Welcome to 201cmr17.com, a website designed to help you learn about the new Massachusetts data safety regulations.
This site is named for the official number of the regulations, which is 201 CMR 17.00. “CMR” stands for Code of Massachusetts Regulations, and 201 are the regulations issued by the state Office of Consumer Affairs. You can see some of the regulations issued by this Office at http://www.lawlib.state.ma.us/201cmr.html. When you look at this list, you can click on 201 CMR 17.00 to read all about these new regulations for data safety in Massachusetts.
Our site, 201cmr17.com, is sponsored by Computer Care and Learning, a Boston-based computer helping company (you can read about us at http://www.computerCareAndLearning.com.) Material on this site is not endorsed by the Office of Consumer Affairs, although we hope they will appreciate our efforts here and find the site helpful in their outreach work.
Legal disclaimer: Our goal is to help you comply with the Massachusetts data privacy regulations (201 CMR 17.00). Since these regulations have legal and computer implications, we strongly recommend you consult with your attorney and your computer helpers, as you strive to comply with these rules. The suggestions and other information in this site are not intended to replace the advice of your attorney and computer professionals, and the information provided here is presented “as is”, and no warranty is made as to fitness to your situation.
Massachusetts since its founding has many times been at the forefront of progressive change. People from Massachusetts played a major role in initiating and succeeding in the break from Great Britain and the founding of a representative democracy. The state was home to important leaders of the abolition movement, and more recently was the first state to recognize that same-sex couples have the right to full protection of the law. (Neil Savage’s book, Extraordinary Tenure, explores some of the reasons for Massachusetts’s leadership role in the nation’s history).
Very much in that tradition, this year Massachusetts issued the most advanced data safety rules in the country. Partly due to the growing global problem of identity theft, and partly due to a major information breach at a local company, the state has developed rules to help protect sensitive information from being misused.
The state used the term “Personal Information” to define the information we must protect. If your organization stores social security numbers, drivers license numbers, or credit card or other financial account numbers, you must develop strong systems to protect this information, and you must have a written security plan which you check regularly to make sure the plan is being carried out well. You must appoint someone on your staff to be responsible for carrying out the plan, and the plan must include staff training in the security procedures.
You also have to make sure that if you share any of this information with vendors or business partners, they must be in full compliance with the rules.
Virtually all organizations in Massachusetts store these numbers. For example, if your organization has just one part-time employee, you must have her I-9 and W-4 form in your files permanently, and these forms have social security numbers on them. When you receive a check in payment from a customer, this check has the customer’s name and bank account number on it. If you are a landlord and you do a credit check on your tenants, you will have to store their social security numbers.
So the state is asking all organizations, from the smallest home office to the largest corporation, to develop strong data safety programs.
Our goal at this site is to help you do this in a sensible, economical way.
An Attitude Adjustment Moment
A number of people we’ve talked with about these new rules have complained about what a hassle they are, and how the last thing Massachusetts businesses need right now is an expensive and time-consuming new mandate from the state.
We want to urge you to view these regulations a little differently. The state is requiring you, your competitors, and everyone else to get their data safety act together. Yes this will take work and money, but the net effect should be to make your computer systems safer and better, and to protect you from the severe consequences of a serious data breach or loss. The state requires you to insure your car, workplace health, and to enforce safe building codes; now, late but better than never, the state is requiring us to make our information handling safe.
We think that if you pursue compliance in that spirit, you will value the process more, and see it as a welcome part of your business development. We’ll try to help you through the process with this in mind.
Helping your computer system grow up
The best way to comply with these regulations, in our view, is to take steps to make your system healthy and safe. You will then be compliant, but also can reap the benefits of having a strong, secure system.
At the beginning of War and Peace, Prince Vasili asks the famous Anna Pavlovna, friend of the empress, how she is feeling. She responds, How can a person be healthy when you are suffering so from nerves? Is it possible, in our time, to be peaceful? She is talking about her anxiety over the international political and military situation, the French revolution and the looming war with Austria.
Looking at our computer system, we might respond similarly. Strong? Secure? How can such thing be possible in our time? Even a computer running the best antivirus program can be hit by a virus that generates incessant popups and disables the antivirus program. With employee loyalty at an all-time low, the risk of embezzlement and internal data theft gets higher and higher.
Here is our basic approach to this anxiety-creating situation:
1. Regularly backup all your data, and keep some copies of the backup in the hands of trusted people outside the company.
2. Use industry-standard computer safety procedures.
3. Track all Personal Information and sensitive information as it enters the organization, is used by the organization, and is finally disposed of. Lock it up or encrypt it, giving keys only to people who need access.
4. Train and supervise your staff in your security procedures, from the moment they join the organization, to the moment they leave.
5. Create a library of how-tos to document, enforce, audit and prove your security policy.