MA 201 CMR 17 Revisited
Though the deadline for MA 201 compliance has been extended until the end of the quarter, it’s a good time NOW to review what this regulation means to you and your business.
I must start with the usual “ask Gary” disclaimer – I’m not a lawyer, but the regulation is pretty easy to read (compared to many others) and I recommend anyone subject to it print it out and pay attention.
So, how do you know if you’re subject to MA 201 CMR 17 or not? Let’s start from the top of the regulation itself:
The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.
So no, you don’t have to be doing business in MA, you don’t have to live in MA yourself, you don’t have to have a bank in MA, etc. If you’re a rutabaga farmer in Sendaria (David Eddings reference), and for some obscure reason you have PII of someone in Massachusetts, you are undeniably subject to this regulation. Note that “personal information” is a defined term in the regulation (17.02): a Massachusetts resident’s name combined with a Social Security number, a driver’s license or state ID number, or a financial account or payment card number. A list of names alone does not trigger it; a name next to one of those identifiers does.
Now that’s out of the way what do you have to do?
1. Create a comprehensive written information security program (WISP) for your organization, covering items such as employee training, measuring compliance with the program, auditing and detecting failures, restricting access and access controls, documenting responses to incidents, etc.
2. If you handle the data electronically, your program also needs to cover computer system requirements such as secure user authentication (user ID controls, unique identifiers and passwords) and access controls.
3. You need to encrypt all personal information sent over public networks or wirelessly, encrypt all personal information stored on laptops and other portable devices, keep anti-virus and patches reasonably up to date, monitor systems for unauthorized access, etc.
That’s all there is to it. Scott D. Schafer, chief of the consumer protection division for the Massachusetts Office of the Attorney General, said:
“What we don’t want to read about in the [newspapers] is a breach that we should’ve been notified about. That’s going to cause problems.”
So, as usual, and as other MI laws already require, the duty to report breaches is as necessary as ever.