Does your business receive, store, maintain, process or otherwise have access to personal information (e.g., generally defined as a Massachusetts resident’s name (first name or first initial and last name) in combination with his/her social security number, driver’s license, state ID card number, passport number, or financial account or credit/debit card number that would permit access to the resident’s financial accounts.) in connection with the provision of goods or services OR in connection with employment? If yes, you must develop, implement, maintain and monitor a comprehensive written information security program (“WISP”) applicable to that information. Your WISP must contain administrative, technical and physical safeguards that are appropriate to (i) the size, scope and type of your business; (ii) the amount of resources available to you; (iii) the amount of stored (electronic or paper based) data; and (iv) the need for security and confidentiality of both consumer and employee information. The WISP safeguards must be consistent with safeguards for protection of personal information and information of a similar character set forth in any state or federal regulation by which you may be regulated (e.g., Health Insurance Portability Protection Act (“HIPPA”), Gramm Leach Bliley Act (“GLB”), Payment Card Industry Standards (“PCI”), etc.).
What steps should I undertake to develop a WISP?
The Massachusetts Office of Consumer Affairs and Business Regulation (the “Office”) issued regulations that require you to perform the following. Note that the following can be used effectively as your guide towards compliance.
(a) Designate one or more employees to maintain the WISP;
(b) Catalogue all of the personal information you collect and where it is;
(c) Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
- ongoing employee (including temporary and contract employee) training;
- employee compliance with policies and procedures; and
- means for detecting and preventing security system failures.
(d) Develop security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
(e) Impose disciplinary measures for violations of the comprehensive information security program rules.
(f) Prevent terminated employees from accessing records containing personal information.
(g) Oversee service providers, by:
- Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
- Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.
(h) Implement reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
(i) Implement regular monitoring to ensure that the comprehensive WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
(j) Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
(k) Document responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
The Office also has specific computer system security requirements. Your WISP must cover computers, including any wireless system, which, at a minimum, and to the extent technically feasible, shall have the following elements:
- Secure user authentication protocols including:
- control of user IDs and other identifiers;
- a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- restricting access to active users and active user accounts only; and
- blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
- Secure access control measures that:
- restrict access to records and files containing personal information to those who need such information to perform their job duties; and
- assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
- Reasonable monitoring of systems, for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices;
- For files containing personal information on a system that is connected to the Internet there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
The Office of Consumer Affairs and Business Regulation also published “A Small Business Guide; Formulating a Comprehensive Written Information Security Program”. This is a great template to use as you progress towards compliance.