that owns or licenses personal information about a resident of the Commonwealth
shall develop, implement, and maintain a comprehensive information security
program that is written in one or more readily accessible parts and contains
administrative, technical, and physical safeguards that are appropriate to:
(a) the size, scope and type of business of
the person obligated to safeguard the personal information under such
comprehensive information security program;
(b) the amount of resources available to such
(c) the amount of stored
(d) the need for security
and confidentiality of both consumer and employee information. The safeguards
contained in such program must be consistent with the safeguards for protection
of personal information and information of a similar character set forth in any
state or federal regulations by which the person who owns or licenses such
information may be regulated.
Without limiting the generality of the
foregoing, every comprehensive information security program shall include, but
shall not be limited to:
(a) Designating one
or more employees to maintain the comprehensive information security
assessing reasonably foreseeable internal and external risks to the security,
confidentiality, and/or integrity of any electronic, paper or other records
containing personal information, and evaluating and improving, where necessary,
the effectiveness of the current safeguards for limiting such risks, including
but not limited to:
1. ongoing employee
(including temporary and contract employee) training;
2. employee compliance with policies and
3. means for
detecting and preventing security system failures.
(c) Developing security policies for
employees relating to the storage, access and transportation of records
containing personal information outside of business premises.
(d) Imposing disciplinary measures for
violations of the comprehensive information security program rules.
(e) Preventing terminated employees from
accessing records containing personal information.
Oversee service providers, by:
Taking reasonable steps to select and
retain third-party service providers that are capable of maintaining
appropriate security measures to protect such personal information consistent
201 CMR 17.00
applicable federal regulations; and
Requiring such third-party service
providers by contract to implement and maintain such appropriate security
measures for personal information; provided, however, that until March 1, 2012,
a contract a person has entered into with a third party service provider to
perform services for said person or functions on said person's behalf satisfies
the provisions of 201 CMR 17.03
(2)(f)2. even if the contract does not include a
requirement that the third party service provider maintain such appropriate
safeguards, as long as said person entered into the contract no later than
March 1, 2010.
Reasonable restrictions upon physical access to records containing personal
information, and storage of such records and data in locked facilities, storage
areas or containers.
monitoring to ensure that the comprehensive information security program is
operating in a manner reasonably calculated to prevent unauthorized access to
or unauthorized use of personal information; and upgrading information
safeguards as necessary to limit risks.
(i) Reviewing the scope of the security
measures at least annually or whenever there is a material change in business
practices that may reasonably implicate the security or integrity of records
containing personal information.
(j) Documenting responsive actions taken in
connection with any incident involving a breach of security, and mandatory
post-incident review of events and actions taken, if any, to make changes in
business practices relating to protection of personal information.