The Massachusetts Data Protection Law

November 4th, 2009 by

The Law is Real

201 CMR 17.00, described by many as “one of the toughest in the nation”, requires ALL entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program – even if the business or entity has no offices in the state.

As it stands, businesses that hold Massachusetts residents’ information will need a comprehensive written security program and heightened security procedures, including encryption.

The Law is Here

Every organization that owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

The Massachusetts regulation came about after several high-profile data breaches that impacted residents, such as the TJX case in 2007. The Massachusetts government didn’t believe that a data breach notification law, such as California’s SB1386, alone was sufficient to protect its citizens.

Key Elements of 201 CMR 17.00:

  • The personal information requiring protection has been specifically defined;
  • All records of “personal information” must be protected and are defined as any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics;
  • A “breach of security” is defined as “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth”;
  • When a breach of security occurs, notice must be given to the Attorney General and to the Director of Consumer Affairs and Business Regulation and to the individual whose personal information was acquired without authority;
  • Every organization that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive written information security program that is “consistent with industry standards” and contains “administrative, technical, and physical safeguards to ensure the security and confidentiality” of records containing personal information;
  • Safeguards must be consistent with the safeguards for protecting personal information which are “set forth in any state or federal regulations by which the organization who owns, licenses, stores or maintains such information may be regulated”;
  • Each comprehensive ‘written’ information security program requires the organization to develop a number of written policies and procedures.

Sound Familiar?

It Should … ISO/IEC 27001:2005 directly covers 95% of the 201 CMR 17.00 requirements without modification. With a few specific requirements added to support the prescriptive requirement to encrypt personal information, ISO/IEC 27001:2005 provides a truly comprehensive information security program that will stand up to the next round of state and/or federal regulations.

Compliance and certification to ISO/IEC 27001:2005 make more sense now than ever before, especially since IT Governance’s ISO/IEC 27001 ISMS Documentation Toolkit, version 2.1, has been revised to include all the requirements from 201 CMR 17.00.

The 201 CMR 17.00 & ISO 27001 Toolkit Today!
