UBP blog

07/15/2009

Are you aware of all the subtleties of the upcoming Massachusetts identity theft regulation (201 CMR 17.00)?

As some of you may already know, the Commonwealth of Massachusetts has adopted the strictest information security regulation in our nation to date (201 CMR 17.00) in order to protect its residents against identity theft. The regulation goes into effect January 1, 2010 and takes a far more proactive approach than the "data breach notification" laws that 40 other states have put into place: rather than only requiring notice after a breach, it prescribes safeguards that must be in place beforehand.

The regulation requires organizations that collect, maintain or transmit personal information about any Massachusetts resident to encrypt it to the extent technically feasible (the encryption requirement targets personal information transmitted over public networks or wirelessly, and personal information stored on laptops and other portable devices). It also requires organizations to develop, implement and monitor a Written Information Security Program (WISP). As you would expect, the regulation is highly complex, and we would like to alert you to the many subtleties that may prove challenging to your organization.

Process Monitoring Requirements:

The upcoming Massachusetts regulation requires organizations to monitor systems containing personal information so that they can determine who accessed such information, what was accessed and when. The purpose is to detect and prevent unauthorized access, and the monitoring can be done either electronically or manually. In practice, that means the records of access (audit logs or manual access logs) must not only exist but be reviewed regularly; a log nobody reads does not detect anything.

Revised regulations regarding assurance from third-party providers:

When the regulation was originally issued, it would have required every third-party service provider and vendor with access to the personal information of any Massachusetts resident to provide written certification of its compliance. That requirement has since been dropped; organizations are now required instead to do the following:

"(1) verify that its third-party providers have the capacity to protect the personal information that you give them access to, and (2) ensure that such third-party providers are applying protective security measures that are at least as stringent as those required under the new Massachusetts regulations."

It is still essential for you, as an employer, to evaluate how each of your third-party service providers handles your most sensitive information, and to document that evaluation, since the obligation to verify now rests with you rather than with a certification from the vendor.

As you can already see from the few subtleties mentioned so far, many organizations will have to adjust their procedures and re-think the way they do business in a short time.

Universal Benefit Plans has broken down the Massachusetts Information Security Legislation and will be presenting free 30-minute webinars throughout the month of June on this topic.

To view upcoming webinar dates and register for one, you can view the Events calendar on our website and click on the link for the date of the webinar you want to attend.

