New Employer Compliance Obligations


                                    AN OVERVIEW


The Commonwealth has passed a new law requiring the protection of personal information.
This law, Regulation 201 CMR 17.00, applies to all employers of Massachusetts
residents, regardless of the size of the workforce.

The alphabet soup that we have come to know in workplace law (the ADA, the FMLA,
MCAD, SNLA) has been expanded to include the OCABR. The Massachusetts Office of
Consumer Affairs and Business Regulation (OCABR) will be the chief watchdog on this
new law, although the Attorney General’s Office will serve as the enforcement agency.

The mission of OCABR is to “empower Massachusetts consumers through education and
outreach and maintain a fair and competitive marketplace.” The Division of Banks,
Division of Insurance, Division of Professional Licensure, Division of Standards, State
Racing Commission and the Department of Telecommunication and Cable all fall under
the OCABR umbrella.

The Regulation 201 CMR 17.00 applies to any persons who “own, license, store or
maintain personal information about a resident of Massachusetts.”

What is Personal Information?

For the purposes of Regulation 201 CMR 17.00, personal information includes a
resident’s first name and last name or first initial and last name in combination with any
one or more of the following:

      • Social Security number
      • Driver’s license number
      • Financial account number, or credit or debit card number (with or without the
        PIN, password, etc.)

However, this does not include information that is lawfully obtained from publicly
available information.

One of your first steps towards compliance is to think about and document all the places
where you have electronic and paper records, databases, spreadsheets and other
information that may contain personal information covered under the Regulation.
Examples might be employee personnel files, payroll, 401(k) and other benefit
information, accounting databases with client information and client databases.

Personal information covered under Regulation 201 CMR 17.00 may also be found in
your document management system, the email you store and archive, on backup tapes
and on paper in boxes and files.

No matter where this information is, you are going to have to find it and find a way to
protect it in accordance with the new Regulation.

What is Encryption?

One of Regulation 201 CMR 17.00’s major requirements is encryption, but what exactly
does encryption mean?

Encryption is the process of transforming information (usually with an algorithm) so
that it is unreadable to anyone except those possessing specific knowledge, often
referred to as a “key.”

Encryption is widely used to protect data in transit, such as data transferred via networks
like the Internet, mobile phones, PDA devices, Bluetooth devices, etc. It can also be used
to protect data in place on hard drives and similar devices.
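The definition above can be made concrete. The following Go program is an added example and is not part of the original document or any product it mentions: it encrypts a constructed sample personnel record (not real data) with AES-256-GCM, the kind of authenticated encryption used both for data at rest on a hard drive and for data in transit. It shows the three properties that matter for the Regulation: the stored bytes no longer contain the personal information, only the holder of the key can read the record, and a record whose ciphertext has been altered is rejected rather than decrypted to garbage. The key size, output layout (nonce followed by ciphertext and tag) and function names are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record: a name combined with a Social Security number and
// an account number, i.e. "personal information" as the Regulation defines it.
// Not real data.
const sampleRecord = "Jane Doe, SSN 000-00-0000, payroll account 1234567890"

// NewKey returns a random 256-bit key. In a real deployment the key lives in a
// key store or HSM, never in the same place as the files it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Encrypt seals plaintext with AES-256-GCM under key (32 bytes).
// Output layout: nonce || ciphertext || authentication tag.
// A fresh random nonce is drawn for every message; reusing one breaks GCM.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error if the key is wrong or if any
// byte of the ciphertext or tag was altered, so a tampered record is never
// silently accepted.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := NewKey()
	sealed, _ := Encrypt(key, []byte(sampleRecord))
	fmt.Printf("stored on disk : %x...\n", sealed[:16])

	plain, _ := Decrypt(key, sealed)
	fmt.Println("with the key   :", string(plain))

	otherKey, _ := NewKey()
	_, err := Decrypt(otherKey, sealed)
	fmt.Println("with wrong key :", err)

	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err = Decrypt(key, sealed)
	fmt.Println("after tampering:", err)
}
```

The same functions serve the email case discussed below: the sender encrypts the message body before it leaves the office, and only the recipient who holds the key can recover it, whatever mail servers it passes through on the public Internet.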

The new Regulation requires:

        “To the extent technically feasible encryption of all transmitted records and files
       containing personal information that will travel across public networks, and
       encryption of all data containing personal information to be transmitted

What this means for you and your company:

We are all in constant communication with our clients and others via email and fax.
Any communication containing personal information needs to be encrypted before being
sent out over a public (think Internet) method of communication.

           o Email and third-party mail services are not automatically encrypted, so you
             should protect yourself by purchasing software such as PGP (Pretty Good
             Privacy) or by looking for a free program such as PC-Encrypt.

           o Another option is to subscribe to a service that acts as a secure store and
             forwarding system such as R Post, which allows you to post a message to
             a separate site and notify the recipient that it’s available there. The
             recipient in turn must have his own secure access to the site to retrieve the

If you employ Massachusetts residents and store and communicate their personnel and
benefits data electronically, you’ll need to either:

      • Encrypt all files and hard drives where information subject to the Regulation is
        stored. You can do this with file and hard drive encryption software that’s widely
        available for sale.
      • Maintain all information on employees that is subject to the Regulation in an
        encrypted online database such as The HR in a Box™, a dual-layer encrypted
        human resource information system (HRIS) that acts as a safe deposit box for all
        personnel and benefits data. The HR in a Box™ also features encrypted
        electronic communication capabilities between employees, employers and the
        insurance brokerage agency.

If you transmit personal information on the Internet (such as credit card data), you should
make sure that the site is SSL encrypted. SSL refers to Secure Sockets Layer and is the
standard security technology for establishing an encrypted link between a server and

Also, any personal information held on a jump drive, diskette, tape, laptop or other
electronic device that you may use for travel or remove from secure office space will
need to be encrypted.

Written Information Security Program Requirements:

You are also required to develop a comprehensive written security program and policy
for your business and employees that takes into account whether and how employees
should be allowed to keep, access and transport records containing personal information.

The Information Security Plan must be in writing and in place prior to March 1, 2010.
Here is an overview of your compliance obligations with respect to the written
information security program (WISP):

           o Designate one or more persons to maintain the program. This person (or
             persons) will be your Data Security Coordinator (or Coordinators).
           o Identify risks and evaluate safeguards.
           o Develop security policies for employees who work out of the office.
           o Impose disciplinary measures for program violations.
           o Prevent terminated employees from accessing personal information.

          o Make sure that third party service providers have an information security
            program that is 201 CMR 17.00 compliant.
          o Limit the amount of personal information collected, the time it is retained
            and access to it.
          o Identify all systems used to store personal information.
          o Restrict physical access to records containing personal information.
          o Monitor the program regularly.
          o Review the scope of security measures at least annually or whenever there
            is a change in business practices.
          o Document actions taken in a security breach incident.

System Security Requirements:

      • Businesses subject to Regulation 201 CMR 17.00 must meet the following system
        security requirements. These requirements are minimum standards and must be
        part of your written information security program:

          o Secure user authentication protocols including control of user ID’s and
            other identifiers.
          o A reasonably secure method of assigning and selecting passwords or use
            of unique identifier technologies such as biometrics or token devices.
          o Control of data security passwords to ensure that such passwords are kept
            in a location and/or format that does not compromise the security of the
            data that they protect.
          o Restricting access to active users and active user accounts only.
          o Blocking access to user identification after multiple unsuccessful attempts
            to gain access or the limitation placed on access for the particular system.
          o Secure access control measures that restrict access to records and files
            containing personal information to those who need such information to
            perform their job duties.
          o Assign to each person with computer access a unique identification plus a
            password that is not a vendor-supplied default password, and be sure these
            are reasonably designed to maintain the integrity of the security of the
            access controls.
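Several items in the list above describe behaviour an authentication system must have: block a user ID after multiple unsuccessful attempts, restrict access to active accounts only, and never accept a vendor-supplied default password. The Go program below is an added example written for this page and is not code from the original document or from any product it names. It implements those three rules for an in-memory account table. The Regulation sets no specific numbers, so the lockout threshold (5 attempts), lockout duration (15 minutes), minimum password length (12) and the short list of vendor defaults are all assumptions chosen for the example; a real deployment would also use a slow password hash such as bcrypt rather than the plain SHA-256 used here to stay within the standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Policy knobs. The Regulation gives no numbers; these are assumptions.
const (
	MaxFailedAttempts = 5
	LockoutDuration   = 15 * time.Minute
	MinPasswordLength = 12
)

// Constructed list of vendor-supplied defaults this example refuses.
var vendorDefaults = map[string]bool{
	"admin": true, "password": true, "changeme": true, "default": true,
}

var (
	ErrLocked       = errors.New("account locked after repeated failures")
	ErrBadPassword  = errors.New("invalid user ID or password")
	ErrInactive     = errors.New("account is not active")
	ErrDefaultPass  = errors.New("vendor default passwords are not allowed")
	ErrPassTooShort = errors.New("password shorter than minimum length")
)

type account struct {
	hash        [32]byte  // hash of the password, never the password itself
	active      bool      // cleared when an employee is terminated
	failures    int       // consecutive failed attempts since last success
	lockedUntil time.Time // zero value means not locked
}

// Store is an account table keyed by unique user ID.
type Store struct {
	accounts map[string]*account
	now      func() time.Time // injectable clock so lockout expiry can be tested
}

func NewStore() *Store {
	return &Store{accounts: map[string]*account{}, now: time.Now}
}

// SetPassword enforces the "not a vendor default" and length rules, then stores
// only a hash of the password.
func (s *Store) SetPassword(userID, password string) error {
	if vendorDefaults[strings.ToLower(password)] {
		return ErrDefaultPass
	}
	if len(password) < MinPasswordLength {
		return ErrPassTooShort
	}
	s.accounts[userID] = &account{hash: sha256.Sum256([]byte(password)), active: true}
	return nil
}

// Deactivate removes access without deleting the record (e.g. terminated employee).
func (s *Store) Deactivate(userID string) {
	if a, ok := s.accounts[userID]; ok {
		a.active = false
	}
}

// Authenticate verifies the password, counts failures per user ID and blocks the
// ID for LockoutDuration once MaxFailedAttempts is reached. Unknown IDs return
// the same error as a wrong password so the response does not reveal which IDs exist.
func (s *Store) Authenticate(userID, password string) error {
	a, ok := s.accounts[userID]
	if !ok {
		return ErrBadPassword
	}
	if !a.active {
		return ErrInactive
	}
	now := s.now()
	if now.Before(a.lockedUntil) {
		return ErrLocked
	}
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], a.hash[:]) != 1 {
		a.failures++
		if a.failures >= MaxFailedAttempts {
			a.lockedUntil = now.Add(LockoutDuration)
			a.failures = 0
			return ErrLocked
		}
		return ErrBadPassword
	}
	a.failures = 0
	return nil
}

func main() {
	s := NewStore()
	fmt.Println(s.SetPassword("jdoe", "admin"))            // refused: vendor default
	fmt.Println(s.SetPassword("jdoe", "correct horse 42")) // <nil>
	for i := 0; i < MaxFailedAttempts; i++ {
		fmt.Println(s.Authenticate("jdoe", "wrong"))
	}
	fmt.Println(s.Authenticate("jdoe", "correct horse 42")) // still locked
}
```

Each failed attempt and each lockout is a natural place to write an audit log entry; that record is what lets you "document actions taken in a security breach incident" as the WISP list requires.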

      • You will need to have installed the latest security patches and have in place
        appropriate firewall systems to protect your networked computers from intrusion
        by outside hackers. You will need antivirus software, set to receive updates on a
        regular basis. The software must include spyware and malware

We Can Help:

We have developed a comprehensive compliance program that includes: a compliance
audit to identify the policies and practices that must be changed to achieve compliance;
the preparation of a written information security plan; a personal information security
program checklist; and required training. Please remember, anyone, including businesses,
employers or individuals, who fails to comply with these Regulations is subject to civil
and potential criminal penalties.

                         (508) 548-4888