Protection Law… What do I need to do?
If you’re a business owner (regardless of where you are located) and your company holds personal data of Mass. residents who are your EMPLOYEES or CLIENTS/CUSTOMERS, then this law applies to you.
As Jaikumar Vijayan wrote in his ComputerWorld article - available here - next week (March 1st) is the deadline for companies to “ensure that their contractors, suppliers, technology providers and other third parties comply with a provision of a state data breach law that went into effect in March 2010”.
The law MA 201 CMR 17.00 (download PDF) is a set of guidelines that businesses in MA need to follow in order to avoid fines, penalties or even being shut down.
You’re probably wondering: “well I’m not an IT guru so what am I supposed to do?”
Well, for starters, download the law. Review the list of requirements and see what you already have in place and what you still need. Start with a WISP (Written Information Security Policy). Include the measures you will take to protect personal data from security breaches, covering threats from your own employees as well as from the internet.
Keep your employees up to date with the rules, make sure they are trained and regularly reminded to take every reasonable measure to prevent loss of data. Have their passwords changed every 4 months, and make sure they don’t write their passwords down and leave them lying around the office.
In that WISP, also include the requirements you place on third parties: what measures they will take to protect any data that you share with them.
How are you sharing personal data? Email? Is your email encrypted? Are you using SSL (Secure Sockets Layer)?
Install anti-virus and anti-malware programs on all your devices, and have a program in place to monitor your systems. Have your systems enforce access control, so that if someone tries to log in with the wrong credentials, access to that account is blocked after so many tries.
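The lockout rule just described, as an added example that is not part of the original post: a small per-user login guard that counts recent failures and blocks the user ID for a while once they exceed a threshold. The post says “so many tries” without giving a number, so the threshold, failure window and lockout duration below are constructed assumptions, as is the whole `LoginGuard` class.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed thresholds (the post gives no numbers); tune them to your own policy.
MAX_FAILURES = 5                         # failures in the window before locking
FAILURE_WINDOW = timedelta(minutes=15)   # failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=30) # how long the user ID stays blocked


@dataclass
class LoginGuard:
    """Tracks failed logins per user ID and blocks the ID after too many."""
    failures: dict = field(default_factory=dict)      # user -> [failure times]
    locked_until: dict = field(default_factory=dict)  # user -> datetime

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:              # lockout expired: clear it and start fresh
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return 'locked', 'denied' or 'ok'.

        The lockout is checked BEFORE the password so that a blocked user ID
        stays blocked even when the correct password is presented.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)   # a success resets the counter
            return "ok"
        # Keep only failures inside the window, then add this one.
        recent = [t for t in self.failures.get(user, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_DURATION
            # A real system should also log this event for the monitoring
            # the post recommends, so repeated lockouts get reviewed.
        return "denied"
```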
And finally, make sure you only share personal information on a need-to-know basis, especially with third parties. Ask your contractors, suppliers, technology providers and other third parties what their policies are regarding the handling of your data, and if they don’t have policies, I suggest you start looking for other partners.
What are your thoughts on the Mass. Data Protection Law? Feel free to comment.
If you need help creating a WISP or need help getting your systems and data protected properly feel free to contact Sentinel Digital Systems.
Subscribe to our blog now to receive e-mails when new articles are posted.
About Edson Monteiro.
Edson is a compliance & security specialist. As the President of Sentinel Digital Systems and author of the Tech-Source blog, he helps small businesses meet guidelines, saving them big bucks on penalties.