Sam Dekay

New Massachusetts Regulation Has Significant Implications for Information Security Professionals

This year, the Commonwealth of Massachusetts enacted a regulation that prescribes information security policies and practices quite unlike those required in any previous state or federal mandate. This regulation, 201 CMR 17.00, states that “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” must adopt specific policies, including detailed technical standards, pertaining to access control. The regulation takes effect on May 1, 2009 (changed from the original date of January 1), and will affect thousands of organizations (including financial, educational, medical, and retail establishments) throughout the world. The scope of this regulation is truly breathtaking, and it may represent the most far-reaching compliance challenge confronted by information security professionals.
