Data privacy, security laws have far-reaching impact

By Bart Lazar, |  Security, privacy, regulation

  • Review the scope of the security measures on at least an annual basis or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
  • Document incident responses involving a breach of security, and changes in business practices resulting from the incidents.
  • The standards also provide the following minimum technical requirements for computer systems that electronically store or transmit personal information regarding Massachusetts residents:

    • Secure user authentication protocols including:
      • Control user IDs and other identifiers.
      • Provide a reasonably secure method of assigning and selecting passwords (or use an alternative authentication technology such as biometrics or token devices).
      • Control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.
      • - Restrict access to active users and active user accounts only.

      • Block access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
    • Secure access control measures that:
      • Restrict access to records and files containing personal information to those who need such information to perform their job duties.
      • Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
    • Encrypt (to the extent technically feasible) all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
    • Implement reasonable monitoring of systems, for unauthorized use of or access to personal information.
    • Encrypt all personal information stored on laptops or other portable devices.
    • Provide reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, designed to maintain the integrity of the personal information.
    • Provide reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
    • Educate and train employees on the proper use of the computer security system and the importance of personal information security.
    Join us:






    Answers - Powered by ITworld

    Ask a Question