5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 3/5. It’s a tech thing.

Continuing on with my series to clarify misunderstandings with the upcoming data security law, we come to part 3.

If you haven’t read part 1 and part 2, I encourage you to look them over first.

The common perception of this law is that it is in the “tech” realm, that responsibility for compliance falls to the computer fixer or network technician who can follow a checklist, install a new box, and be magically in compliance.

As with any initiative, handling data protection in this way usually doesn’t end well.

This is a problem that must be solved in the entire organization. The directive to hold ourselves accountable must start at the top and filter down through the organization.

The review of “where information is used and stored” but be done top-to-bottom.

We need HR input to define and clarify the policies, which include monitoring and disciplinary actions. Using templates can be a head start but it should be obvious that you are responsible for the content of your employee handbook. Copying someone’s free, web-based template may contain language that leaves loopholes or will get you sued when you need to enforce it.

We need management to make the goals clear and convince the office staff that it’s very important that the file cabinets are locked and procedures are followed.

And yes, we do need tech people to make sure that the firewalls are in place and configured properly; mobile devices are encrypted; systems have appropriate passwords, monitoring, and protection.

Maybe your tech person will be the first to bring up the subject. Maybe your tech person will lead your compliance initiative.

But remember that this is a business problem, not a tech problem.

Post a comment or leave a trackback: Trackback URL.


  • James Warren  On January 8, 2010 at 10:02 am

    I have read all three of your posts about the Mass. Data Protection Law and you provide some good, clear information that makes it easy for people to digest. Would you be interesten in writing a post on our blog (http://blog.itgovernance.co.uk)?

    We have developed a documentation toolkit that help organizations comply with this law and need to reach as many organization in Massachusettes as possible.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: