5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 4/5. I’m OK.

Welcome to my continuing series about the Massachusetts data protection law 201 CMR 17.00. At this time the rules take effect on March 1, 2010. In discussions with my clients I have heard many of the same questions (or misstatements) many times.

If you’re just joining us, please take a few minutes and look over the first three entries in the series.

5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 1/5. Not Me!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 2/5. Not Me, really!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 3/5. It’s a tech thing!

Another good stop is Charland Technology’s Mass Data Protection Laws landing page.

To summarize, YES the law will apply to your business. For real, yes. We do not expect any further “push-back” of the enforcement date. And while technical safeguards are important to the protection of electronic records (i.e. stuff on your computer), there are many training, paper-records, and disciplinary matters that also need attention.

Today’s misconception:

I’m okay because my <accountant, tech guy, lawyer, uncle, brother-in-law, spiritual advisor> said so.

Answer: Maybe, maybe not. As a business owner or other person-in-charge you need to ensure this yourself, because you’re the one on the hook if there are problems.

How do I know if I’m compliant?

If you as a business have not taken steps to be compliant, then you are not.

There are three key steps to compliance:

  • You must name an Information Security Manager.
  • You must draft a Written Information Security Program.
  • You must implement and provide for ongoing maintenance, auditing, and follow-up of your WISP.

Got all three? Sounds like you’re good.

Missing something? There’s still time.

No idea what I’m talking about? You’re in trouble. Here’s an overview:

Information Security Manager: This should generally be an employee (office manager, owner) of your company rather than a contractor or consultant. The ISM is ultimately responsible for construction, startup, training, and auditing of your…

Written Information Security Program: The WISP is a document that describes WHAT personal information is collected by your organization, WHERE and HOW it is used and stored, WHO may access it HOW and WHEN, WHAT protections are in place against unauthorized access, HOW compliance is monitored and audited, and WHAT to do in the event of a problem. Most WISP documents are based on templates and samples, but it’s important to have this document reviewed by business ownership (C-level and corporate board), legal counsel, HR/personnel management, and IT/technical leads.

Implementation takes many forms and must be considered part of the WISP. Most of the heavy lifting is done during the development of the plan. By the time implementation comes around it’s a matter of executing the plan.

You need to train your people so they know that file cabinets must be kept locked, that computer files are saved in the right places, and that disciplinary action will result from failure to comply with the plan. Employees need to be told who is responsible for answering questions about the plan, and how to report any problems, failures, or possible exposure of protected information. Contractors and consultants need an addendum in writing stating that they will be held to the same standards and that all work done must be compliant with the law and the policy.

You need to set up the work environment with the right stuff. Make sure you have keys for the locking file cabinets, encryption configured on portable computers, antivirus and firewalls in place, and working shredders near printers and filing areas.

You must monitor and maintain the Plan. The WISP itself must be reviewed each year, or with any major changes in the business. Monitoring of computers and networks must be implemented. Office alarm systems need to be maintained and tested. Audits and spot-checks of the key parts of the plan must be scheduled, carried out, and documented.

This sounds like a lot. And a medium-sized business starting the process in February will find itself with a very busy Information Security Manager. But there is still time, and smaller companies should be able to come up to speed quickly.

But that’s another post for another day.
