Every person that owns or licenses personal information about a
resident of the Commonwealth and electronically stores or transmits such
information shall include in its written, comprehensive information security
program the establishment and maintenance of a security system covering its
computers, including any wireless system, that, at a minimum, and to the extent
technically feasible, shall have the following elements:
(1) Secure user authentication protocols
including:
(a) control of user IDs and other
identifiers;
(b) a reasonably
secure method of assigning and selecting passwords, or use of unique identifier
technologies, such as biometrics or token devices;
(c) control of data security passwords to
ensure that such passwords are kept in a location and/or format that does not
compromise the security of the data they protect;
(d) restricting access to active users and
active user accounts only; and
(e)
blocking access to user identification after multiple unsuccessful attempts to
gain access or the limitation placed on access for the particular
system;
(2) Secure
access control measures that:
(a) restrict
access to records and files containing personal information to those who need
such information to perform their job duties; and
(b) assign unique identifications plus
passwords, which are not vendor supplied default passwords, to each person with
computer access, that are reasonably designed to maintain the integrity of the
security of the access controls;
(3) Encryption of all transmitted records and
files containing personal information that will travel across public networks,
and encryption of all data containing personal information to be transmitted
wirelessly.
(4) Reasonable
monitoring of systems, for unauthorized use of or access to personal
information;
(5) Encryption of all
personal information stored on laptops or other portable devices;
(6) For files containing personal information
on a system that is connected to the Internet, there must be reasonably
up-to-date firewall protection and operating system security patches,
reasonably designed to maintain the integrity of the personal
information.
(7) Reasonably
up-to-date versions of system security agent software which must include
malware protection and reasonably up-to-date patches and virus definitions, or
a version of such software that can still be supported with up-to-date patches
and virus definitions, and is set to receive the most current security updates
on a regular basis.
(8) Education
and training of employees on the proper use of the computer security system and
the importance of personal information security.
