TO: All Individuals and Entities Licensed by the Division of Insurance
FROM: Joseph G. Murphy, Acting Commissioner of Insurance
DATE: February 1, 2010
RE: Compliance with 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth
The Office of Consumer Affairs and Business Regulation, pursuant to the authority granted to it by G.L. c. 93H, in November 2009 promulgated 201 CMR 17.00, a regulation setting standards for the protection of personal information of Massachusetts residents. The Division of Insurance reminds all of its licensees of their obligations under this regulation and of the March 1, 2010 deadline for full compliance.
Any person that receives, stores, maintains, processes or otherwise has access to personal information acquired in connection with employment or with the provision of goods or services to a Massachusetts resident has a duty to protect that information. A "person," for purposes of the regulation, may be an individual, corporation, association, partnership or other legal entity. Personal information includes a surname, together with a first name or initial, in combination with one or more of the following three data elements pertaining to that person: Social Security Number; driver's license or state-issued identification card number; or financial account or credit or debit card number, with or without any other data element, such as a code, password, or PIN, that would permit access to the person's financial account.
The duty includes the requirement that the person develop and maintain a comprehensive written information security program ("WISP") to safeguard such information. If the person electronically stores or transmits personal information, the WISP must include a security system covering the person's computers and any portable and/or wireless devices. Safeguards should be appropriate to the size, scope and type of the person's business, to the person's available resources, to the amount of stored data and to the need for security and confidentiality of consumer and employee information. They must be consistent with the safeguards for the protection of personal information, and of information of a similar character, that are set out in any state or federal regulations that apply to the person.
A WISP must provide administrative, technical and physical safeguards for personal information under 201 CMR 17.00. It must address a wide range of matters that include, but are not limited to:
A complete copy of 201 CMR 17.00 may be found at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf. Additional information may be found on the Office of Consumer Affairs and Business Regulation's website, following this link: http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity Theft&sid=Eoca