As we approach the 10 day mark to the March 1 effective date of the Massachusetts data security regulations, 201 CMR 17.00, we thought that we would share another misapprehension in the ever-growing list.
"I ordered one of those $99 'Compliance Kits' from the Internet, and they say that they will 'certify' that I am compliant. I should be all set."
You might be -- but then again, we are not sure that we would bet the company on it. First, if any packaged template provider or consultant promises to issue a "certification" of your company's compliance with 201 CMR 17.00, run the other way. There are no standards that would form the basis for any such "certification," and neither the Attorney General nor the Office of Consumer Affairs and Business Regulation has authorized any such "certifications."
The Attorney General's office has been clear in various outreach programs across the state -- any company that chooses anything less than "strict compliance" with the very specific written information security program and control requirements in the Standards will need to be able to legally support that decision based on the risk elements in the Standards. In other words, did you do anything more than insert your company's name into the pre-fab "policy" that you purchased?
The Massachusetts Standards take a hybrid approach to privacy/security requirements and require specific controls mandated through a general risk-based framework. Without a legal analysis to interpret and apply the risk-based factors to your particular business and business processes, companies run a serious risk with "one size fits all" templates.
The main question on March 1 should be: "If the worst happens, how comfortable are we defending our legal position to the Attorney General's office concerning our information security program and security controls under the law?" And where will the provider of that $99 template or "certification" be by that time?