The Massachusetts Data Protection Law (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth) went into effect over five years ago, on March 1, 2010. The goal of the law is to help prevent identity theft. It applies to every business and non-profit that holds personal information about any Massachusetts resident, meaning a first name or initial and last name in combination with a bank account number, credit card number, social security number, etc.
Security breaches are in the news just about daily, and the threats are only getting more sophisticated. Data security is an ongoing process, and the anniversary of the law is a good time to review the requirements. What many people don’t know is that even the smallest businesses and organizations need to follow these rules. Ongoing training is also required by the MA Data Security law, as well as by other industry-specific security regulations such as HIPAA (Health Insurance Portability and Accountability Act).
Here are the eight technology requirements included in this law:
1. Secure user authentication protocols including control of User IDs and passwords, and blocking access after multiple failed attempts: Use of “strong” passwords is required (uppercase letters, lowercase letters, numbers, and symbols), and never put your password on a post-it by your monitor, under your keyboard, or anywhere else that's easily accessible! Vendor-supplied default passwords should never be used, and if your password is 123456, this is the most popular password in the world and you should change it immediately!
2. Secure access control measures that restrict access to records and files containing personal information to those who need the information to perform their jobs: If multiple employees use the same computer, it's important to make sure that protected information can only be accessed by the employees who need that information to do their jobs.
3. To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted over a wireless network: Typically, when you connect to a bank or payroll company, the connection is encrypted with “SSL” and you’ll see https:// before the web site name. NEVER email protected personal information unless you have the capability to encrypt the email. Many people don’t realize that sending an email is the equivalent of sending a postcard by regular mail instead of using a sealed envelope: the contents of the message can be read along the way.
4. Reasonable monitoring of systems, for unauthorized use of or access to personal information: Many applications report on access logs and system logs can also be checked. Check to see what’s possible with your systems.
5. Encryption of all personal information stored on laptops or other portable devices: Laptops must be encrypted if they contain protected information. Other portable devices such as USB hard drives and flash drives also need to be encrypted. The Windows Password you use to log into your laptop is just a password and doesn’t meet the encryption standard.
6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information: Every month Microsoft releases security patches on “Patch Tuesday,” and these need to be applied by law. In addition, about half of threats are related to other applications like Adobe Flash, etc., so don’t forget these vendor-supplied updates as well.
7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis: Do you know if every computer in your office has up-to-date antivirus protection? New threats are circulating daily, so it's not enough to just install software and assume it's running properly. It needs to be monitored.
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security: Users often unknowingly break basic rules for “convenience” so they can get their work done faster.
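To make requirements 1 and 4 concrete, here is a small added example (not part of the law or of this article) that checks a password against the four character classes listed above and scans a constructed authentication log for accounts that should be locked after repeated failed attempts. The log format, the five-failures-in-fifteen-minutes threshold and the 12-character minimum length are assumptions for the example; the law itself does not specify them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:07 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:12 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:15 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:20 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:25 user=alice result=OK src=10.0.0.5
2024-03-01T09:05:00 user=bob result=FAIL src=10.0.0.9
2024-03-01T09:30:00 user=bob result=OK src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(OK|FAIL) src=(\S+)$")

MAX_FAILURES = 5              # assumed lockout threshold
WINDOW = timedelta(minutes=15)  # assumed window for counting failures

def parse_log(text):
    """Turn log lines into (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, user, result, src = m.groups()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events

def find_lockouts(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: time of the failure that should have triggered a lockout}.
    A successful login resets the failure counter for that user."""
    recent = defaultdict(list)  # user -> timestamps of failures inside the window
    locked = {}
    for ts, user, result, _src in sorted(events):
        if result == "OK":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= max_failures and user not in locked:
            locked[user] = ts
    return locked

def password_is_strong(pw, min_len=12):
    """Require the four character classes the article lists plus an assumed minimum length."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)
```

In the sample log, alice's fifth failure at 09:00:20 is followed by a successful login five seconds later, which is exactly the kind of event the monitoring requirement is meant to surface.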
So much about how we do business revolves around technology, and our daily actions can help keep our data more secure. Is your data secure? Are you protecting your customers and your employees? Are you protecting your business? Be sure to review security on a regular basis.