Massachusetts 201 CMR 17.00 - Security of Personal Information - Effective January 1, 2010

On January 1, 2010, Massachusetts
businesses will be required to comply with the most
comprehensive and strictest data security laws of any state.
This regulation implements the provisions of M.G.L. c. 93H
relative to the standards to be met by persons who own, license,
store or maintain personal information about a resident of the
Commonwealth of Massachusetts. This regulation establishes
minimum standards to be met in connection with the safeguarding
of personal information contained in both paper and electronic
records. Further purposes are to (i) ensure the security and
confidentiality of such information in a manner consistent with
industry standards, (ii) protect against anticipated threats or
hazards to the security or integrity of such information, and
(iii) protect against unauthorized access to or use of such
information in a manner that creates a substantial risk of
identity theft or fraud against such residents.

What types of organizations need to comply with 201 CMR 17.00?
Every corporation, partnership, or other legal entity that owns,
licenses, stores or maintains Personal Information about a
resident of Massachusetts. Even businesses that do not handle
consumer data are required to comply with 201 CMR 17.00. For
example, Human Resources data falls into this category, if you
have Massachusetts employees.

Penalties for Not Complying with 201 CMR 17.00
* Up to $50,000 per improper disposal
* Maximum of $5,000 per violation
* Massachusetts Attorney General can take action
* Lost Business / Time Spent / Associated Costs

EasyDocEx combines cutting-edge security technology, best practices and a team of certified senior-level professionals to help ensure that security. Using state-of-the-art traffic profiling and anomaly detection capabilities, we manage and secure our networks, pinpoint and troubleshoot network attacks, monitor our servers and applications, and analyze network security performance issues.
Multiple levels of security (known as Defense in Depth) allow elevated
levels of control for maintenance personnel without compromising
security—including private network circuits for systems management and data
and duplication for disaster recovery.

EasyDocEx utilizes the Secure Sockets Layer (SSL) protocol with 256-bit encryption to protect personal information sent or received through our EasyDocEx system and complies with the Federal Information Processing Standard 140-2, Security Requirements for Cryptographic Modules. This protocol is supported in the latest versions of the most popular web browsers, such as Firefox 3.0 and Microsoft's Internet Explorer. To assure that all web browsers provide the greatest level of security, EasyDocEx utilizes Server Gated Cryptography (SGC). Server Gated Cryptography provides the ability to 'up-rate' older browsers that are only capable of weak, 40-bit and 128-bit encryption to ultra-secure 256-bit encryption.


