Do you have clients or customers in Massachusetts? - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sun, Mar 7 2010 1:08 bradley

Do you have clients or customers in Massachusetts?

Do you hold key info about them like name and social security number?

You know what went into effect March 1st?

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

In a nutshell: if you have Massachusetts customers, and you hold their name together with an SSN, a credit card number, or anything else that would enable identity theft in the wrong hands, you need a written security program.

You also need:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
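A quick, read-only way to see where a single Windows box stands against items (1)(e), (5), (6) and (7) of that list. This is an added example, not code from the original post; it assumes a Windows 8 / Server 2012 or later host with the BitLocker, NetSecurity and Defender cmdlets and English `net accounts` output, and the 30-day patch and 7-day signature windows are assumptions, not figures from the regulation.

```powershell
# Added example: self-check of one host against 201 CMR 17.04 items (1)(e), (5), (6), (7).
# Assumes Windows 8 / Server 2012+ cmdlets; older SBS hosts report "not assessable".
$findings = @()

function Add-Finding($Item, $Pass, $Detail) {
    $script:findings += [pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail }
}

# (1)(e) lockout after repeated failed logons: read the local policy from "net accounts".
# Assumes English output; the label differs on localized systems.
$threshold = (net accounts | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
Add-Finding '17.04(1)(e) lockout' ($threshold -ne 'Never') "Lockout threshold: $threshold"

# (5) encryption of stored personal information: BitLocker protection on every volume.
try {
    $unprotected = @(Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' })
    Add-Finding '17.04(5) storage encryption' ($unprotected.Count -eq 0) `
        ("Unprotected volumes: " + (($unprotected | ForEach-Object MountPoint) -join ', '))
} catch { Add-Finding '17.04(5) storage encryption' $null 'BitLocker cmdlets not available' }

# (6) firewall and OS patches: every firewall profile enabled, and a recent hotfix installed.
# 30-day window is an assumed operational threshold, not a figure from the regulation.
try {
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    Add-Finding '17.04(6) firewall' ($off.Count -eq 0) ("Disabled profiles: " + (($off | ForEach-Object Name) -join ', '))
} catch { Add-Finding '17.04(6) firewall' $null 'NetSecurity cmdlets not available' }
$lastPatch = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
Add-Finding '17.04(6) OS patches' ($lastPatch -and $lastPatch -gt (Get-Date).AddDays(-30)) "Last hotfix: $lastPatch"

# (7) malware protection with current definitions: Defender on, signatures under 7 days old (assumed window).
try {
    $mp = Get-MpComputerStatus
    Add-Finding '17.04(7) malware protection' ($mp.AntivirusEnabled -and $mp.AntivirusSignatureAge -le 7) `
        "AV enabled: $($mp.AntivirusEnabled); signature age (days): $($mp.AntivirusSignatureAge)"
} catch { Add-Finding '17.04(7) malware protection' $null 'Defender cmdlets not available' }

$findings | Format-Table -AutoSize
```

A `Pass` of `$null` means the check could not be run on that host, which is itself a finding to follow up rather than a pass; items (2), (3), (4) and (8) are process controls and need evidence outside the machine.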

Oh yeah, and you needed it in place by March 1st.

Got all that?


# re: Do you have clients or customers in Massachusetts?

Sunday, March 07, 2010 7:38 AM by Greg Charland

I'm based in Mass so we've been working on this for a while. I have set up a page with some small business guidance and resources at www.charlandtech.com/mass201cmr17.aspx

Most of the requirements of the law are closely aligned with our best practices. If you're in good shape then the "real" work is appointing your Info Security Manager; writing your Written Info Security Program; and setting up compliance monitoring/auditing.

In reality there are no resources to enforce this law, and lots of ambiguities and unanswered questions. The key at this point: If you suffer a data loss event because you're not properly protected you can expect multiple fines and lawsuits.

# re: Do you have clients or customers in Massachusetts?

Sunday, March 07, 2010 8:03 AM by David Moisan

SATV is, of course, in Massachusetts and serves MA clients, to wit, the membership and community of Salem. We charge for membership, but we're a cashbox economy; our executive director is allergic to plastic.

We got some LOB software recently for making equipment reservations.  One of the options is to identify members by SSN.  Eeeeeeepppp!   THAT I consider radioactive.  We've never done that and don't even have ID photos on our membership cards.

The gist of my analysis is that SATV falls just outside the new privacy laws since we do not keep SSN or credit card info.

However, as we are already in compliance with the rules in many ways, I'm going all the way for SATV to be fully compliant.  I only now need to write a privacy policy, and a report for our board, and send them along so the former can be put on our website.

Without even talking to others in MA, it's a certainty that many businesses aren't yet compliant.  Some, like ourselves, are very close to compliance.  Others are "We've heard of it" and still others, "LOLWHUT?!"

# re: Do you have clients or customers in Massachusetts?

Sunday, March 07, 2010 1:49 PM by Justin

This rule set actually came about from the DISA STIGs that the military uses (iase.disa.mil/.../index.html). While they're a pain, implementing a policy like this should be in every business's best interest. Note: I was a DoD contractor for a few years.

At home and work, I use a lot of the STIG info to help with security. So far, I haven't had any type of infection.

I've managed to switch a few of my customers as well and while it's painful for the first two weeks or so, they understand the need for it and have been pretty happy with the security it provides.