Trusttone

Massachusetts Regulation 201 CMR 17 - The IT Manager's Perspective
2009.12.05 01:01:05 Rajesh Kanungo

Protection of Personal Information of Residents of the Commonwealth

This blog post captures the essential aspects of the Massachusetts Personal Information law. More details are available in white paper form elsewhere on the site.

Massachusetts adopted 201 CMR 17 on Sept. 22, 2008; the regulation requires all organizations that own, license, store or maintain Personal Information of residents of the Commonwealth of Massachusetts to protect it. Personal Information is defined as the first name, last name, the initials, or any combination of them, together with one or more of the following data elements: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.

The IT manager must start out by identifying all the forms in which Personal Information exists in the organization, assess the risk of a security breach of that information and improve, where necessary, the protection of Personal Information. Improvements include the use of encryption, access controls that limit access to authorized personnel only, the ability to revoke access, intrusion prevention systems, intrusion detection systems, monitoring and logging of systems including access to Personal Information, keeping systems up-to-date with security patches, ensuring that Personal Information on mobile devices is encrypted, removing access for terminated employees, ensuring that Personal Information sent over the Internet is encrypted, etc. Most IT managers are already familiar with the security measures described above; what is new is that the regulation requires a certain amount of administrative and process overhead, including training, monitoring, reporting, etc.

Encrypted Email and Saving Money

One area where the regulation can actually save an enterprise money is section 17.04(3), which requires encryption for Personal Information sent over the Internet. The use of encrypted email can reduce mailing and handling costs for enterprises, apart from saving time. For example, encrypted email can contain not only Personal Information but also loan documents, medical reports including x-rays, bills, etc. Email is easy to use, and an intelligent email encryption system can use policies to ensure that anything containing Personal Information gets automatically encrypted.

Stealth Email Encryption Appliances

The TrustTone Stealth Encrypted Email appliances use policies to scan emails for Personal Information and other content that an organization deems confidential, and encrypt the emails as required. This automation and ease of use reduces the effort required to train employees, reduces accidental exposure of Personal Information, enables logging of external transmission of Personal Information, etc.
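To make the policy-based scanning described in the last two sections concrete, here is an added example of an outbound-mail classifier that applies the 201 CMR 17 definition quoted above: a message must be encrypted when it contains a resident's name together with at least one of the listed data elements. This is illustrative code written for this post, not the TrustTone appliance's own logic or any other product's code. The customer name list and sample messages are constructed, and the detection patterns (a formatted SSN, a Luhn-valid card number, a labelled account number) are assumptions standing in for the richer detectors a real policy engine would use.

```python
import re
from dataclasses import dataclass, field

# Constructed sample directory of resident names. Assumption: a real policy
# engine would draw names from a customer/identity store or use a proper
# name detector; a fixed set keeps the example self-contained.
KNOWN_RESIDENTS = {"Jane Doe", "John Smith"}

# Assumed patterns for the 201 CMR 17 data elements (a) and (c).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below
# so that arbitrary long numbers (tracking ids, timestamps) do not trigger.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A financial account number labelled as such in the text.
ACCOUNT_RE = re.compile(
    r"\baccount\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{6,17})\b", re.IGNORECASE
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class PolicyDecision:
    encrypt: bool                      # True when the message must be encrypted
    names: list = field(default_factory=list)     # resident names found
    elements: list = field(default_factory=list)  # data element kinds found


def classify_message(body: str, known_names=KNOWN_RESIDENTS) -> PolicyDecision:
    """Apply the 201 CMR 17 rule: name + at least one data element => encrypt."""
    lowered = body.lower()
    names = sorted(n for n in known_names if n.lower() in lowered)

    elements = []
    if SSN_RE.search(body):
        elements.append("ssn")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            elements.append("card_number")
            break
    if ACCOUNT_RE.search(body):
        elements.append("financial_account")

    # Encryption is required only for the combination of identity and element;
    # either one alone is logged for review but does not trigger encryption.
    return PolicyDecision(bool(names) and bool(elements), names, elements)


if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    samples = [
        "Hi Jane Doe, your SSN 123-45-6789 is now on file.",
        "Card 4111 1111 1111 1111 was charged today.",
        "Meeting with John Smith at 3pm in room 4.",
        "John Smith, account number: 00123456789 is overdrawn.",
    ]
    for s in samples:
        print(classify_message(s))
```

Messages that carry a data element without a name (the second sample) are not encrypted under this rule, which is exactly the kind of gap a policy should log so the IT manager can decide whether the organization's own confidentiality rules should be stricter than the statute.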

The choice is simple: save money and comply with the law by using encrypted email OR don't use any email for fear of violating the law, paying fines, and getting sued for treble damages.

Summary

Most IT managers are already familiar with the security measures described above; what is new is that the regulation requires a certain amount of administrative and process overhead, including training, monitoring, reporting, etc. There are places where the IT manager can save money for the organization.


Tags: 201 CMR 17 | Massachusetts | Privacy law

 
Reply this post
Name:

E-mail:

  Enter text shown in left: