201 CMR 17.00 is a new Massachusetts law, created to establish standards that businesses must use to protect consumer personal information, such as a person’s first and last name, first initial and last name, Social Security number, driver’s license or state ID number, or financial account numbers. It applies to any business that compiles or maintains records that contain personal information.
This law applies whenever a Massachusetts resident’s personal data is stored or transmitted. This can be something as simple as a user ID and password, so the law applies to every website. If you administer a website, no matter where your business is located, the law applies to you. 201 CMR 17 is administered by the Massachusetts Attorney General and was to go into effect on January 1, 2010. The compliance date has been extended to March 1, 2010.
Changes to the Law
Initially, the law required all companies to use specifically designated SSL encryption on personal information. Due to the outcry of small businesses and municipalities, the Office of Consumer Affairs and Business Regulation (OCABR) made multiple changes to the law’s original form in order to make compliance easier for small businesses.
Now the requirement is that businesses perform “due diligence” using “industry standard” technologies. The law in its current form requires only that the company take reasonable measures to protect the data, given the level of risk the data presents.
In order to assess your business’s security risk, perform an assessment that looks at the size of your business, the kind, sensitivity and amount of information you store or transmit, and the resources you have available for security. More compliance information is available through OCABR, where you can obtain a detailed guide to developing a security plan.
What 201 CMR 17 Means for Websites
Website administrators will need to pay particular attention to the law in keeping user data secure. Many usernames already fit the definition of protected information, using a person’s first initial and last name, even when you have no other personally identifiable information about the user.
For most blogs and other media sites, there is little risk that the theft of a user ID would present a significant security threat. One can imagine a situation, however, in which a stolen user ID is used to post derogatory information that is harmful to a user’s reputation.
Problems with misused user IDs do not present a legal threat to websites, but they can be a liability threat. When laws protect personal information, businesses are held to a greater standard of care than when such laws are absent. You can reduce such liability exposure by using SSL encryption on user data.
It is likely your business already has anti-virus software and firewalls in place to protect against viruses and other computer threats. While these systems are helpful, they do not provide complete protection. If you administer a website, SSL encryption for data will not necessarily be required, but it may be a good idea. You can view the full details of the law and find additional helpful information at www.mass.gov.