201 CMR 17.00
(New page: 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH Section: 17.01: Purpose and Scope 17.02: Definitions 17.03: Duty to Pr...) |
Line 1: | Line 1: | ||
201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH | 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH | ||
− | |||
− | + | == Section:17.01 Purpose and Scope == | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | 17.01 Purpose and Scope | + | |
(a) Purpose | (a) Purpose | ||
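Review bot: The new 17.01 heading, "== Section:17.01 Purpose and Scope ==", drops the colon after the section number that the 17.02, 17.03 and 17.04 headings in this same change keep ("== Section:17.02: Definitions =="). Suggest "== Section:17.01: Purpose and Scope ==" so the four headings match. The page's original contents line also wrote "Section: 17.01: Purpose and Scope" with a space after "Section:", so it is worth choosing one form and using it for every heading.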
Line 17: | Line 11: | ||
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth. | The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth. | ||
− | 17.02: Definitions | + | == Section:17.02: Definitions == |
The following words as used herein shall, unless the context requires otherwise, have the following meanings: | The following words as used herein shall, unless the context requires otherwise, have the following meanings: | ||
Line 33: | Line 27: | ||
“Record” or “Records,” any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics. | “Record” or “Records,” any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics. | ||
− | 17.03: Duty to Protect and Standards for Protecting Personal Information | + | == Section:17.03: Duty to Protect and Standards for Protecting Personal Information == |
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated. | Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated. | ||
Line 61: | Line 55: | ||
(k) Documenting responsive actions taken in connection with any incident involving a breach of security or the potential therefor, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. | (k) Documenting responsive actions taken in connection with any incident involving a breach of security or the potential therefor, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. | ||
− | 17.04: Computer System Security Requirements | + | == Section:17.04: Computer System Security Requirements == |
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements: | Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements: |