This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00. A civil penalty of $5,000 USD may be levied for each violation of M.G.L. 93H, 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.
Our approach is based on adaptation of the NIST Cybersecurity Framework and use of NIST 800-53 and CIS 20 controls. We have uniquely mapped Massachusetts Data Security regulations to NIST Cybersecurity Framework and have integrated CIS 20 controls in to development of a written information security program. In addition, our approach includes DoD's CMMC, OWASP, PCI, HIPAA-cybersecurity, and ISO 27000 standards.
There are several components that need to be addressed when developing WISP per Mass Data Protection Regulation (201 CMR 17.0). The following are key areas that must be addressed developing a robust WISP.
1. Information Security Policies and procedure
2. Vulnerability Assessment
3. Risk Analysis
4. Incidence Response Plan
5. Security Awareness Training
Matured organizations have well defined cybersecurity plans and policies established and practiced in their operations. Adaptive organizations review and adjust these plans and policies at regular frequency as their risk factors change. We will help your organization develop cybersecurity program to comply with mandates and best practices.
We will work with your organization to review your current plans and policies and help you write or update to reflect organizational changes, changes in regulations and threat landscape.