IT Governance Blog on IT governance, risk management, compliance and information security.

You are probably aware of the new data protection law and that every organization who collects, owns or licenses personal information about a resident of Massachusetts must now be in full compliance.

Did you know – ISO/IEC 27001:2005 directly covers 95% of the 201 CMR 17.00 requirements without modification and with a few specific requirements added to support the prescriptive requirement to encrypt personal information, the 201 CMR 17.00 & ISO 27001 Toolkit provides a truly comprehensive solution!
(more…)

Many organizations accross the state of Massachusetts and organizations outside of Massachusetts, who collects, owns or licenses personal information about a resident of Massachusetts, are struggling to meet the requirements of the new Data Protection Law (201 CMR 17.00), which came into force on March 1st this year.

If you fall into this category, or need to build a case for management buy-in, consider:
Massachusetts General Law, Chapter 93A, section 4 specifically authorizes the Attorney General to seek injunctive relief against the organization involved in the unauthorized act or practice. In addition, section 4 allows a court to impose a $5,000 civil penalty for each violation and if ‘violation‘ is interpreted to mean the unauthorized access to a single individual’s personal information, the potential damages could be enormous.

Did you know – ISO/IEC 27001:2005 directly covers 95% of the 201 CMR 17.00 requirements without modification and with a few specific requirements added to support the prescriptive requirement to encrypt personal information, the 201 CMR 17.00 & ISO 27001 Toolkit provides a truly comprehensive solution!

(more…)

Every organization who collects, owns or licenses personal information about a resident of Massachusetts will have to be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

The term “personal information” is defined so broadly that nearly every Massachusetts business must comply with the regulations.

Specifically, personal information is defined as an individual’s name, accompanied by one or more of the following:

• Social Security number,
• driver’s license,
• state ID number, or
• financial account number (bank accounts, credit cards).

It is hard to imagine any Massachusetts businesses that do not handle or maintain personal information!
(more…)

Comply with the Massachusetts Data Protection Law – 201 CMR 17.00

Do you have an information security management system which complies to ISO27001?

The The 201 CMR 17.00 Upgrade Toolkit will help you to avoid regulatory noncompliance with the 201 CMR 17.00 Law!

Buy the The 201 CMR 17.00 Upgrade Toolkit

to assure success at your next surveillance audit and/or state examination.
(more…)

Comply with the Massachusetts Data Protection Law – 201 CMR 17.00

The 201 CMR 17.00 & ISO 27001 Toolkit Will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

This ISMS (201 CMR 17.00/ISO 27001) Documentation Toolkit contains:

(more…)

The Law is Real -

Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00

The Law is Here

Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

The Law has Teeth -

If you need motivation to move towards compliance, Massachusetts General Law, Chapter 93A, section 4 specifically authorizes the Attorney General to seek injunctive relief against the organization involved in the unauthorized act or practice. In addition, section 4 allows a court to impose a $5,000 civil penalty for each violation and if ‘violation‘ is interpreted to mean the unauthorized access to a single individual’s personal information, the potential damages could be enormous.
(more…)

In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

1. From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.
2. Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.

(more…)

Avoid Re-Inventing Existing Wheels

Every organization who licenses personal information about a resident of Massachusetts shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

ISO/IEC 27001:2005 directly covers 95% of the 201 CMR 17.00 requirements without modification and with a few specific requirements added to support the prescriptive requirement to encrypt personal information, ISO/IEC 27001:2005 provides a truly comprehensive information security program that will stand-up to the next round of state and/or federal regulations.
(more…)

The Law is Real

201 CMR 17.00, described by many as “one of the toughest in the nation”, require ALL entities that licence, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program – even if the business or entity does not have offices in the state.

As it stands, businesses that have Massachusetts residents’ information will have to have a comprehensive written security program, and heightened security procedures, including encryption.

The Law is Here

Every organization who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.
(more…)