Massachusetts Businesses: Are You in Compliance?
The Commonwealth of Massachusetts is setting minimum standards for the protection of personal information through MGL c. 93H and 201 CMR 17.00, which will affect nearly every single Massachusetts business.
FOR IMMEDIATE RELEASE
(Free-Press-Release.com) August 6, 2009 --
This regulation is inherent to Massachusetts General Law 93H (MGL 93H). It was written to define the security breaches and regulations for safeguarding the personal information of any Commonwealth of Massachusetts resident. This regulation implements the provisions of the law and describes what you need to have in place in your company in order to be compliant.
Why was MGL c.93H created? Why 201 CMR 17.00?
The Department of Consumer Affairs and Business Regulations issued this law and these regulations in response to the following data breaches:
·TJ Maxx (TJX) January 17, 2007
-Affected about 100 million account numbers
-Hacked several different ways - through wireless connections and kiosks
·Hannaford Supermarkets - between Dec. 7, 2007 and Mar 10, 2008
-More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.
·Other Security Threats
-Malware, viruses
In response, M.G.L. c 93H was enacted in November, 2007. Within the first 10 months after enactment of M.G.L. c 93H, the office of Consumer Affairs and Business Regulation received 318 notifications of security breaches.
10 involved data that was encrypted
69 involved data that was password protected
Total MA residents affected was 625,365
60% were due to stolen laptops or hard-drives and 40% were employee error or sloppy internal handling.
75% were in the financial services sector.
Massachusetts then took the lead in passing a new regulation -- 201 CMR 17.00 -- that required companies to implement a comprehensive data security plan that included encryption of all computer systems with personal information of a Massachusetts resident.
What Does This Mean to Your Business?
It means that the Commonwealth of Massachusetts is setting minimum standards for the protection of personal information, whether that information is stored in electronic or paper format. It means that if your company owns, licenses, stores or maintains personal information about a Massachusetts resident, YOU MUST take steps to comply with this new regulation.
What is Personal Information?
According to 201 CMR 17.00, personal information is defined as the First Name or First Initial, Last Name and any one or more of the following information:
·Social Security Number
·Credit Card or Debit Card Number
·State ID Card
·Bank or Financial Account Number
·Driver's License Number
If you are a business located in Massachusetts or you have employees who reside in Massachusetts and you have copies of driver's licenses, employment applications, personnel files or payroll information on those employees, YOU MUST take steps to comply.
If you accept credit cards and have the imprint of the card or the data from the magnetic strip, YOU MUST take steps to comply.
Submitted by:
Cathie Briggette
NSK Inc.
617-303-0480