Code of Massachusetts Regulations
201 CMR - OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION
Title 201 CMR 17.00 - Standards For The Protection Of Personal Information Of Residents Of The Commonwealth
Section 17.03 - Duty to Protect and Standards for Protecting Personal Information
Universal Citation: 201 MA Code of Regs 201.17
Current through Register 1531, September 27, 2024
(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:
(a) the size, scope and type of business of
the person obligated to safeguard the personal information under such
comprehensive information security program;
(b) the amount of resources available to such
person;
(c) the amount of stored
data; and
(d) the need for security
and confidentiality of both consumer and employee information. The safeguards
contained in such program must be consistent with the safeguards for protection
of personal information and information of a similar character set forth in any
state or federal regulations by which the person who owns or licenses such
information may be regulated.
(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:
(a) Designating one
or more employees to maintain the comprehensive information security
program;
(b) Identifying and
assessing reasonably foreseeable internal and external risks to the security,
confidentiality, and/or integrity of any electronic, paper or other records
containing personal information, and evaluating and improving, where necessary,
the effectiveness of the current safeguards for limiting such risks, including
but not limited to:
1. ongoing employee
(including temporary and contract employee) training;
2. employee compliance with policies and
procedures; and
3. means for
detecting and preventing security system failures.
(c) Developing security policies for
employees relating to the storage, access and transportation of records
containing personal information outside of business premises.
(d) Imposing disciplinary measures for
violations of the comprehensive information security program rules.
(e) Preventing terminated employees from
accessing records containing personal information.
(f) Oversee service providers, by:
1. Taking reasonable steps to select and
retain third-party service providers that are capable of maintaining
appropriate security measures to protect such personal information consistent
with
201 CMR 17.00 and any
applicable federal regulations; and
2. Requiring such third-party service
providers by contract to implement and maintain such appropriate security
measures for personal information; provided, however, that until March 1, 2012,
a contract a person has entered into with a third party service provider to
perform services for said person or functions on said person's behalf satisfies
the provisions of 201 CMR 17.03(2)(f)2. even if the contract does not include a
requirement that the third party service provider maintain such appropriate
safeguards, as long as said person entered into the contract no later than
March 1, 2010.
(g)
Reasonable restrictions upon physical access to records containing personal
information, and storage of such records and data in locked facilities, storage
areas or containers.
(h) Regular
monitoring to ensure that the comprehensive information security program is
operating in a manner reasonably calculated to prevent unauthorized access to
or unauthorized use of personal information; and upgrading information
safeguards as necessary to limit risks.
(i) Reviewing the scope of the security
measures at least annually or whenever there is a material change in business
practices that may reasonably implicate the security or integrity of records
containing personal information.
(j) Documenting responsive actions taken in
connection with any incident involving a breach of security, and mandatory
post-incident review of events and actions taken, if any, to make changes in
business practices relating to protection of personal information.
Disclaimer: These regulations may not be the most recent version. Massachusetts may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.