ATTENTION MASSACHUSETTS BUSINESSES
On March 1, 2010 all Massachusetts organizations “who own or license personal information about a resident of the Commonwealth of Massachusetts” must comply with a new Massachusetts State Law entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth” (also known as Mass 201 CMR 17).
WHAT IS THE PURPOSE OF THE LAW
The Massachusetts law is the first in the nation to require specific technology when protecting personal information. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The purpose of Mass 201 CMR 17 is to:
(a) Ensure the security and confidentiality of personal information;
(b) Protect against any anticipated threats or hazards to the security
or integrity of such information;
(c) Protect against unauthorized access to or use of such information
in a manner that creates a substantial risk of identity theft or fraud
KEY REQUIREMENTS
The regulation requires that to the extent technically feasible, all personal information stored on laptops or other portable devices must be encrypted (“data at rest”), as must all records and files transmitted across public networks or wirelessly (“data in transit”), to the extent technically feasible. To satisfy the requirements of the law encryption means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
Personal information is defined as a Massachusetts resident's name in combination with any one of the following data elements– with or without a security code, access code, PIN, or password that would permit access to a resident’s financial account:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number or credit/debit card number
WHAT ORGANIZATIONS ARE IMPACTED?
This new legislation affects all organizations that own or license personal information of Massachusetts residents — regardless of the size or location of the business. And, organizations must require and oversee that third-party service providers with access to personal information also comply with the new law. Organizations affected include:
- Businesses that track customers by account numbers (such as healthcare institutions and related vendors)
- Retailers that accept credit cards for purchases by Massachusetts customers
- Financial institutions (such as banks, insurers, or brokerages) with customers residing in Massachusetts
- Companies with branch offices located in Massachusetts
HOW VENYU CAN HELP YOUR BUSINESS BECOME COMPLIANT
As a business grade provider of online backup and disaster recovery solutions Venyu continually secures and protects your confidential data from unauthorized access, ensuring your organization’s compliance with Mass 201 CMR 17.
- Fully encrypted data from ingestion and transmission to storage and recovery. Whether in-flight or at rest, Venyu’s end-to-end backup and recovery solution ensures your data remains fully encrypted at all times. No additional hardware, management or maintenance required.
- Online backup and recovery virtually eliminates onsite theft. Venyu’s online backup and recovery solution substantially reduces the risk of internal theft of tapes for the purpose of identity fraud. To ensure its continuity and integrity, a digital “handshake” confirms the data sent is equivalent to the data received.
- Password protected access controls. Built-in access controls, audit logs and an infrastructure that is backed by a SAS 70 (Type II) audit satisfies regulatory compliance.
- Secure Facilities. Venyu’s geographically diverse, Tier IV data storage facilities including biometric and on-camera controls ensures your data is never at risk from unauthorized access or environmental failures. Venyu’s datacenters are monitored and equipped with redundant power and telecommunication supplies, climate controls and fire suppression systems.
- Redundancy at every level. Venyu provides multiple tiers of firewall and network perimeter defense and 24/7 vault and bandwidth monitoring. In addition, your backup data is replicated to another premier datacenter, separated by over 1,500 miles for the ultimate in business contingency and service continuity.
NEXT STEP RESOURCES
Read the press release from the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) about the new law that takes effect on March 1, 2010.
Download a complete copy of the Massachusetts Privacy Law and the 201 CMR 17.00 FAQ from the Massachusetts OCABR to assess the impact on your organization.
If you are a small business, review the small business checklist published by the Massachusetts Office of Consumer Affairs and Business Regulation (OCBAR) and the Small Business Guide for Formulating a Comprehensive Written Information Security Program.
Call Venyu. Venyu’s technical expertise and unmatched experience in end-to-end encryption is available to help your organization comply fully with this new Law. Contact us at 866-978-3698 for more information or to request a quote.