Massachusetts State Regulations for Prevention of Identity Theft
201 CMR 17.00 (also written CMR 17 or CMR17)
In 2007, the Massachusetts Legislature passed Chapter 93H of the General Laws, a statute entitled "Security Breaches." The Office of Consumer Affairs and Business Regulation (OCABR) then issued regulations under the statute, 201 CMR 17.00. The announced effective date of the regulations has been pushed back several times; the current scheduled effective date is March 1, 2010.
Once the regulations take effect, any business that holds "personal information" about a Commonwealth resident will be required to follow a defined set of procedures and safeguards to protect that information, described below.
Massachusetts State Press Release 08/17/09
What is CMR 17?
CMR 17 is the short name for 201 CMR 17.00, "Standards for the Protection of Personal Information of Residents of the Commonwealth," identity theft prevention regulations issued by the Massachusetts Office of Consumer Affairs and Business Regulation under M.G.L. Chapter 93H.
What is the purpose of CMR 17?
CMR 17 sets a standard for how businesses protect and store Massachusetts residents' personal information: every person or business that owns or licenses such information must develop, implement and maintain a written information security program. Under the companion statute, Chapter 93H, any security breach must be reported to the Attorney General, the Director of Consumer Affairs and Business Regulation, and the affected resident(s).
Who does CMR 17 affect?
CMR 17 applies to every person or business, wherever located, that owns or licenses personal information about a Massachusetts resident, whether the records are electronic or on paper. There is no exemption by company size or sector, although the safeguards required are to be scaled to the size and resources of the business and the amount and sensitivity of the data it holds. The Attorney General has the enforcement role under the statute.
When does CMR 17 become effective?
On August 17, 2009 the deadline was postponed to March 1, 2010 (it had previously been January 1, 2010):
- The general compliance deadline for 201 CMR 17.00 is March 1, 2010
- The deadline for taking reasonable steps to select third-party service providers capable of protecting personal information, and for contractually binding them to do so, is March 1, 2010 (service contracts entered into by that date are treated as compliant until March 1, 2012 even if they lack the contractual clause)
- The deadline for ensuring encryption of laptops is March 1, 2010
- The deadline for ensuring encryption of other portable devices (e.g., memory sticks, DVDs, PDAs) is March 1, 2010
Before the effective date, businesses must complete internal and external security risk assessments and provide employee training; both are required elements of the written program described below.
What is considered "Personal Information"?
Personal Information is a resident's first name and last name, or first initial and last name, in combination with one or more of the following:
- Social Security number
- Driver's license number or state-issued ID card number
- Financial account number, or credit or debit card number (with or without any required security code, access code, personal identification number or password)
Information lawfully obtained from publicly available sources, or from federal, state or local government records lawfully made available to the public, is not personal information under the statute.
What are the Main Security Program Requirements?
- Designate one or more employees to maintain the security program
- Identify and assess reasonably foreseeable internal and external risks, and evaluate and improve the effectiveness of current safeguards against them
- Develop policies regulating employees' ability to keep, access and transport records containing personal information outside business premises
- Complete employee training
- Impose disciplinary measures for violations of the program
What do we need to do?
- Companies must develop, implement and maintain a comprehensive written information security program (WISP) containing administrative, technical and physical safeguards for personal information that:
  - Ensure the security and confidentiality of personal information
  - Protect against any anticipated threats or hazards to the security or integrity of such information
  - Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud
Computer Systems Security (each element is required to the extent technically feasible):
- Secure user authentication protocols
- Secure access control measures
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly
- Reasonable monitoring of systems for unauthorized use of or access to personal information
- Encryption of all personal information stored on laptops or other portable devices
- Reasonably up-to-date firewall protection and operating system security patches for systems connected to the Internet
- Identifying where personal information is held, in both structured data (databases, spreadsheets) and unstructured data (documents, e-mail, file shares), so that the controls above can be scoped and verified
- Reasonably up-to-date versions of system security agent software, including malware protection and current patches and virus definitions
- Education and training of all employees on the proper use of the computer security system and the importance of personal information security
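Knowing where personal information lives is the one item on this list that is easy to get wrong by hand, because the regulation's definition is a combination (a name plus an identifier), not any single field. The scanner below is an added example, not part of the original page or of the regulation: it applies the CMR 17 definition to constructed sample records and flags a record only when a name-like token and at least one structurally valid identifier (an SSN that passes the SSA's structural rules, or a card number that passes the Luhn check) occur together. The name pattern, the sample records and the decision to omit driver's license numbers (whose format varies by state) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample records (no real people or accounts). Each string stands
# in for one row of a structured export or one paragraph of an unstructured file.
SAMPLE_RECORDS = [
    "Customer: Jane Doe, SSN 123-45-6789, opened 2009-03-04",
    "Order 5521 shipped to J. Smith, card 4111 1111 1111 1111 exp 12/11",
    "Invoice total 4111111111111112 for account review",      # fails Luhn: not a card number
    "Payroll batch id 000-12-3456 for Bob Jones",             # area 000: not a valid SSN
    "Meeting notes: discuss Q3 budget with finance team",     # no identifiers at all
]

# SSN in the 3-2-4 layout, dashes optional. The word boundaries stop it from
# matching inside a longer digit run such as a card number.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
# 13 to 19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Heuristic for "first name or first initial, then last name" (an assumption
# of this example; a production scanner would use a name dictionary or NLP).
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.) [A-Z][a-z]+\b")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: areas 000, 666 and 900-999 are never issued,
    and neither the group nor the serial may be all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_identifiers(text: str) -> list:
    """Return (kind, masked_value) for each identifier that passes its check."""
    found = []
    for m in SSN_RE.finditer(text):
        if ssn_structurally_valid(*m.groups()):
            found.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            found.append(("card", mask(m.group(0))))
    return found


def has_name(text: str) -> bool:
    return NAME_RE.search(text) is not None


@dataclass
class Finding:
    record_index: int
    identifiers: list   # list of (kind, masked_value)


def scan(records) -> list:
    """Flag a record only when the CMR 17 combination is present: a name plus
    at least one validated identifier. Either one alone is not personal information."""
    findings = []
    for i, text in enumerate(records):
        ids = find_identifiers(text)
        if ids and has_name(text):
            findings.append(Finding(i, ids))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"record {f.record_index}: {f.identifiers}")
```

Run as a script it flags only the first two sample records: the third has a digit string that fails the Luhn check, the fourth has a name next to an SSN with an unissued area number, and the fifth has no identifiers. In practice the same record loop would be pointed at database exports, file shares and mailbox archives, and every hit should be logged masked, as here, so the inventory itself does not become a new store of personal information.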
Note: Businesses that store or maintain electronic records and do not have in-house IT resources or regular access to an IT service provider will probably need to hire someone to provide these services, even if only on a one-time or part-time basis.