What is the purpose of CMR 17?

CMR 17 establishes a standard set of regulations on how businesses protect and store Massachusetts residents’ personal information.  Any security breach must be reported to the Attorney General, the Director of Consumer Affairs and Business Regulation, and the affected resident(s).

Who does CMR 17 affect?

CMR 17 applies to all businesses who compile or maintain records that include personal information. No company is exempt and the Attorney General has the enforcement role under the statute.

When does CMR 17 become effective?

• Effective March 1, 2010 (previously January 1, 2010)
• The general compliance deadline for 201 CMR 17.00 is March 1, 2010
• The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so is     March 1, 2010
• The deadline for ensuring encryption of laptops is March 1, 2010
• The deadline for ensuring encryption of other portable devices (i.e., memory sticks, DVDs, PDAs, etc.) is March 1, 2010

Prior to the effective dates, businesses must complete internal and external security risk assessments and provide employee training.

Personal Information is considered a resident's first name and last name or first initial and last name, and one or more of the following:

• Social Security number
• Driver's license number or state-issued ID card number
• Financial account number or credit or debit card number (with or without any type of security or access code or password)

What are the Main Security Program Requirements:

• Designate one or more employees to maintain the security program
• Evaluate internal and external risks and improving current safeguards against such risks
• Develop policies regulating employees' ability to keep, access and transport records outside work
• Complete Employee training
• Disciplinary measures for violations

What do we need to do?

• Companies must develop and implement a comprehensive written information security plan to create effective administrative, technical and physical safeguards of personal information:
• Ensure the security and confidentiality of personal information
• Protect against any anticipated threats or hazards to the security or integrity of such information
• Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud

Computer Systems Security:

• Secure user authentication protocols
• Secure access control measures
• Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly
• Reasonable monitoring of systems to prevent unauthorized use and/or access
• Encryption of all personal information stored on portable devices (i.e. laptops)
• Up-to-date firewall protection and operating system security patches for systems connected to the internet
• Identify and know location of this information in both structured and un-structured data
• Up-to-date versions of system security agent software which must include malware protection and up-to-date patches and virus definitions
• Education and training of all employees on the proper use of the computer security system and importance of personal information security

Note: Businesses that store or maintain electronic records, and do not have in-house IT resources or regular access to providers of IT services, will probably need to hire someone to provide these services/resources, even if only on a one-time or part-time basis.