Guidance for business’ implementation of M.G.L. 93H can be found in 201 CMR 17.00, and creates an affirmative duty to every person that “owns, stores or maintains personal information about a resident of the Commonwealth” to “develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing . . . personal information.” In determining whether such comprehensive security program complies with M.G.L. 93H and accompanying 201 CMR 17.00, a court will consider:
(a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
(b) the amount of resources available to such person;
(c) the amount of stored data;
(d) the need for security and confidentiality of both consumer and employee information.
Any business must have a written information security program (“WISP”) that establishes security policies for the firm’s computers and wireless system, and all personal information contained therein. All personal information stored on laptops or “other portable devices” must be encrypted. All records and files, including emails, containing personal information that is transmitted across public networks or wirelessly must be encrypted “[t]o the extent technically feasible.” The written security program must include plans for systems monitoring for unauthorized use, up-to-date firewall protection, and up-to-date system security software that is set up to receive regular security updates.
Authentication protocols must include a “reasonably secure method of assigning and selecting passwords.” 201 CMR 17.04(1)(b). Assigning random complex passwords to clients would be a preferable defensive strategy. Such passwords must be controlled “in a location and/or format that does not compromise the security of the data they protect.”
With that in mind, businesses should develop a policy which includes:
(a) Encryption of all emails that contain personal information.
(b) Encryption of all personal information stored on portable devices
(c) Installation of system security agent software that is set up to receive security updates
(d) Maintenance of firewall protection for all files on a system connected to the internet.
(e) Implement a termination/Disciplinary policy for misuse of personal information.
(f) Education/Training of employees on proper use of computer security system and importance of personal information security.
Attorney Trask of Kelsey & Trask, P.C. was a cryptologic materials manager in the U.S. Marines, and has experience planning and implementing encrypted communications (voice and data) networks. If you have any questions regarding M.G.L. 93H, contact us at (508) 655-5980 or click here.