Massachusetts 201 CMR 17.00 Might Apply To You Too!

March 4th, 2010

Massachusetts 201 CMR 17.00 defines specific types of personal data that must be properly secured in your environment. That may seem easy until you start looking at where this data lives and how it moves through your organization. The law comes with a 3-page checklist covering the kinds of things you need to be concerned about, including items such as:

  • Up-to-date antivirus and anti-malware software
  • Password-protected screen savers on your computers
  • Secure backups
  • Encryption of drives that store personal information
  • Security policies for locking down your firewall
  • A written policy, signed by all of your employees, stating that they will handle personal information in a secure manner

While it may seem daunting at first, the worst thing you can do is nothing. Regulators only examine an organization after a data security breach happens, but when they do, the penalties are enormous. They can fine an organization up to $5,000 per incident, and an incident is defined as a single person's data being compromised. If you lose a list of 100 people's data, the fine can be up to $500,000. When determining the severity of the fine, they will look at the effort you made to secure the data. If you made a reasonable effort to be compliant, even if you were not 100% compliant, there is a better chance your penalties will be lower.
