Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, CISSP, CISM, CISA, PCI QSA
Massachusetts has introduced a tough new data protection law designed to prevent security breaches and identity theft. The state law is extremely interesting because it is the most comprehensive law surrounding data protection to date and could well result in other states following suit, as happened with data breach disclosure laws.
This law sets standards to be met by persons who own, license, store, or maintain personal information about a resident of the Commonwealth of Massachusetts. This includes any business that handles Massachusetts residents' sensitive data, regardless of where that business is located.
Introduction
Large-scale breaches have become increasingly common, and the companies that have made the headlines include, to name a few, TJX, Heartland, Hannaford, DSW and Forever 21; the list goes on. The UK government lost the personal details of 25 million British people. Massachusetts introduced 201 CMR 17 in what will undoubtedly turn out to be the first of many laws requiring organizations to put appropriate controls in place to prevent the loss of personal information. CMR 17 defines personal information as:
A Massachusetts resident's first name and last name, or first initial and last name,
in combination with any one or more of the following data elements that relate to such resident:
- Social Security number;
- driver's license number or state-issued identification card number; or
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
Who Must Comply?
The scope includes every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information.
Non-Compliance
If an incident occurs, organizations are required to alert the Office of Consumer Affairs and Business Regulation (OCABR) and the Attorney General, as well as the affected parties. The law also requires that when a company reports a breach, it also provides details of the steps that have been taken to prevent a breach from occurring again.
Every person who owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before January 1, 2010.
Are you ready for CMR 17?
The requirements of CMR 17 are based on the need to protect personal data. Organizations need to develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing personal information. Controls need to be in place so that the level of security matches the risk to the data. These are some of the questions that organizations need to ask:
- Do you have a written information security program that encompasses protection of personal data?
- Do you know where all your personal data is and have you segregated this information from less trusted network segments?
- Do you have security monitoring?
- Do you run vulnerability scans?
- Do you encrypt sensitive data?
How can BT help?
BT is one of the leading companies providing solutions in the data protection space. BT's world-leading professional services team can provide information and solutions that match the security requirements outlined by CMR 17. BT is recognized by the Payment Card Industry as a Qualified Security Assessor (QSA), which demonstrates a proven track record in auditing and providing solutions for organizations that need to protect personal information.
