Massachusetts Data Security & WISP
New updates to Massachusetts data breach compliance regulations mean stronger protections for businesses handling residents' personal information.
Have You Heard?
Massachusetts has updated its data breach laws for any business that stores the following information on any Massachusetts resident:
- Social security numbers
- Driver's License / State ID numbers
- Bank account information
- Debit / Credit Card details
Along with notifying the Office of the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation in the event of a breach, businesses are also required to develop, implement, and maintain a Written Information Security Program, commonly known as WISP.
A WISP is defined as a documented plan that outlines how your business collects, stores, and protects personal information, as well as the steps that will be taken in the event of a breach. To help businesses determine where they stand in compliance with these new regulations, the following checklist has been compiled to help you identify gaps you may have, develop a strategy to evaluate your current security environment, and address any questions or concerns you may have.
Questions? We're Here
Massachusetts law requires businesses to maintain a WISP, and non-compliance can mean serious consequences. Whether we're already working together or you're exploring your options, our team is here to address your questions and concerns.
We'll help you identify any current gaps and implement a strategic plan to ensure confidence in compliance. Contact us today through our form or give us a call at 508-676-7800 to get started.
General Requirements
The following requirements apply to physical record keeping:
- A WISP must include administrative, technical, and physical safeguards for the protection of personal information (PI)
- Identify all physical and electronic records, and the systems and devices they are stored on
- Identify and evaluate foreseeable threats to records containing PI and assess the effectiveness of current safeguards
- Ensure regular and ongoing employee training, procedures for monitoring employee compliance, and disciplinary measures for violations
- Implement policies for when and how records containing PI can be stored, accessed, or transported and immediately block terminated employees from access
- Ensure any third-party service providers or vendors are contracted to comply with the security measures outlined in the compliance regulations your business must follow
- Limit the amount of PI collected to only information necessary for business purposes or regulatory compliance. In addition, ensure the retention period for these records, and who has access, are similarly limited
- A WISP should specify how physical records are stored (in locked facilities, storage areas, or containers) and outline how access to these records is restricted
- Ensure procedures are in place for regularly monitoring and evaluating WISP effectiveness, updating it when necessary. Security measures should be reviewed annually, or whenever events occur that may affect the security of PI
- Ensure a procedure exists for documenting the actions taken during a security breach and a post-incident review for improved security
Additional Requirements for Electronic Records
These additional requirements go over preventative measures to protect electronic records:
- Secure authentication protocols are in place:
  - Control of user IDs and other identifying credentials
  - A reasonably secure way of assigning passwords, or use of biometrics or token devices
  - Ensure passwords are kept in a secure location or format
- Access to PI should be restricted to active employees who require access to perform job responsibilities
- In the event of multiple unsuccessful access attempts, ensure access is immediately blocked
- Grant access on a need-to-know basis: restrict which users can access systems holding PI and which information each user can access
- All PI transmitted across public networks or wirelessly, or stored on laptops or other portable devices, should be encrypted. Monitoring should also be in place to alert the business to unauthorized use of or access to PI
- All systems and devices connected to the internet should have reasonable protections in place for files containing PI. Protections include:
  - Firewall protections
  - Security patches for operating systems
  - Up-to-date system security agent software, including malware protections
  - Maintaining current security patches and virus definitions
- Regular employee training on securely using devices, systems, and handling of PI
