New England Network Solutions | IT Support and Network Services in Massachusetts


MA CMR 17


Massachusetts Data Privacy Act 201 CMR 17

 

What is CMR 17?

CMR 17 is a Massachusetts state government regulation that requires companies to safeguard personal information of Massachusetts residents. The state of Massachusetts is requiring all companies to be CMR 17 compliant.

 

Your company must have a written information security plan (WISP) and procedures to safeguard that data.

 

You are responsible for making sure that the vendors and clients to whom you pass personal information (PI), or from whom you receive it, are also compliant.

 

Why should you care?

You are both civilly and criminally liable for any PI that passes through your business.

 

 

What is personal information (PI)?

At a minimum, you have PI for your employees. This PI is maintained internally and is most likely shared with external vendors such as payroll and insurance providers. You may also have PI from clients and vendors.

 

PI is defined as a first name or first initial combined with a last name, together with any of the following: Social Security number, credit/debit account information, driver's license number, financial account numbers.

 

How does it impact my business?

The state of Massachusetts is now holding you responsible, and there is a fine structure in place in case you are found noncompliant. Also, depending on your business and the amount of PI it needs to operate, a security breach would compromise the integrity and longevity of your business.

 

Your business needs to show that you have:

  • Trained employees on proper management of PI
  • Created procedures on how your company will effectively manage PI
  • Ensured that paper-based PI is secure
  • Ensured that data-based PI is secure
  • Ensured that all PI in transit, into and out of your organization, is accounted for
  • Made sure that all data-based PI is secure and encrypted when it leaves your premises
  • Made sure that all access to PI is limited to appropriate personnel
  • Audited all of the above on a regular basis in a documented fashion
  • Asked all of your vendors to show that they are CMR 17 compliant

 

CMR compliance does not need to be difficult.

For most, CMR compliance does not require calling committees, hundreds of man-hours, thousands in training, or a loss of focus on what makes your business profitable.

 

 

Benefit from our labor

We have created a system to efficiently walk through an organization, identify the PI, review the processes, supply a simple action report, supply needed forms for your employee handbook, and produce your WISP. The NENS process generally takes just a few days.

 

 

Call us at 781-933-9300 for a free consultation today!

 