Massachusetts Data Protection Law

201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts will require businesses which own, license, store or maintain personal information about a resident of the Commonwealth to follow comprehensive information security requirements. The goal is to safeguard personal information contained in both paper and electronic records. Any and all organizations with operations and/or customers in the state of Massachusetts must adhere to these standards by March 1, 2010.

In order to comply with the Computer System Security Requirements of this new Massachusetts Data Protection law, organizations must:

  • Control passwords to ensure they are kept in a location and/or format which will not compromise the security of the data they protect
  • Encrypt all personal information stored on laptops or other portable devices
  • Ensure reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the personal information
  • Ensure up-to-date versions of system security agent software, which must include malware protection and up-to-date patches and virus definitions

Overview

Lumension’s Security Management Solutions Ensure Protection of Personal Information

Lumension’s security management software addresses 201 CMR 17.00 compliance challenges, protects personal information and improves operational efficiencies. These solutions include:

  • Lumension® Patch And Remediation - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
  • Lumension® Scan - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
  • Lumension® Security Configuration Management - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
  • Lumension® Content Wizard - Create custom remediation packages to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more.
  • Lumension® Enterprise Reporting - Robust data warehouse that enables easy creation and sharing of reports on all aspects of your remediation efforts in support of policy compliance.
  • Lumension® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
  • Lumension® Device Control - Policy-based enforcement of FIPS 140-2 Level 2 validated encryption of data being moved onto removable devices (such as USB Flash Drives) or media (such as CDs / DVDs) from your endpoints.

Lumension solutions can help protect against targeted attacks, prevent data loss or theft, enforce security policies, prepare organizations for compliance audits, and lower the cost of IT security.

The Cost of Non-Compliance

The new Massachusetts data security laws are stricter than past regulations and those of other states, which only required businesses to notify people when personal information was lost. The provisions of this new law are subject to enforcement via Massachusetts General Law (MGL) chapter 93A, section 4, which provides for a civil penalty of $5,000 for each violation, and may require that violators pay the “reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees.” In addition, the new law establishes a standard that plaintiffs in civil suits can use to argue that a business that lost data was negligent.