MASS CMR 201 17.00

New Regulations for Protection of Massachusetts Residents’ Personal Information

Code of Massachusetts 201 17.00 deals with the protection of personally identifying information. These guidelines were enacted as law, and deal with information security standards and notification of security breaches. The laws apply to businesses that “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”. Massachusetts is not the first state to enact such laws, but rather has followed the new trend of creating regulations based around information security and the protection of state residents.

Personally Identifiable Information (referred to as PII) is loosely defined as a data entity that includes the first name or first initial and the last name, combined with other non-public information such as financial account numbers, social security numbers, driver’s license numbers, or PIN numbers, which together create a unique profile of a person. The combination of these factors would be useful in assuming an identity or committing fraud using another party’s name. The Commonwealth of Massachusetts declares that lawfully obtained, publicly accessible information is excluded from being categorized as PII, as is information gathered in good faith. Oddly enough, Mass CMR 201 17.00 does not apply to state government, but a separate executive order (501) does.

Compliance with Mass CMR 201 17.00 was originally slated to be implemented by January 1, 2009, but this deadline was moved back to May 1, 2009. Recently, the implementation due date was moved back even further: the new date of required compliance has been declared to be January 1, 2010. Some have speculated on the need for these delays. Commonly cited reasons include lack of awareness, implementation costs and a lack of clarity in the regulations. With any new law, time is needed to research the requirements mandated by the legislation, and resources need to be applied to meet the criteria specified. In the case of Mass CMR 201 17.00, many of the objectives overlap with computer security best practices and other computer security standards that an organization may already have in place.

The Mass CMR 201 17.00 regulations consist of two subcomponents: the duty to protect personally identifying information of Massachusetts residents, including the standards for protecting PII, and the computer security requirements for the safe storage and transmission of PII.

Duty to Protect and Standards for Protecting Personal Information

This section is mainly administrative, outlining the overall plan to identify a business’ data assets and data security needs. As with almost any computer security audit, the written policy document is the key piece of the puzzle: without it, there is no mark to measure against and no metric by which success can be judged. By having this baseline in place, the organization can identify shortcomings in its procedures and policies. The requirements address the need for awareness of the policies as well as the need for training of staff to comply with the requirements in daily practice. In practice, many of these items may be in place due to other business requirements imposed by federal guidelines, industry associations or third party requirements. For example, a good SAS70 certification will call for a written plan that touches upon all of the items below, but may not specifically address the personal information of Massachusetts residents. In Massachusetts terminology, this plan is called the WISP (Written Information Security Program).

  • The policy should take into account the size, scope, resources available, the data stored and the need for performance of the duty to protect the information.
  • The policy should designate who is responsible for the maintenance of the information security policy.
  • The policy should identify data environment risk.
  • The policy should define data policies, including approved transport methods, approved data storage and approved data access methods.
  • The policy should address the security of physical media, retention and disposal of such.
  • The policy should account for employee data standards training and compliance with the policy.
  • The policy should include language on handling termination of employee accounts and access.
  • The policy should include disciplinary measures for noncompliance with the policy.
  • The policy should provide for a method of testing the effectiveness of security measures.
  • The policy should include language that specifies periodic review and updating the policy to meet the changing data environment.
  • The policy should include validation of the requirements in the case of service providers.
  • The policy should include information on how to react to a breach of security.

Computer System Security Requirements

This section is more technical in nature, and deals with the implementation of data protection methods. The user account controls are in line with best practices, but notably ignore password strength and complexity rules. Specific to Mass CMR 201 17.00, transport of data is addressed. Notebooks that contain PII of Massachusetts residents require encryption, but the rules do not specify that the laptop use whole disk encryption. Also in this section is language addressing the need for system and software patch policy, antivirus/antimalware and the use of a firewall.

User accounts in the data environment must:

  • Be unique to the user.
  • Have a secure method of user access control: passwords, biometrics, or tokens.
  • Use account lockout to prevent password guessing.
  • Have a method of terminating inactive user accounts.
  • Restrict access, based on user account, to those accounts that need access for performance of duties.
  • Be monitored for unauthorized access.

Data transport:

  • When sending information over the public internet, use encryption technologies.
  • When using wireless access, the transmission of PII must be encrypted.

Computer systems:

  • Must be up to date with system software patches and use an up to date firewalling technology.
  • Must have up to date antivirus software, including a malware component.
  • Laptops must encrypt PII data.
  • Must keep control of password files or hashes.

The Massachusetts Office of Consumer Affairs and Business Regulation has produced a handy checklist that can be used when determining if an organization is in compliance or when trying to implement a compliance plan. This resource can be found at http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf.

Mass CMR 201 17.00 has been called the “most comprehensive” of the security policy laws that states have passed. Nevada’s Rev. Stat. § 597.970(1) demands encryption when passing customers’ personal information between entities, and Connecticut’s laws deal mainly with protecting social security numbers. By designing a corporate infrastructure and corporate policy base compatible with Mass CMR 201 17.00, an organization is preparing itself to deal with lesser laws in other states, and also for any other laws which may be based on the Mass 201 17.00 standard.

Obviously, when individual state laws apply to the information resources maintained by a nationwide business, the process of implementing the differing controls becomes convoluted. Although requirements do overlap in some areas, the specifics of each set of laws are worded differently and do have facets that are unique. A better implementation would be to compile the varied state requirements into a single document, and have the federal government pass these requirements on to each state for ratification, ensuring that all PII is covered by a nationwide standard.

Data is an asset. With the right information and the right connections, personally identifiable information can be sold to those who would use it to commit financial or identity fraud. With more and more information finding its way onto the Internet, massive data breaches have become a common occurrence. Datalossdb.org, a compiler of information having to do with loss of data, has identified 559 separate incidents covering 83,495,271 records in 2008 alone. As the issue of data loss has gained public attention, government agencies have answered the call to implement laws to protect their citizens.

As of March 2009, only 6 states do not have a law regarding data loss notification: Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota. All other states have enacted laws regarding data breaches. Most states require notification of affected parties when a data breach occurs. These notification laws are separate from data protection laws, but it is easy to imagine that they could be combined with forthcoming data security measures in those states that have not enacted such legislation.

The Massachusetts Office of Consumer Affairs and Business Regulation has issued a statement on the costs that may be incurred by a company implementing a compliance effort. The study has determined that implementation for their model small business (around 10 employees) should cost in the neighborhood of $3000.00, with an additional $2000.00 benchmark for implementing encryption. These numbers are highly suspect, as each business has a unique situation with regard to the data stored, existing controls, business processes and other factors.

The question of whether or not Mass CMR 201 17.00 will be effective is unanswered. Some feel that the regulations will be overshadowed “…by a federal law in the next several years, which makes them, and 201 CMR 17.00, obsolete…”. The system regulations enacted in Mass CMR 201 17.00 are really basic security best practices, and as previously noted, have a large amount of crossover with other standards that many organizations already need to comply with. As a counterpoint, it should be considered that a good number of businesses do not have these procedures in place, and being forced to comply with the regulations imposed by Mass CMR 201 17.00 is a positive step in the right direction. At the very least, forcing an organization to create a written security policy creates a need to consider the business procedures and practices as they relate to protecting corporate information assets.