The problem is that many small businesses don't have the time, money, or resources to devote to 201 CMR 17.00 compliance, and still others either have not heard of this regulation or feel they should not be subject to it.
There will certainly be many factors that will determine whether the AG's office pursues enforcement action following a data breach, including the specifics of the breach and how many Massachusetts residents may be affected. Signs of intentional criminal theft and the steps the victim organization takes following the breach would also prompt enforcement of the new law. Other factors will include the breached organization's size, resources available, adherence to its written information security policy (WISP) - a top requirement of MA 201 CMR 17 - and whether it was technically feasible for it to have implemented measures to prevent the breach.
While the compliance standards may seem overwhelming, there are checklists, guidelines, and frequently asked questions available at the Massachusetts Office of Consumer Affairs.
For those not yet in compliance, we recommend a fast-track approach by following three steps:
- Appoint a person in your office to act as the Information Security Manager (ISM).
- Write, implement, and approve a Written Information Security Policy (WISP). This is the core of the new regulation.
- Have the ISM train your staff on the new information security policy (the WISP) and audit compliance on a regular basis.
Your IT department (internal or outsourced) can help you with the technical requirements, but for those who lack the time or resources to write and implement such a plan, please call our office at 888-IT4-USA1 and speak to one of our compliance consultants.