Thanks for coming back! We hope you find these articles informative and hopefully helpful as a guideline in getting your security practices up to snuff. Again, we want to make it very clear that we are not attorneys, nor do we play one on any current or past TV show. For legal advice, PLEASE consult with your attorney.
What Applies to Me?
This is the question we get most often. With all the alphabet soup out there for regulations and statutes, it is confusing and difficult to figure out which regulations you need to pay attention to. Despite the lack of clear communication on what these laws entail, ignorance is not an excuse when it comes to protecting data. We’ll start with the regulations that most businesses in Massachusetts need to worry about and narrow it down after that. We’re focusing on our home state of Massachusetts in this article, and depending on your industry, there may be additional security regulations that you need to follow (looking at you, Medical, Legal and Financial practices). We advise that you consult with security professionals to ensure that your practices comply with additional requirements not covered in our discussion. We cannot stress enough that you contact the proper team to address the more nuanced requirements of industry-specific regulations.
First, the broadest requirements:
201 CMR 17: Standards for the protection of personal information of residents of the Commonwealth
This was the one that woke up businesses in Massachusetts. It finally went into effect on March 1, 2010 after a few hiccups. If you are a business in Massachusetts, and you have or maintain personal information about your employees or clients (e.g. Social Security numbers, bank account information, medical information, credit information, etc.), you are required to comply with these regulations and to review your practices against them annually for compliance.
At the heart of this statute is the requirement to develop a plan to securely manage the personal information, to document the plan in detail, and to require employees who manage the information to read the plan and sign that they will follow the procedures it documents. In addition, the plan should be updated, reviewed, and signed again on an annual basis. It is referred to as a WISP - Written Information Security Plan.
We won’t go into the specifics of the plan here as it would be quite lengthy. We encourage you to consult with your IT professional, Human Resources Lawyer, or ask them for a referral to a security specialist. Of course, we would be happy to provide these services, but we strongly encourage you to take these steps – if not with us then at least with a professional with experience in these regulations.
We have developed a template that you can use at no charge that follows the regulations chapter and verse – you fill in the blanks for your business. Send us an email at info@systemsupport.com to request yours. Please be advised that you must follow these practices, not just write down that you do. And of course, please have your attorney review the document as well.
Just as the IRS has “flags” for audits, one flag for 201 CMR 17 compliance is an organization not having a WISP to provide on demand. Have one available when requested: it is a good indication that you are conscious of 201 CMR 17 and are complying with its requirements, even if you do not have or manage personal information. Also, it’s better to have the document and not need it than to need it and not have it.
PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS), commonly called PCI, is not a government regulation, but a standard established by the credit card industry. If your organization accepts credit cards for payment, you have agreed to be bound by these standards, and need to ensure that your practices meet these requirements, as you have also agreed to be penalized if you are found to be non-compliant. It puts the burden of protecting credit card information on you, the business who takes the card. To help businesses make sure they’re taking the right steps, there is a Self-Assessment Questionnaire available online from the PCI Security Standards Council:
https://www.pcisecuritystandards.org/documents/SAQ_A_v3.pdf
Many of the requirements overlap and coincide with 201 CMR 17. We suggest that you contact your Merchant Services provider regarding your compliance, as well as your IT professional. Again, we can provide these services if you would like (shameless plug). Chances are you already have had some experience with this, as Merchant Service providers (credit card companies) are actively engaging with their clients to see that they are complying; some even have compliance built into the solution. For example, the chip readers for credit cards are a step in the right direction.
Like everything else (tell me if you’ve heard it before), an ounce of prevention is worth a pound of cure, so spending a little time to ensure you are PCI compliant may help you avoid some hefty fees. Make no mistake: those fees are charged in egregious noncompliance cases.
HIPAA
From the US Department of Health and Human Services comes HIPAA - Health Insurance Portability and Accountability Act of 1996. A good summary of the HIPAA privacy rule can be found here:
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HIPAA applies to any organization that manages or otherwise uses individuals’ health information. This of course includes doctors and other health practitioners and their administrators, insurance companies, dentists, pharmacists, ophthalmologists, and others. Also included is anyone who may touch or be exposed to this information indirectly, e.g. by filling a nonpharmaceutical prescription for medical equipment or hardware, providing legal services regarding a health issue, or being an employer who has access to this information, whether or not they actually access it in their day-to-day work.
While these regulations address a narrower scope of professionals, look at your practices carefully. If you have access to any of this information, whether you directly work with it or not, you need to make sure that your procedures that may give you access are compliant with HIPAA.
Like the others, we will not go into the specific requirements of HIPAA compliance here, but it is more complex than the others we have described. For example, in a doctor’s office, the computer monitors need special screen overlays that cannot be seen from the side!
You really need to work with HIPAA professionals to review your practices and document compliant procedures. As our last shameless advertisement, at least for this article: we provide a HIPAA compliance program checklist consultation to our clients that may need this review and documentation.
Government, Military, and Defense Contractors
If you fall under this category, you likely already know the vast array of regulations and statutes requiring your compliance, and the information they cover is not viewed as personal information in the sense discussed here. As such, it is beyond the scope of our discussion.
We will, however, urge you to review your own compliance as a vendor, and to review your vendors for compliance as well. You don’t want to wait for the Government to surprise you with an audit or, worse, an investigation.
Thanks for making it all the way through this lengthy article! In our upcoming article we’ll talk about the penalties for noncompliance and typical scenarios for how organizations are found to be noncompliant through e-discovery and other events. Not only is ignorance not bliss, it can be incredibly expensive!
See you next time!