Protection of Personal Information (MA)

201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, is a Massachusetts regulation that applies to anyone (not just Massachusetts companies) who owns, licenses, stores or maintains personal information about a resident of the Commonwealth. It establishes minimum standards, consistent with industry practice, for safeguarding personal information as defined in §17.02 (Definitions). The regulation covers information in both paper and electronic form and goes into effect on May 1, 2009.

The regulation places a duty of care on anyone who handles such personal information. That duty includes the following requirements from §17.03 (Duty to Protect and Standards for Protecting Personal Information):

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information … Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures.

(k) Reviewing the scope of the security measures at least annually …

Where personal information is stored or transmitted electronically, §17.04 (Computer System Security Requirements) also applies. It requires that the computer security system include, at a minimum, the listed safeguards, among them:

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Cosaint's courses can provide the basis for a solid employee training program, addressing the training requirements in §17.03(b) and §17.04(8). A Cosaint training portal also simplifies distributing policies and recording employee sign-off, and makes the annual review of training records and policy acknowledgements called for in §17.03(k) straightforward.