THE REGULATION
The regulation (201 CMR 17.00) applies to all employers (size, in this case, does not matter) who “own, license, store or maintain personal information about a resident” of Massachusetts. We have tracked the evolution of this new mandate closely to help you achieve compliance and avoid civil penalties for claims and damages.

CAN YOU MAKE THIS PAINLESS?
Yes, we have developed a comprehensive compliance program that includes a compliance audit and the preparation of a written information security plan. We have worked in tandem with IT specialist SMH Electronics to ensure that your electronic systems comply with the new encryption requirements.

COMPLIANCE
Employers must have an information security program in writing by March 1, 2010. The plan must:

• detail measures adopted to safeguard information;
• designate at least one person to manage the security program;
• impose disciplinary measures for violations of the program;
• prevent terminated employees from accessing information;
• limit the amount of, time retained, and access to personal information;
• monitor security to prevent unauthorized use;
• document all incidents involving breach and all corrective actions taken as a result.
• implement user ID and password protocols;
• restrict access to electronically stored information to essential personnel for necessary business purposes only;
• monitor the electronic records for unauthorized access and security risks;
• upgrade safeguards and protection (firewalls, encryption software) as needed.