Massachusetts Privacy Law - 201 CMR 17 Compliance

Implement security controls to protect systems containing Massachusetts residents' personal information from data loss

What is Mass 201 CMR 17?


In an effort to protect Massachusetts residents from the rising incidence of fraud and identity theft resulting from data loss, the State of Massachusetts has implemented aggressive regulatory requirements to protect personal information. The state now requires mandatory compliance with 201 CMR 17.00 - Standards for the Protection of Personal Information of Residents of the Commonwealth (also known simply as 201 CMR 17, or the Massachusetts Privacy Law). Building on California's landmark security regulation SB-1386, the Massachusetts Privacy Law establishes a minimum standard for the protection of Massachusetts residents' personal information (PI) contained in both paper and electronic records. For the purpose of compliance with the new Massachusetts data privacy law, PI is defined as a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to the resident:

  • Social Security number;
  • driver's license number or Massachusetts identification card number;
  • financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident's financial account; or
  • a biometric indicator.

The Massachusetts data privacy law has set a new level in state security laws by regulating both private and public sector entities that handle Massachusetts residents' sensitive data, regardless of where that entity is located. The law is intended to bring entities into alignment with both federal and industry security laws, including the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) enforced by the Federal Trade Commission (FTC) and the Payment Card Industry Data Security Standard (PCI-DSS) overseen by the PCI Security Standards Council. Its process and technical controls are aimed at preventing criminal activity from causing data breaches of either paper or electronic records containing PI. The requirement to secure electronic records covers PI on databases, laptops, applications, portable devices, and just about any other system in which electronic PI data can be either in transit or at rest.

Who needs Mass 201 CMR 17?

All persons, corporations, associations, partnerships or other legal entities with systems containing Massachusetts residents' personal information in transit or at rest are responsible for complying with the 201 CMR 17 regulations by March 1, 2010. The regulations also require businesses to complete internal and external security risk assessments prior to the effective date. The regulation applies regardless of whether the entities or the data are inside or outside state borders, and applies equally to private and public sector organizations.

Penalties for non-compliance

The penalties for non-compliance with 201 CMR 17 are enforced through Massachusetts General Law Title XV: Regulation of Trade, chapter 93A, section 4. Violators may be faced with a civil penalty of $5,000 for each violation, are required to pay the reasonable costs of investigation and litigation of such violation (including reasonable attorney’s fees), and are subject to additional civil action since 201 CMR 17 creates a baseline standard that allows plaintiffs in civil suits to argue that a business that lost data was negligent. Title XV also requires any data breach be reported to both the Office of Consumer Affairs and Business Regulation (OCABR) and the Attorney General.

What you need to be Mass 201 CMR 17 compliant

The new Massachusetts Privacy Law requires the following criteria be met:

  • an internal and external risk assessment of the human, physical, and technical environment based on the criteria outlined in 201 CMR 17
  • the computer security provisions in the regulation follow a risk-based approach and must be complied with to the extent that it is technically feasible, meaning that reasonable means must be used to accomplish a required result if reasonable technology is available
  • the results of the internal and external risk assessments must be documented in a Written Comprehensive Information Security Program (WISP)
  • the scope of the WISP must be reviewed at least annually, or whenever there is a change in business practices that may impact security controls

The OCABR published the 201 CMR 17 Compliance Checklist as an aid to be used by organizations themselves or by their auditors when conducting a risk assessment. Additional guidance on how and where to submit risk assessment results is expected from the state prior to the March 2010 deadline.

How Rapid7 Helps

Rapid7 provides the only unified threat management solution to help organizations understand risk and adopt best practices to protect their networks, operating systems, Web applications, databases, enterprise applications, and custom applications. Rapid7 helps leading organizations such as the Commonwealth of Massachusetts, Newbury Comics, PAREXEL, and Teradyne to mitigate risk and maintain compliance with Massachusetts security regulations. Whether you operate in the private or public sector, Rapid7 can help your organization secure your infrastructure in compliance with 201 CMR 17.

Use Rapid7’s Massachusetts Privacy Law Compliance Services to:

  • Scan entire infrastructure for vulnerabilities
  • Monitor access control policies and system logs
  • Identify exposures
  • Provide remediation plan
  • Guide you through writing your comprehensive Written Information Security Program (WISP)

Rapid7 will help you implement sound vulnerability management practices that ensure your entire infrastructure is protected from intruders, while guiding you step-by-step through the security controls required under Massachusetts Privacy Law 201 CMR 17.

To learn more about how Nexpose capabilities meet the requirements to comply with Mass 201 CMR 17, refer to the Rapid7 Massachusetts Privacy Law Compliance Guide.

Contact us to find out more about how Rapid7 can help you incorporate the Massachusetts Privacy Law into your on-going, prioritized, unified security management program.

  • Compliance Guide: Read how Rapid7 helps you become Mass 201 CMR 17 compliant
  • Analyst Report: Read the full EMA Impact Brief