Security laws, regulations and guidelines directory

By CSO staff, CSO |  Security, privacy, regulation

What it covers: This Massachusetts law, which went into effect in March 2010, works to protect the state's residents against fraud and identity theft. It requires that any business that stores or uses personally identifiable information about a Massachusetts resident develop a written, regularly audited plan to protect this information. It takes a risk-based rather than a prescriptive approach to information security: it directs businesses to establish a security program that takes into account the business's size, scope, resources, the nature and quantity of data collected or stored, and the need for security, rather than requiring the adoption of every component of a stated program.

More about Mass 201 CMR 17 and data breach notification

* The 201 CMR 17 survival guide

* Mass data protection law's tough requirements

* How NOT to write a disclosure letter

Who is affected: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.

Link to the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

Key requirements/provisions: The regulation's key requirements include the following:

* A documented information security program, detailing technical, physical and administrative measures taken to safeguard personal information.

* Encryption of personally identifiable information (a name combined with a Social Security number, bank account number or credit card number) when stored on portable devices, such as laptops, PDAs and flash drives, or transmitted wirelessly or over public networks.

* Selection of third-party service providers that can properly safeguard personal information.

* Designated employees charged with overseeing and managing security procedures in the workplace, as well as continuously monitoring and addressing security hazards.

* Limits on the collection of data to the minimum required for the intended purpose.

* Computer system security requirements, including secure user authentication protocols, access control measures, system monitoring, firewall protection, up-to-date security patches and security agent software, and employee education and training.

Source: Commonwealth of Massachusetts Office of Consumer Affairs

Nevada Personal Information Data Privacy Encryption Law NRS 603A


Originally published on CSO.