Memo #23031

Massachusetts Issues Guidance On Its New Data Security Standards; Compliance Date Currently Remains January 1, 2009


October 27, 2008

TO: BANK, TRUST AND RECORDKEEPER ADVISORY COMMITTEE No. 34-08
BROKER/DEALER ADVISORY COMMITTEE No. 40-08
COMPLIANCE MEMBERS No. 59-08
OPERATIONS MEMBERS No. 22-08
PRIMARY CONTACTS - MEMBER COMPLEX No. 16-08
PRIVACY ISSUES WORKING GROUP No. 16-08
SEC RULES MEMBERS No. 132-08
SMALL FUNDS MEMBERS No. 68-08
TECHNOLOGY COMMITTEE No. 28-08
TRANSFER AGENT ADVISORY COMMITTEE No. 64-08

RE: MASSACHUSETTS ISSUES GUIDANCE ON ITS NEW DATA SECURITY STANDARDS; COMPLIANCE DATE CURRENTLY REMAINS JANUARY 1, 2009

On Friday, October 24th, the Institute received the following email communication from the Massachusetts Office of Consumer Affairs and Business Regulations concerning compliance with the new Massachusetts data security standards rules: [1]

We have attached a collection of documents that focus on helping small business with the task of complying with 201 CMR 17.00. Depending on the nature and scope of the business, these documents may assist with the formulation of a comprehensive, written information security program, as required by 201 CMR 17.03, and also with verifying compliance. The documents include a guide to creating such a written program, a checklist for determining compliance, and answers to frequently asked questions. To the recipients of this e-mail that are trade associations or organizations, we would ask that you please pass these documents along to your members, to facilitate their compliance efforts. These documents may also be found on our website at www.mass.gov/consumer:

Frequently Asked Questions Regarding 201 CMR 17.00

Small Business Guide for Formulating a Comprehensive Written Information Security Program

201 CMR 17.00 Compliance Checklist

* * * * *

Two things about the above should be noted. First, the rules do not distinguish in their requirements between large firms and small firms. Instead, they set forth minimum requirements to be met by all firms. As such, the above documents should have application regardless of the size of the firm. Second, several of the provisions in the “Small Business Guide” referenced above appear to go beyond the requirements of the rules. As noted in the prefatory language to that guide, “wherever there is a conflict found between this guide and the [provisions of the rules], it is the latter that will govern.”

The Institute continues to try to get an extension of the very unrealistic compliance date of January 1, 2009. We have a meeting set with the Massachusetts Secretary of Housing and Economic Development, the head of the department that adopted the rules, to discuss our concerns, and we will keep you posted on our efforts.

Tamara K. Salmon
Senior Associate Counsel

Endnotes

[1] See Institute Memorandum No. 22901, dated September 23, 2008, for more information regarding the Massachusetts data security standards rules.