It is sometimes overwhelming for businesses to map out an effective and protective personal information security program. However, now more than ever, the protection of digital personal information must be prioritized for compliance, ethical, reputational, and monetary reasons. Businesses facing unauthorized access to inadequately protected systems containing personal information have suffered harsh consequences, including high ransom payments, costly legal fees, loss of brand reputation and consumer loyalty, and the list goes on. The question then arises: which measures should be implemented, and will they be enough? US persons or businesses owning or licensing personal information may find that the Massachusetts Office of Consumer Affairs and Business Regulation’s detailed comprehensive information security (“Infosec”) program requirements provide a useful roadmap for securing their personal information and systems.

Massachusetts’ Office of Consumer Affairs and Business Regulation is the regulatory agency that governs the protection of the personal information of Massachusetts residents, and it has implemented standards for safeguarding such personal information (201 CMR 17.03, the “Standards”). Massachusetts requires that any person or business owning or licensing such personal information implement these minimum Standards as part of a comprehensive Infosec program. However, Massachusetts recognizes that Infosec programs cannot be one-size-fits-all, and therefore only requires implementing these minimum Standards as part of an Infosec program appropriate to the size, scope and type of the business.
Some US states require certain administrative safeguards, such as New York (the Stop Hacks and Improve Electronic Data Security Act (Senate Bill S5575B), amending 899-BB of the NY General Business Law); however, the Standards set forth with striking specificity both the administrative and the technical measures that should be included in Infosec programs protecting the personal information of Massachusetts residents.

The Standards’ administrative safeguards include the following:

  • designating an employee to maintain the Infosec program
  • conducting internal and external risk assessments of the security of all systems containing personal information, covering employee training and compliance with policies and procedures, as well as the means for detecting and preventing security failures in those systems
  • developing policies for the internal storage, access and transportation of personal information outside of the business premises
  • ensuring compliance with the Infosec program by imposing consequences for any violation
  • restricting access to records containing personal information, including preventing terminated employees from accessing such records and limiting internal access to what is reasonable
  • ensuring third-party service providers protect personal information by conducting reasonable due diligence in selecting such providers, and requiring by contract that they implement and maintain appropriate information security measures
  • monitoring the systems to ensure effective security operation and upgrading/patching as necessary to limit risk
  • reviewing the Infosec program at least annually or if there is a material change affecting the integrity of the Infosec program or any of its systems containing personal information
  • documenting and reviewing responsive actions taken in connection with any breach of security and making corrective actions as necessary

The Standards’ technical safeguards include the following:

  • securing user authentication protocols, including:
      ◦ controlling user IDs, passwords, and biometrics, including the protocols used and the secure storage location
      ◦ restricting access to only active user accounts
      ◦ blocking access to logins after multiple unsuccessful access attempts
  • implementing a need-to-access limitation on access to records and files containing personal information
  • assigning unique IDs and passwords to replace vendor-supplied default passwords
  • encrypting transmitted personal information travelling across public networks, or travelling wirelessly
  • monitoring systems for unauthorized access or use
  • encrypting all personal information stored on portable devices
  • implementing up-to-date firewall protection and security patches for systems containing personal information that are connected to the internet
  • implementing up-to-date malware protection
  • training employees on the use of computer security systems and the importance of safeguarding personal information.
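Several of the authentication and access-control safeguards above have a direct counterpart in code. The following is an added example written for this page; it is not part of the article and not a reference implementation published with 201 CMR 17. It shows one way a login gate can enforce active-accounts-only access, lockout after repeated failed attempts, rejection of vendor-style default passwords, salted password hashing instead of plaintext storage, a need-to-access check on records, and an audit trail that a monitoring process can consume. The class and function names (`AuthGate`, `hash_password`, `can_access_records`), the thresholds, the default-password list and the sample accounts are all constructed assumptions for illustration.

```python
"""Added example (not from the article or the Massachusetts Standards).

Demonstrates, in one small authentication gate:
  - only active accounts may log in
  - lockout after MAX_FAILED_ATTEMPTS unsuccessful attempts
  - refusal of vendor-style default passwords at account creation
  - salted PBKDF2 storage of passwords (never plaintext)
  - need-to-access check before records are released
  - an audit log that feeds monitoring for unauthorized access
All names, thresholds and accounts here are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 5          # constructed threshold
LOCKOUT_SECONDS = 15 * 60        # constructed lockout window
PBKDF2_ITERATIONS = 200_000      # kept modest so the example runs quickly; raise for production
# Constructed list of vendor-style defaults that must never be accepted.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234", "default"}
# Fixed salt used only to keep the timing of "unknown user" rejections
# similar to a real password check (reduces username enumeration by timing).
_DUMMY_SALT = os.urandom(16)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    active: bool = True
    roles: Set[str] = field(default_factory=set)   # roles that grant need-to-access
    failed_attempts: int = 0
    locked_until: float = 0.0                      # epoch seconds; 0 means not locked


class AuthGate:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[dict] = []             # consumed by monitoring, not by users
        self.now = now                              # injectable clock for testing

    def _log(self, event: str, user_id: str, outcome: str) -> None:
        self.audit_log.append({"ts": self.now(), "event": event, "user": user_id, "outcome": outcome})

    def add_account(self, user_id: str, password: str, roles=(), active: bool = True) -> None:
        # Unique ID per user; vendor-style default passwords are refused outright.
        if password.lower() in DEFAULT_PASSWORDS:
            raise ValueError("default passwords are not permitted")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest, active, set(roles))

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            hash_password(password, _DUMMY_SALT)    # uniform timing; result discarded
            self._log("login", user_id, "denied_inactive_or_unknown")
            return False
        if acct.locked_until > self.now():
            self._log("login", user_id, "denied_locked")
            return False
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            self._log("login", user_id, "success")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self._log("lockout", user_id, "locked")   # a monitoring-worthy event
        else:
            self._log("login", user_id, "failed")
        return False

    def can_access_records(self, user_id: str, required_role: str) -> bool:
        """Need-to-access check: active account holding the role that covers these records."""
        acct = self.accounts.get(user_id)
        allowed = acct is not None and acct.active and required_role in acct.roles
        self._log("record_access", user_id, "allowed" if allowed else "denied")
        return allowed

    def lockouts(self) -> List[dict]:
        """Audit entries a monitoring job would alert on."""
        return [e for e in self.audit_log if e["event"] == "lockout"]
```

The injectable clock lets the lockout window be exercised without waiting; in a deployment the audit entries would be shipped to the log pipeline that the "monitoring of systems for unauthorized access" safeguard calls for, with repeated `lockout` events from one source being a natural alert condition.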