Wednesday, March 03, 2010

Massachusetts security and privacy law has teeth?

Following hot on the heels of the new HIPAA HITECH Act, the new Massachusetts regulation for data security and information privacy came into effect at the start of this month. It has seen lots of activity from the software security vendors, as it gives them another opportunity to scare the dollars out of corporate wallets. The full regulation is 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH.

The document doesn't make a particularly exciting read, although it is not that hard to get through the barely 4 pages of content. The striking thing when reading the document is how familiar all this stuff sounds. Most likely drawing from several sources, such as California Senate Bill No. 1386 ("SB 1386") for protection of personal information and privacy, and PCI Data Security Standard (PCI DSS) produced by the credit card companies, Massachusetts has pulled together a regulation into one place that at least starts to give companies no excuse not to protect the personal information of customers, partners and employees.

In my non-professional opinion, this is likely to become another checklist that sits in the binder of compliance self-certifications that companies annually review and update. I don't see much that the CIO of a company that already prides itself on protecting customer information would worry about. At the same time, if you were already losing sleep over the fact that your infrastructure is shaky and insecure, that your employees are not trained in their compliance obligations, that you don't have all your security policy documents up to date, maybe it is time to beat the insomnia and do something about it.

A post from the Improving It blog
