Monday, January 5, 2009

New Data Security Law - Massachusetts – Personal Information Compliance Assessment

75 Kneeland Street, Suite 201, Boston, MA 02211
Tel: 617.303.0480
Fax: 617.303.0481

Are you aware of the new Massachusetts General Law (M.G.L.) Chapter 93H?
(201 CMR 17.00: M.G.L. c. 93H)
201 CMR 17.00: Standards for the Protection of Personal information of Residents of the Commonwealth.
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the
Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in
connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information


We have a new program that will handle your company's Personal Information that is covered under the electronic records of this new law.

The New Program is Called:
M-PICA (Massachusetts - Personal Information Compliance Assessment)

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

Secure user authentication protocols including:
1. Control of user IDs and other identifiers;

2. A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

3. Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

4. Restricting access to active users and active user accounts only;

5. Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

Secure access control measures that:
1. Restrict access to records and files containing personal information to those who need such information to perform their job duties;
2. Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
3. To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.

4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;

5. Encryption of all personal information stored on laptops or other portable devices;

6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.


17.05: Effective Date
These regulations shall take effect on May 1, 2009.

1 comment:

  1. This is a complicated Law from the Data aspect and will require changes to existing practices. NSK (www.nskinc.com) is prepared to sift through the complexities and assist companies with defining and implementing these changes.

    Tim Lasonde

    ReplyDelete