Massachusetts Marching Orders
March is a big month for Massachusetts! On the 5th, we see the official kickoff of “Maple Month,” which is a celebration of “all things maple.” Scheduled events include numerous pancake breakfasts and tours of local sugarhouses that open their doors to show visitors how sap from the maple trees is boiled into a syrup. If you would like to learn about the interesting syrup-making process, including how to make your own, check out the Massachusetts Maple Producers Association. Just be aware that it takes 40 gallons of sap to make one gallon of maple syrup!
On the compliance front, March 1st marked the deadline to comply with the wide-reaching Massachusetts regulation 201 CMR 17.00, which requires any person or business that owns or licenses personal information about a Massachusetts resident, even a single record, to adequately protect that data. The regulation was issued under the existing state breach notification law (General Law 93H), which allows for civil penalties of up to $50,000 for data breaches. What is groundbreaking about 201 CMR 17.00 is that it is far more specific than other data protection laws about how the data is to be protected, and that it applies to companies that are not otherwise in a regulated industry.
201 CMR 17 consists of 5 sections which outline the scope, responsibility, and requirements for compliance. It defines a “breach of security” primarily as the unauthorized acquisition or use of unencrypted data (or of encrypted data together with the encryption key). All data that meets the “personal information” criteria requires protection, and it is the responsibility of the data owner or licensee to safeguard that information with a comprehensive written information security program.
Highlights of that security program include the requirement of a documented security policy, regular monitoring to ensure that the security program is working to prevent unauthorized access to (or use of) personal data, and detailed documentation of incident response, including a mandatory post-incident review. To ensure incidents may be investigated, the companion breach notification law (93H) also requires data breaches to be reported to the state’s Attorney General.
PowerTech is well positioned to assist organizations running IBM i that are required to comply with 201 CMR 17. Our Network Security access control and Authority Broker solutions work together with the IBM i operating system to satisfy section 17.04(2)(a), which states that methods be implemented to “restrict access to records and files containing personal information to those who need such information to perform their job duties.” And Compliance Monitor can assist with section 17.04(4), which requires “reasonable monitoring of systems, for unauthorized use of or access to personal information.” But it doesn’t stop there! Our security experts can assist with configuring the operating system controls, and our leading technology partnerships can assist with the encryption and anti-virus requirements.
The law was written to make companies take a “risk-based” approach to compliance that takes into account the size of the company, the type and amount of data being stored, as well as the nature of the business. There was also a well-publicized shift in the deadline for compliance from August 2009 to March 2010. That day has now come!
A complete copy of the law may be found at: 201 CMR 17.00.
The Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) also maintains a number of online resources regarding identity theft, including an FAQ on complying with law 201 CMR 17.00.
I fly out again Wednesday, on my way to Reno, Nevada. I am looking forward to this trip as I fell in love with the Reno/Tahoe area during my visit for COMMON 2009. I will be conducting a security workshop at the impressive Grand Sierra Resort & Casino, and also presenting the popular “Top 10 Security Risks You Need To Fix NOW” to the Reno-Sparks Midrange Users Group. From there I head to Portland, a new city for me, but one that I have heard is spectacularly beautiful. This will involve another workshop at the offices of a regional PowerTech partner, MSI Systems Integrators, and then a session for the Portland Users Group.
Have a great week, and I will be sharing an update from Portland next week.

Robin Tatam is the Director of Security Technologies for