The text below has been excerpted from the Massachusetts Data Privacy Law and provides information of relevance to merchants. The entire statute may be found at ttps://www.mass.gov/files/documents/2017/10/02/201cmr17.pdf.
Purpose. 201 CMR 17.00 implements the provisions of M.G.L. c. 93H relative to the
standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. 201 CMR 17.00 establishes minimum standards to be me in connection with the safeguarding of personal information contained in both paper and electronic records.
Duty to Protect. Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:
(a) the size, scope and type of business of the person obligated to safeguard the personal
information under such comprehensive information security program;
(b) the amount of resources available to such person;
(c) the amount of stored data; and
(d) the need for security and confidentiality of both consumer and employee information.
The safeguards contained in such program must be consistent with the safeguards for
protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
Computer System Security Requirements. Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:
- Secure user authentication protocols
- Secure access control measures
- Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. - Reasonable monitoring of systems, for unauthorized use of or access to personal
information; - Encryption of all personal information stored on laptops or other portable devices;
- For files containing personal information on a system that is connected to the Internet, there
must be reasonably up-to-date firewall protection and operating system security patches,
reasonably designed to maintain the integrity of the personal information. - Reasonably up-to-date versions of system security agent software which must include
malware protection and reasonably up-to-date patches and virus definitions. - Education and training of employees on the proper use of the computer security system and
the importance of personal information security.
Posted 2019-05-04.