Please visit www.201cmr17.com and then comment here. I hope computer professionals and other interested people will contribute their ideas and approaches.
I’m hoping computer professionals and other interested people will contribute their ideas and practices to this blog.
I’m very pleased to announce our new website, http://www.MassDataSafety.com (also called http://www.201CMR17.com).
This is our attempt to introduce you to the new Mass. data protection regulations, and to make some practical suggestions about how to follow them in a fruitful and healthy way.
This is very much a work in progress, and I would very much appreciate your suggestions and questions. Please post them to this blog so that everyone can hear what you have to say.
Adam, thanks for putting together such a good resource list about complying with the new regulations.
I want to try out some of the products you mention that I am unfamiliar with. I also want to mention a couple you don’t include. As far as on-line backups, I have used and recommended both Carbonite and Mozy. Both have consumer products for unlimited back-up at $50 a year.
While they use encrypted connections, they count on you to trust these vendors. They do not comply with Adam’s recommendation to encrypt everything yourself first and then post it off site. That said, the advantage of having all data backed up continuously, without intervention, seems hard to beat. Mozy has a pro version that will back up server data, and also a beta Mac version.
I also want to put in a plug for higher-grade password protection. Software like RoboForm will automatically generate strong passwords for a site and then preserve them in a convenient format. Password Safe is an open source cross-platform variant. I have written about this on my blog dbdes.com/blog/steve but am too lazy to find the reference now.
WHAT, ME CYNICAL?
Adam’s web site offers useful tips and suggestions. It doesn’t really deal with the policy issues beyond saying that tight security is a good thing and we should appreciate the kick in the butt. For me, this falls into the category, long familiar in Mass. politics, of an unfunded mandate. The costs to comply will probably grow geometrically with the size of the business or nonprofit. There has been little preparation or public information about it. My guess is that, as usual, only lawyers will truly benefit. Few people will find sites like Adam’s, few will comply, things will go on as before, but litigants will have new tools in their arsenals to use.
Hey Adam,
What great work you have put into this. This is good info that folks are going to need in order to be compliant with this new law.
Many thanks,
Denis
We’re an IT company that had a lot of clients asking us about 201 CMR 17 — we paid some lawyers to help us write a really good WISP template, and put together our own list of suggestions for small business encryption products, laptop encryption, etc. Right now we are charging for the WISP template as a kit, but we are seriously considering giving it away for free…
Your site is a great resource!
Adam,
Great site for helping small businesses get some sort of program together. I believe 201 CMR 17 is the exact law which will put a significant dent in the Massachusetts identity theft crisis. Here’s my two cents to help your followers with their computer systems risk assessment. As a consultant to larger businesses in regards to 201 CMR 17 and FACTA Red Flags, you may want to check out our other site: http://www.WhoComplys.org. If you’re a business owner who meets all your compliance requirements, we want to hear from you.
Compliance with 201 CMR 17 doesn’t have to be difficult or complex; it requires a plan of attack and a little bit of knowledge or training to accomplish your goals. Below are my procedures to help you begin the development of the Computer Systems Security portion of your Written Information Security Program (WISP). It starts with the Risk Assessment survey. You should start the process by asking some simple questions.

Physically: where is the data kept and how do you protect it from unauthorized access? If it’s on paper or media like a CD or tapes, how do you keep track of who has access to it during normal daily operations? How and where do you store it when it’s not in use? How do you decide who has/needs access to it and who doesn’t need access to it? How do you destroy it when it’s no longer needed? Are your team members given security awareness training so they are aware of the threats to your business? Do you check your trash to make sure that protected data is not mistakenly discarded?

Logically: if you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying what sensitive information you have, where you have it, and how you plan to protect it. If the data is on a desktop or network, what protective measures are in place? Do you use a firewall and antivirus protections? What are your policies on patches and hot fixes that the hardware and software manufacturers recommend for known vulnerabilities? Do you have a password policy? Is the physical security of the spaces containing ADP adequate? How often do you read your logs, or audit who has been accessing the protected data and how they are using it?

After you complete all the tasks above, you have just completed your ADP risk assessment! Now you implement the procedures necessary for identified risks based on industry best standards.

* Document as a policy the procedures for how staff members are to utilize ADP in their day-to-day operations.
* Train your staff on the procedures established and what’s expected of them; don’t forget to have them sign an acknowledgement of understanding, which includes disciplinary actions for failure to adhere to the requirements of the policy.

Congratulations! You have just created one portion of your Written Information Security Program (WISP). Bottom line is: if you don’t ask questions on how the protection process works, can you have any confidence that your business will survive even if it is never audited? The law just requires that you take common sense steps to protect the information that your customers have entrusted to you. By properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations and storage of unnecessary PI, which helps to protect your business. If some, none, or all of this makes no sense to some of you reading it, and you’d like to learn more on simplifying the compliance process, visit our website at http://www.TCIPP.com. I hope this helps you get on the right road to compliance!

Regards,
Tom Considine, CIPP
Tom Considine & Associates
Information Privacy Professionals
Great site. Could you please revise to update the new deadline:
Massachusetts ID Theft Regulation Revised: Deadline Extended to March 1, 2010 and Compliance Obligations Updated
http://www.hklaw.com/id24660/PublicationId2727/ReturnId31/contentid54375/
Thanks,
Mark