The regulations impose detailed administrative and technical obligations on any person that owns, licenses, stores, or maintains personal information of Massachusetts residents.
The regulations require businesses to comply with the following administrative obligations:
- Program implementation and oversight. Companies must designate one or more employees to maintain and enforce a comprehensive information security program.
- Security policies. Companies must create policies governing whether and how employees keep, access, and transport records containing personal information outside of business premises. Companies must also impose disciplinary measures for violations of their comprehensive information security program rules.
- Limited access. Companies must impose reasonable restrictions upon physical access to records containing personal information.
- Monitoring. Companies must regularly monitor the information security program to ensure its proper operation and effectiveness.
- Security breaches. Companies must document responsive actions taken in connection with any incident involving a security breach.
- Service providers. Companies must take reasonable steps to ensure that third-party service providers with access to personal information have the capacity to protect such information consistent with the Massachusetts regulations and applicable federal regulations.
The regulations also impose significant technical requirements for any computers, systems, or networks involved in the maintenance or transmission of personal information.
Specifically, the regulations require companies to establish and maintain a comprehensive information security program incorporating, at a minimum, and to the extent technically feasible, the following elements:
- User authentication protocols. Companies must implement secure user authentication protocols including:
  - Control of individual account identifiers to limit access
  - Secure measures for selecting, storing and accessing passwords
  - Control of data security passwords to ensure that passwords are kept in a location and/or format that does not compromise the data they protect
  - Restricting access to active users only
  - Blocking access to user identification after multiple unsuccessful attempts to gain access
- Access controls. Companies must implement secure access control measures that:
  - Restrict access to records and files containing personal information on a “need-to-know” basis
  - Assign unique identifications plus passwords to each person with computer access
- Encryption. Companies must encrypt all personal information when stored on laptops or other portable devices, or in transit across public networks or by wireless connection.
- Monitoring. Companies must monitor their systems to detect unauthorized access to or use of personal information.
- Firewall protection. Companies must use reasonably up-to-date firewall protection and system security agent software (including malware protection) for files containing personal information on a system connected to the Internet.
- Antivirus protection. Companies must also have reasonably up-to-date antivirus software and security patches.
- Employee training. Companies must educate and train their employees on the proper use of the computer security system and the importance of personal information security.
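The authentication-protocol and access-control items above (unique identifiers, passwords stored in a form that does not compromise the data they protect, access limited to active users, lockout after repeated failures) map onto a small set of checks in a login routine. The following is an added illustration, not text from the regulations and not any vendor's implementation; the user store, the lockout threshold of five attempts, and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed policy value: lock the identifier after this many consecutive failures.
MAX_FAILED_ATTEMPTS = 5
# Assumed KDF parameters; tune the iteration count to the deployment's hardware.
KDF_ITERATIONS = 100_000


class UserStore:
    """In-memory store: each record has a unique id, a salted PBKDF2 hash
    (never the cleartext password), an active flag, and a failure counter."""

    def __init__(self):
        self.users = {}
        # Dummy salt so unknown ids cost the same KDF time as real ones.
        self._dummy_salt = os.urandom(16)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

    def add_user(self, user_id, password, active=True):
        if user_id in self.users:
            raise ValueError("user identifier must be unique")
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": self._derive(password, salt),
                               "active": active, "failed": 0, "locked": False}

    def authenticate(self, user_id, password):
        """Return 'ok', 'inactive', 'locked', 'bad_password' or 'unknown'."""
        user = self.users.get(user_id)
        if user is None:
            self._derive(password, self._dummy_salt)  # equalise timing
            return "unknown"
        if not user["active"]:
            return "inactive"          # access restricted to active users only
        if user["locked"]:
            return "locked"            # identifier blocked after repeated failures
        candidate = self._derive(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "bad_password"
```

Unlocking a locked identifier and the "need-to-know" restriction on individual records are deliberately left to the surrounding application, since the regulations describe the outcome rather than a mechanism.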