Wednesday, August 18, 2010

Incident Response Requirement of Massachusetts's Data Protection Law

Summarizing points from the presentation of John Moynihan on the Massachusetts law, focusing on incident response -
The Massachusetts law, 201 CMR 17, is effective from March 1, 2010. It applies to any entity collecting "personal information (PI)" of Massachusetts residents. To comply with it, all entities processing Massachusetts residents' personal information must have preventive measures in place. The law imposes severe penalties for violations. It requires an incident response plan, applies to the handling of both employee and customer records, and addresses internal threats to employee and vendor data.

There are administrative, technical and physical requirements to comply with the law.
Organizations meet the administrative requirements by assessing internal and external risk, maintaining a written information security program, and developing policies to protect PI. This is supported by ongoing employee training, an incident response plan, formal disciplinary standards, and controls over third parties.

Adherence to the technical requirements means that PI must be encrypted, virus protection and firewalls must be kept up to date, password protection controls must be in place, and accounts must be disabled after repeated failed logon attempts. This is supported by monitoring to detect unauthorized access, patch management, and access controls.

Adherence to the physical requirements means restricting physical access to PI and monitoring the areas housing it; these requirements apply to both electronic and paper records.

It is evident from these requirements that an incident response plan is essential. Response must be organized in a timely and efficient manner, with engagement from independent participants. Organizations should adapt to change and evolve toward a proactive approach to data protection.