201 CMR 17.00 Compliance checklist
Boston Data Group has developed this checklist to help businesses in their effort to comply with the Commonwealth of Massachusetts regulation 201 CMR 17.00. The checklist is broken down into three color-coded sections: Administrative Tasks, Technical Tasks and Physical Tasks. Please feel free to use it as you prepare your company for the CMR 17 regulations, which go into effect on January 1, 2010. Boston Data Group can help you implement all of the safeguards.
Administrative Tasks
- Completed a comprehensive, written information security program (“WISP”) applicable to all records containing personal information (“PI”) about any resident of the Commonwealth of Massachusetts. (The WISP must include administrative, technical and physical safeguards for the protection of PI.)
- Engaged legal counsel to assist you with the creation of your WISP.
- Appointed at least one employee (the “Data Security Coordinator”) to maintain and supervise WISP implementation and performance.
- Documented the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices that contain personal information.
- As an alternative to the above, decided whether or not to treat all of your information as if it contained PI.
- Identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI.
- Included disciplinary measures in the WISP for violators of the security program.
- Included policies and procedures in WISP spelling out when and how records containing PI should be allowed to be kept, accessed or transported off your business premises.
- Evaluated the current safeguards in place and documented any necessary improvements.
- Taken all reasonable steps to verify that any third-party service provider with access to PI has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00.
- Taken all reasonable steps to ensure that your third-party service providers with access to personal information are applying protective security measures to such personal information that are at least as stringent as those required to be applied to personal information under 201 CMR 17.00.
- Limited collection of PI only to the amount reasonably necessary to accomplish your legitimate business purposes, or to comply with state or federal regulations.
- Established a procedure for regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary.
- Inc