Question: How can my organization prepare for the new Massachusetts Privacy Law 01 CMR 17.00 and why is it important?
Massachusetts recently passed a new privacy protection law that is strictest in the nation to date. If you are not in Massachusetts you might not think it applies to your business, but if your organization has any employees or customers in Massachusetts then you are affected by Massachusetts Privacy Law 201 CMR 17.00 — Standards For The Protection Of Personal Information Of Residents Of The Commonwealth. In a nutshell, the law states that you need to place safeguards on any personal information (PI) that your company touches, either in electronic or paper form. You will need to be in compliance with the law by 2010, so to get you started, here is a quick tutorial.
First determine if you have any personal information (PI) that needs protection. PI is defined as a combination of a person’s first and last name connected to any one of the following pieces of information: driver’s license number, credit card number or Social Security number. Specifically, you should examine: the number of records, the people and processes that access it, how it is transmitted and where it is stored. Ideally, you want to minimize the amount of information to what is needed to perform your business processes. In addition, you want to keep it for as short a time as possible, and reduce the number of people and processes that access to the data. Following these best practices will reduce your liability and exposure under the law.
Here are some recommended steps to meet the legal requirements:
- Policy – Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely.
- Exposure – Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics.
- Communication – Inform the company staff that the law is coming and request their help in meeting the compliance obligations.
- Data classification – Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc.
- Discovery – Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.
- Need to know – Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups.
- Lifecycle – Look at your business processes to understand the lifecycle of PI in your enterprise.
- Administration – Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority.
- Technical -Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution.
- Physical – Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.
- Training - Everybody, yes everybody, in the company should receive training, reminders and yearly refreshers on what information you are responsible for protecting and why.
Hopefully these recommendations will smooth your path towards compliance and reduce risk. Whatever you do, don’t just ignore Massachusetts Privacy Law 201 CMR 17.00; your business does not need the additional headaches. So what are you waiting for?
David Goldstein, managing partner, and Sean Megley, a consultant at Knowledge Management Associates created this entry.