CCZ CONSULTING
The requirements of the Massachusetts Privacy Regulations (201 CMR 17) are specific. Private Information of a Massachusetts resident is defined as a Massachusetts resident's first and last name, or first initial and last name, plus one or more of the following: Social Security number, driver's license number or state-issued ID card number, or financial account number, credit or debit card number. Once this threshold is met, a non-governmental organization, no matter where it is based, is required to comply. Key requirements include:

1. Ensure a business need for private information.
2. Identify and assess risks to private information.
3. Develop, implement, maintain and monitor a comprehensive written information security program (WISP).
4. Train employees with access to private information to ensure legal obligations are met.
5. Encrypt laptops and other portable devices. Also encrypt when transmitting information wirelessly or on public networks.
6. Monitoring and enforcement.
7. Deal with breaches per regulations.
On November 4, the Commonwealth issued what it said were the Final Data Security Regulations. The principal difference was to clarify the deadline for third-party compliance. If an entity uses a third party to handle data, the contract must include safeguard provisions by March 1, 2012. Existing contracts are not required to be updated before March 1, 2012, but new or renewal contracts executed after March 1, 2010, must include the provision. We have a copy of the final regulations and a comparison of the August version and final regulations.
We have more details available in a free PowerPoint. Please complete the entries below and we will send it to you:
Mass Privacy Basics

Serving Boston, New York and the Northeast from Holliston, Massachusetts