November 2008 / New Identity Theft Prevention Regulations in Mass.

There is a new regulation set to take effect in the state of Massachusetts early next year and chances are your business will be forced to comply with it. 2001 CMR 17.00, issued by the state Office of Consumer Affairs and Business Regulation, establishes a set of standards for how businesses store and protect the personal information of clients and employees. Since the regulation defines private information to include social security, driver’s license, and credit card numbers – almost every business in the state (as well as many outside of it) will be affected. In this month’s Tech Brief we’ll discuss the details of 2001 CMR 17.00 and give you insight into what it will take to make your business compliant.

Legislation Overview

Between August 2007 and August 2008 the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) received almost 320 reports of identity theft incidents which combined have threatened to compromise the personal information of 625,365 state residents. 60% of the cases involved criminal and/or unauthorized acts with a high frequency of laptops or hard drives being stolen. The remainder of the incidents resulted from employee error or poor internal handling of sensitive information. A shocking 75% of the cases involved data that was not encrypted or password protected.

Facing such staggering statistics, the OCABR created 2001 CMR 17.00 as a set of minimum standards businesses must meet in order to protect personal information contained in both paper and electronic records. A deadline of January 1, 2010 has been set for all businesses affected by the resolution to become compliant. (note: the original deadline was January 1, 2009, then moved to May 1, 2009 but the OCABR has extended the deadline to allow more flexibility to business who may be affected by the current economic situation)

According to 2001 CMR 17.00, companies that possess personal information on residents of Massachusetts must:

• Create a Written Information Security Plan which all employees must sign.
• Amend employment contracts to comply with the plan.
• Designate certain employees to have access to personal information.
• Monitor electronic systems against attack. If there is a breach there must be an alert and a written response plan in place for how to deal with the situation.
• Force users who have access to personal information to change their passwords regularly.
• Block users who make multiple unsuccessful attempts to access personal information.
• Have firewall and anti-virus protection in place and up-to-date.
• Encrypt all wireless data as well as personal information traveling over public networks.
• Encrypt personal information sent via email.
• Encrypt any laptop, removable drive, or portable equipment that has personal information.

For the full text of 2001 CMR 17.00 please visit the OCABR's Website.

Who is Affected?

The provisions of this regulation apply to all persons that own, license, store, or maintain personal information about a resident of Massachusetts. Personal information, according to the regulation, is defined as:

A resident’s first name and last name, or first initial and last name, along with one of the following elements:

• Social Security number
• Driver’s license or resident ID
• Financial account, credit or debit account with or without security code or personal identification code.

It should be noted that personal information which is publicly available is exempt, and that this regulation applies to businesses located both in, and outside of Massachusetts.

Taking Action

The regulation states that companies must have a Written Information Security Plan in place which has to be created internally. Although there are aspects which can only be done in-house, outside consultants can be hired to assist with the plan.

OCABR has created a checklist to aid businesses in determining if they are compliant. This checklist can be found here in pdf format: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf

2001 CMR 17.00 will force all businesses to review the current state of their network, and in many cases changes will need to be made. Thrive has created the checklist below to address the technical aspects of the regulation. We can work with you to make sure that your company is compliant with all these requirements:

Media and Device Security:

• Is all backup and offsite media encrypted and password protected?
• Is protected information stored on laptops & USB keys?
• Are these devices encrypted and password protected?
• Is protected information stored on Handheld Devices? Is there a management server with remote wipe and password policy capabilities in place?

Email Security:

• Is protected information transferred via email or any other internet related services?
• If so, is this data encrypted?

Network Security:

• If there is a wireless network, is it encrypted?
• Is there a VPN in place? Is RADIUS and Logging enabled?
• Is the firewall supported and up-to-date with the latest firmware and security enhancements?
• Is the firewall or any remote access system configured for logging?

Active Directory:

• Is auditing of object access and logon events enabled?
• Is there a strong password and account blocking policy in place?
• Is Active Directory cleaned of old and unused user/computer accounts?

Closing Thoughts

January 1, 2010 will soon be here and 2001 CMR 17.00 will be something that companies around the country who do business with Massachusetts residents will need to be compliant with. While it’s true that not all companies will be affected by the regulation, it is certainly good practical data management for any business to adhere to. If you have any questions about preparing your network for 2001 CMR 17.00 or compiling your Written Information Security Plan, please contact Thrive. We’ve been working with our clients to make sure they’re ready for this regulation, and we can help you prepare as well.