March is the anniversary of the Massachusetts Data Security Law which went into effect March 1, 2010: 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. The anniversary is a good time to refresh your team about the requirements!
The goal of the law is to help prevent identity theft and we all have a role to help.
Here are the eight technology requirements included in this law:
1. Secure user authentication protocols including:
(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(iv) restricting access to active users and active user accounts only; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
Use of STRONG passwords is required (uppercase letters, lower case letter, numbers, and symbols) and NEVER put your password on a post-it by your monitor, or under your keyboard or anywhere else that's easily accessible!
2. Secure access control measures that:
(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
If an employee doesn't need access to personal information to do their job, make sure they can't get to it. This is very important if multiple users share a system.
3. To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted over a wireless network.
Do not email personal information. Instead use SSL transmission of data to secure web sites.
4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
Are logs routinely checked? There are several great tools to help you decipher server logs to get the information you need.
5. Encryption of all personal information stored on laptops or other portable devices;
Laptops MUST have encryption technology. Other portable devices such as flash drives must also be protected. Backup tapes (if used) must be encrypted.
6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
Do you know if your security patches and Antivirus definitions are up to date?
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Users often break basic rules for “convenience” so they can get their work done faster. Ongoing education is needed!
In your next team meeting, review these requirements and make sure everyone understands the importance of compliance. For more information, visit the Massachusetts Office of Consumer Affairs and Business Regulations web site. Give us a call if you'd like us to review your site security with you.