We have just one week to go before all entities that own, store, license -- or basically do anything with -- personal information of Massachusetts residents must comply with the Commonwealth's new data security regulations. Things to consider:
- Have you done your risk assessment? Have you looked at what personal information you collect, how you collect it, and how it is transmitted within and outside your organization?
- Have you reached out to service providers that may have access to PI of your employees/customers?
- Is your written information security plan in place, or have you at least started pulling together the various policies and processes ("P&P") that would make up a "written information security plan"? Is the plan tailored to your actual P&P, and thus an accurate representation of what your business really does (and not a template with [insert company name here])?
- Have you thought about employee security awareness training?
Member / Chair, Privacy & Cybersecurity Practice
Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.