Archive for October, 2009

8 Oct

Many small businesses believe that they are exempt from the Massachusetts Data Privacy Act (201 CMR 17); the perception is that the law is geared to retailers and financial institutions, whose day-to-day operation involves the gathering and sharing of large amounts of personal information. A few simple questions should convince you that you are most likely NOT exempt, and that your business must comply.

  • Do you have any employees?
  • Do you receive payments from individuals, whether by check or credit card?
  • Do you need to send out 1099s?

If you answered yes to any or all of these questions, then you have personal information in your possession, and therefore must bring your business into compliance.

Massachusetts has recently revised the 201 CMR 17 law, and there is much good news for businesses:

  • The effective date for 201 CMR 17 is now March 1, 2010.
  • The application of the regulations to those that “own or license” personal information about Massachusetts residents versus their service providers has been more clearly described.
  • The Regulations now take a “risk-based” approach that allows a business to take into account their size, scope, amount of resources, nature and quantity of data collected or stored, and the need for security, in determining how to implement the requirements.
  • The definition of encryption is now technologically neutral, and all computer security system requirements only need be applied “to the extent technically feasible.” According to the Massachusetts Office of Consumer Affairs and Business Regulation, this means “that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.”
  • Businesses must “take reasonable steps to select and retain” third-party service providers capable of maintaining security measures consistent with the Regulations, and bind them by contract to implement and maintain them.

These changes are going to make 201 CMR 17 compliance easier. However, the deadline is now less than six months away, and businesses may want to start the hard work that needs to be done now.

  • Write a 201 CMR 17 Comprehensive Information Security Program, with the aid of an attorney. We have provided a model for you to follow.
  • Implement a strong password policy. Passwords need to be difficult to guess and should include upper- and lower-case letters, numbers and symbols.
  • Secure email so that personal information cannot be sent over the Internet unless it is encrypted.
  • Encrypt laptops and other portable devices using a method that does not interfere with a user's ability to read and create documents.
  • Have a system to keep security patches, antivirus and anti-malware software, and firewalls up to date on all computer equipment.

Then ask who, what, why, where, how and when:

  • WHO: Choose a point person. Having a designated driver will make the complicated process more efficient and more effective. And make sure they have the resources needed to get the job done.
  • WHAT: What are the potential risks? Identify any foreseeable risks to Personal Information and come up with a plan to eliminate or reduce those risks.
  • WHY: Educate and train all employees about the importance of protecting Personal Information and Computer Network Security.
  • WHERE: Identify where Personal Information comes from, where it is stored, how it is used, and by whom.
  • HOW: How are you going to get this done? Decide whether internal resources are enough or whether an outside network firm is needed to build a reasonably secure network.
  • WHEN: Now is the time to start tackling these tasks. We have compiled a checklist to help you through the process.

There are a number of resources available to help small businesses with their questions and concerns about this law, which aims to protect them, their customers and their employees. The Massachusetts Office of Consumer Affairs and Business Regulation created these regulations and can be helpful.

We have put together several documents to view or download, including a 201 CMR 17 compliance checklist; a sample 201 CMR 17 Comprehensive Information Security Program to help you understand the type of document that needs to be created; a 201 CMR 17 Personal Information Discovery Form to help you and your team determine where and in what form personal information may exist; and a copy of the 201 CMR 17 Regulations.

Please call me at 781 362 1199 or toll free at 800 696 2309. Or you can email me at rokeefe@nengroup.com. I will be happy to set up an appointment to guide you through this process.

For more information:

NENGroup 201 CMR 17 Compliance Page
NENGroup 201 CMR 17 Press Release

8 Oct

New England Network Group, Inc.'s (NENGroup) array of IT solutions can help local companies comply with Massachusetts' Comprehensive Identity Theft Prevention Regulation, 201 CMR 17.

The 201 CMR 17 personal data protection law outlines stringent new rules for companies to develop and implement computer security safeguards, including setting up a comprehensive written information security plan, protecting against anticipated threats to the security of personal information, and developing policies to regulate employees’ ability to access records outside work.

Regardless of their size, all Massachusetts companies and businesses that compile or maintain personal information records, including employee data, are subject to 201 CMR 17’s regulations. Many local companies may find themselves ill-equipped to internally implement the required security strategies.

Fortunately, NENGroup, as one of the leading full-service IT companies in the Boston area, can help local companies meet the regulations set forth by the new personal data protection law. As part of its IT solutions services, NENGroup offers comprehensive computer security services, including secure user authentication protocols, secure access control measures, encryption tactics and firewall protection. Companies can enjoy peace of mind knowing NENGroup will set up a system that provides the utmost protection for their customers' personal information and adheres to the new state law.

Though Massachusetts companies have until March 2010 to comply with 201 CMR 17, the new regulations also require businesses to complete internal and external security risk assessments prior to the effective date. In light of this, NENGroup encourages companies to reach out to one of its skilled IT specialists as soon as possible.

NENGroup can be reached at govirtual@nengroup.com or (800) 696-2309. More information is available at http://nengroup.com or http://nengroup.com/the-basics/products-and-services/ma-201-cmr-17/.

About NENGroup:

New England Network Group, Inc. (NENGroup) has been a full-service managed IT service provider to hundreds of New England area businesses for nearly 15 years. NENGroup's technical expertise, passionate customer service, highly trained staff, industry certifications, responsiveness, business savvy and ability to think outside the box provide its customers with the Technical Peace of Mind that permits them to keep their minds on their businesses, instead of on their computer equipment.
