CIO has a story detailing new privacy and security laws in Massachusetts and how they affect US companies.
Massachusetts has enacted data privacy and data security regulations that will make it eke out California for the most wide ranging state privacy and security laws — laws that are likely to impact the policies, practices, procedures, contracts and training used by companies nationwide. […]
Beginning on January 1, 2009, all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program, conduct internal and external security reviews and complete employee training regarding their programs. While the efficacy of a security program will be determined based on the relative size of a company and the type and amount of data a company maintains, the standards clearly state that a security program needs to contain, at a minimum:
- […] Identify and assess the internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information. […]
- Develop security policies that set forth whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises.
- Prevent terminated employees from accessing records containing personal information by immediately terminating access.
- Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including:
- […] Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with legal requirements
- Require an audit/inventory to identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, unless the security program provides for the handling of all records as if they all contained personal information. […]
- Regularly monitor to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks.
- Review the scope of the security measures on at least an annual basis or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Document incident responses involving a breach of security, and changes in business practices resulting from the incidents.
“The standards also provide the following minimum technical requirements for computer systems that electronically store or transmit personal information regarding Massachusetts residents,” including secure user ID protocols, secure access controls, data encryption, and monitoring of systems of unauthorized access or use.
I discussed Massachusetts and other states’ new laws on privacy and security a few weeks ago.