WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS


Introduction

Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or transmittal of personal information. These dual requirements recognize the challenge of conducting business in a digital world and reflect the manner in which most investment advisers presently conduct their advisory business. The Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) establishes a duty to protect personal information (defined as a combination of a name along with a Social Security number, bank account number, or credit card number); sets forth standards for the protection of such personal information; and mandates the development of a security system covering a company's computers. In brief, the Massachusetts data security regulations require businesses that own or license personal information about Massachusetts residents to develop a comprehensive information security program that contains administrative, technical and physical safeguards for the protection of personal information. These measures must (i) be commensurate with the size and scope of the advisory business and (ii) contain administrative, technical and physical safeguards to ensure the security of such personal information. In addition, companies that store personal information on portable devices (e.g., laptops, PDAs and flash drives) or transmit personal information wirelessly or on public networks must deploy encryption and protect against data leakage. The regulations define the phrase "owns or licenses" as receiving, maintaining, processing or otherwise having access to personal information.

Standards for Protecting Personal Information

The Massachusetts regulations are quite specific as to what measures are required when developing and implementing an information security plan. Such measures include, but are not limited to:

- Designating one or more employees to maintain the comprehensive information security program;
- Identifying and assessing internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, current safeguards for minimizing risks, including, but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures;
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises;
- Imposing disciplinary measures for violations of the comprehensive information security program rules;
- Preventing terminated employees from accessing records containing personal information;
- Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with the regulations and any applicable federal regulations;
- Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information;
- Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers;
- Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrading information safeguards as necessary to limit risks;
- Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information; and
- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Computer System Security Requirements

The Massachusetts regulations require that an information security program include security procedures that cover a company's computer systems. Pursuant to Massachusetts law, any business that uses computers to store personal information about Massachusetts residents must, at a minimum, have the following elements in its information security program:

- Secure user authentication protocols, including (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only; and (v) blocking access to user identification after multiple unsuccessful attempts to gain access, or the limitation placed on access for the particular system;
- Secure access control measures that (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and (ii) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly;
- Reasonable monitoring of systems for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices;
- For files containing personal information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
- Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which is set to receive the most current security updates on a regular basis; and
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
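The computer-system elements above lend themselves to an automated checklist that a firm can run against each system holding personal information. The following is an added example, not code from the white paper or from U.S. Compliance Consultants; the inventory fields, the 90-day dormancy and 30-day patch thresholds, and the fixed reference date are assumptions for illustration, since the regulation only says "multiple unsuccessful attempts" and "reasonably up-to-date". Finding labels follow the order in which the elements appear above (1 = authentication, 2 = access control, and so on).

```python
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2024, 1, 15)  # fixed reference date so the example is deterministic (assumption)

@dataclass
class Account:
    user_id: str
    active: bool
    last_login: date
    vendor_default_password: bool  # still on the password the vendor shipped?

@dataclass
class SystemInventory:
    accounts: list
    lockout_threshold: int       # failed logins before lockout; 0 = none configured
    public_transit_encrypted: bool
    wireless_encrypted: bool
    portable_device: bool        # laptop, USB drive or similar
    storage_encrypted: bool
    firewall_enabled: bool
    last_os_patch: date
    malware_protection: bool
    monitoring_enabled: bool

def evaluate(inv):
    """Return the elements from the list above that this inventory fails (empty = pass)."""
    stale = TODAY - timedelta(days=90)  # assumed dormancy threshold for "active users only"
    ids = [a.user_id for a in inv.accounts]
    dormant = [a.user_id for a in inv.accounts if a.active and a.last_login < stale]
    defaults = [a.user_id for a in inv.accounts if a.vendor_default_password]
    checks = [  # (condition that must hold, finding reported when it does not)
        (len(ids) == len(set(ids)), "1(i): user identifiers are not unique"),
        (not dormant, "1(iv): dormant accounts still enabled: " + ", ".join(dormant)),
        (inv.lockout_threshold > 0, "1(v): no lockout after repeated failed logins"),
        (not defaults, "2(ii): vendor default passwords in use: " + ", ".join(defaults)),
        (inv.public_transit_encrypted and inv.wireless_encrypted, "3: personal information transmitted unencrypted"),
        (inv.monitoring_enabled, "4: no monitoring for unauthorized access"),
        (inv.storage_encrypted or not inv.portable_device, "5: portable device stores personal information unencrypted"),
        (inv.firewall_enabled and (TODAY - inv.last_os_patch).days <= 30, "6: firewall disabled or OS patches older than 30 days"),
        (inv.malware_protection, "7: no security agent / malware protection"),
    ]
    return [finding for ok, finding in checks if not ok]

# Constructed sample: an adviser's laptop with a dormant default-password admin account and no disk encryption
SAMPLE = SystemInventory(
    accounts=[Account("jsmith", True, date(2024, 1, 10), False),
              Account("admin", True, date(2023, 6, 1), True)],
    lockout_threshold=5, public_transit_encrypted=True, wireless_encrypted=True,
    portable_device=True, storage_encrypted=False, firewall_enabled=True,
    last_os_patch=date(2024, 1, 2), malware_protection=True, monitoring_enabled=True)
```

Running `evaluate(SAMPLE)` reports the dormant admin account, the vendor default password and the unencrypted portable storage, which are exactly the gaps a reviewer would raise against the list above.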

As can be seen from the above list, what the Massachusetts regulations have generously provided to advisers is, in effect, a shopping list that they can take to their nearest computer consultant. Investment advisers would be well-advised to turn each of the above listed elements into a computer security checklist, find a reputable computer specialist and outsource the project to people who have the expertise to equip their computer systems with the requisite security capabilities.

About the Author

Scott Gottlieb is the founder and President of U.S. Compliance Consultants. Mr. Gottlieb brings to U.S. Compliance Consultants more than 17 years of experience in developing, implementing, and monitoring compliance programs for investment advisers and hedge funds. U.S. Compliance Consultants is a full-service consulting firm that specializes in registration and compliance support services for investment advisers. U.S. Compliance Consultants' services include investment adviser registration, development of written compliance and supervisory procedures, compliance training, annual compliance reviews and mock compliance audits. U.S. Compliance Consultants can customize a compliance solution to fit the exact needs of your advisory firm.

15 East Putnam Avenue, Suite 286, Greenwich, CT 06830-5424
Phone (888) 798-2930
Fax (203) 702-5420
www.uscomplianceconsultants.com