
Unified Compliance Framework™
Massachusetts Data Protection Law goes into effect March 1st – and there’s no reason it shouldn’t as it really isn’t new
March 1, 2010
Dorian Cougias


201 Code of Massachusetts Regulations 17.00 applies to any individual, company or organization that handles personal information in connection with that person's employment or the sale of goods or services to that person. Last August the state pushed the date for enforcing compliance to safeguard residents' personal information back to Monday, March 1st. Hopefully they won't push it back any further, because while it is different from many of the other state privacy regulations, there really aren't any new requirements for most businesses.

Some, like Deborah Birnbach, an attorney at Boston-based law firm Goodwin Procter, state that this regulation represents a "significant change" in the compliance world for companies that aren't in regulated industries.[1] Hogwash. In fact, any organization handling credit card data has already been contractually bound to all of Massachusetts' technical controls for a couple of years now. And that isn't the only overlap in controls between the Massachusetts law and other authority documents' controls.

The Unified Compliance Framework has mapped this authority document into our comprehensive database of information and technology controls and found that every one of the 36 unique controls in the document overlaps with other regulatory or contractually obligated controls.

What’s the same, and what’s different?
In regard to controls directly pointing to the protection of data (think individual data elements like Social Security Number, Credit Card Number, Address), information (think combining these fields together so that John Doe is matched with his Social Security Number), and records (think putting John’s name and SSN into a printed or e-mailed report), the Massachusetts law overlaps those of the other states. Where the Massachusetts law is different is in all of its other protective measures.

Monitoring and Logging
Of the other state laws, only Massachusetts' law directly calls for monitoring and logging operations (see UCF Control ID 00637). However, this doesn't mean the control is new. Monitoring and logging has been a part of the SAS and AICPA auditing guidelines under SOX, the FFIEC guidelines for banks, HIPAA's guidelines for protecting medical information, energy guidelines, payment card guidelines, federal guidelines, the ISO standards, and international law. In other words, this requirement isn't new. It's just novel for a state to put into writing what most of the other authority documents already had.

Access Procedures
Again, other than California's Office of Privacy Policy's Breach Notification directive, no other state has called for Access Controls in its laws, something we find very odd, seeing as how privacy breaches are defined by unauthorized access to the records. While most of the states have privacy breach notification laws that imply access controls are in place, this is the first state law to directly call for them. And, as with monitoring and logging, a raft of other authority documents have had these controls in place for years (see UCF Control ID 00512).

The technical controls
Another suite of controls that are currently unique in the state law space are the technical controls, such as ensuring firewalls are in place (see UCF Control ID 00544) and the much-ballyhooed call for end-to-end encryption (see UCF Control ID 01749). Again, while these are unique among most states' laws (except for California's OPP Breach Notification directive mentioned above), they are hardly unique to any organization accepting, storing, and transmitting confidential information. Even the call for end-to-end encryption is contained in 5 international privacy laws and 32 other federal, banking, and payment card authority documents.

How do you know if you are compliant? Have some fun and find out…
Okay, maybe I'm the only writer in the world saying that compliance can become a bit of a game for the organization, but as my dad always said, "doing something fun is always easier than doing something that's not fun." In that spirit, there are two websites called "Where's George?" for the US and "Where's Willy?" for Canada.[2][3] Both sites allow the viewer to enter the serial number of a dollar bill to find out where it's been and track where it's going. In that same way, if you want to know whether or not the data in your organization is being protected, you first have to find out where that data comes in, where it goes, who does what with it, where it's stored, and who gets rid of it (if ever) when you don't need it anymore.

Have you asked your employees "who deals with these bits of data" in your organization? While they might be a bit shy about talking controls or regulations or encryption and the like, I've never met anyone who was afraid to speak up and say "yes, I see folks' SSNs, Driver's Licenses, Credit Card Numbers, or the like in what I do." If you want a list of all of the data fields you should be looking for, the UCF team will provide one for you for free (fill out the request form here). If you've ever played scavenger hunt, you can play this game too.

Once you know which (if not all) of the fields your folks are working with, where that data comes in, gets stored, gets worked with, and gets sent back out as records or reports, then you can ask about the access policies, standards, and procedures; the storage policies, standards, and procedures; the transmission policies, standards, and procedures; and the disposition policies, standards, and procedures.


Copyright ©2009 The Compliance Authority, Inc.