201 CMR 17.00

From Forestlake_wiki
(New page: 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH Section: 17.01: Purpose and Scope 17.02: Definitions 17.03: Duty to Pr...)
 
 
Line 1: Line 1:
 
201 CMR 17.00:      STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH     
 
201 CMR 17.00:      STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH     
Section:
 
  
17.01:   Purpose and Scope
+
== Section:17.01  Purpose and Scope ==
17.02:  Definitions
+
17.03:  Duty to Protect and Standards for Protecting Personal Information
+
17.04:  Computer System Security Requirements
+
 
+
17.01  Purpose and Scope
+
  
 
(a)        Purpose
 
(a)        Purpose
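Review bot: the new heading `== Section:17.01  Purpose and Scope ==` is formatted differently from the other three headings this revision adds, which put a colon after the section number (`== Section:17.02:  Definitions ==`), and like them it has no space after `Section:` and a doubled space before the title. The plain-text line `17.01  Purpose and Scope` also still appears under the new heading, so the section title now shows twice. Suggest one consistent form for all four headings, e.g. `== 17.01: Purpose and Scope ==`, and dropping the duplicated plain-text title line.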
Line 17: Line 11:
 
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.  
 
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.  
  
17.02:  Definitions
+
== Section:17.02:  Definitions ==
  
 
The following words as used herein shall, unless the context requires otherwise, have the following meanings:
 
The following words as used herein shall, unless the context requires otherwise, have the following meanings:
Line 23: Line 17:
 
"Breach of security", the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and  the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.  A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
 
"Breach of security", the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and  the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.  A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
  
“Electronic,” relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
+
“Electronic,” relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
  
 
"Encrypted," transformation of data through the use of a 128-bit or higher algorithmic process, or other means or process approved by the office of consumer affairs and business regulation that is at least as secure as such algorithmic process, into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
 
"Encrypted," transformation of data through the use of a 128-bit or higher algorithmic process, or other means or process approved by the office of consumer affairs and business regulation that is at least as secure as such algorithmic process, into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
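Review bot: the inserted “Electronic,” definition uses curly quotation marks, while the adjacent "Breach of security" and "Encrypted" entries use straight quotes, so the definitions list now alternates between the two styles. Suggest straight quotes to match the entries on either side. Placing the entry between "Breach of security" and "Encrypted" does keep the list in alphabetical order.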
Line 33: Line 27:
 
“Record” or “Records,” any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
 
“Record” or “Records,” any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
  
17.03:  Duty to Protect and Standards for Protecting Personal Information
+
== Section:17.03:  Duty to Protect and Standards for Protecting Personal Information ==
  
 
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.  Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.  Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.     
 
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.  Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.  Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.     
Line 61: Line 55:
 
(k)        Documenting responsive actions taken in connection with any incident involving a breach of security or the potential therefor, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
 
(k)        Documenting responsive actions taken in connection with any incident involving a breach of security or the potential therefor, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
  
17.04:  Computer System Security Requirements
+
== Section:17.04:  Computer System Security Requirements ==
  
 
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
 
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
Line 91: Line 85:
 
(6)        For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches.  A firewall must, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.
 
(6)        For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches.  A firewall must, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.
  
(7)      The most current version of system security agent software which must include antispyware and antivirus software, including up-to-date  patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.
+
(7)      The most current version of system security agent software which must include antispyware and antivirus software, including up-to-date  patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.
  
 
(8)        Education and training of employees on the proper use of the computer security system and the importance of personal information security.
 
(8)        Education and training of employees on the proper use of the computer security system and the importance of personal information security.
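Review bot: the added item (7) is indented with six spaces after `(7)` whereas the surrounding items (6) and (8) use eight, and it contains a doubled space in `up-to-date  patches`; both will show up as uneven spacing when the list renders. Suggest matching the `(6)`/`(8)` spacing and collapsing the doubled space, and, since this is a transcription of regulatory text, checking the wording of (7) once more against the official text of 201 CMR 17.04.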

Latest revision as of 07:25, 30 May 2009
