At the beginning of the "countdown" to the March 1st effective date of 201 CMR 17.00, we offered some posts with "misapprehensions" and compliance suggestions (see
16 Days to March 1..... and Countdown to compliance with 201 CMR 17.00.....11 days). Here are some questions that have been reoccurring over the last few weeks:
1) What should I be doing about the requirement relating to third party service providers and how does my company get "assurances" that those service providers (like payroll and benefits) are in compliance?
The answer to this will depend upon the kind of access and extent of information that the vendors have. Some companies have created extensive 3rd party/ vendor PI due diligence forms and processes. In the end, all your vendors should provide their own attestation that they are capable of meeting the requirements of 201 CMR 17.00 as part of the vendor review process, and it should be part of the contract. Depending on the situation, targeted risk assessments of vendors may be appropriate, as well as detailed security exhibits attached to contractual agreements. With existing service providers, if the contract is in place by Monday, you will have two years to amend it....but you should be addressing the security safeguard issues now.
2) What about faxes? How can I encrypt those, and is that required under 201 CMR 17,04?
A rather complex answer, but if the fax machine is using the Plain Old Telephone System (POTS to telecom engineers) this is not a "Public Transport" as used in 17.04(3). POTS is a private, switched, 2 party connection. The fax transmission in this case is simply not traveling over a public connection....and does not need to be encrypted nor would the fax machine require an encryption key technology. There are many other concerns with the "process" of sending and receiving faxes, most of these fall under logical or physical access controls, that are required elsewhere in 201 CMR 17.00. One thought of caution, is that there are many FAX systems that are NOT, 100% based on POTS or based on private switched network technology. If your business uses eFax or some other Internet-based form of transmission, that may be going to a traditional fax machine -- it’s POTS to me, but an email to you that is traveling over the public network. If you have a concern about the security of PI in a process, then you most likely have something which needs to be locked down and controlled.
3) We have a good handle on the computer system security requirements and the technical issues, including the whole portable device issue, but what about all that paper?
Start with the basics - do you really need to have the PI in paper format, and do you need as much as you have? If you don't have it, you can't lose it. Keep track of what is in the file, so missing items will be noticed, and to enable you to comply with data breach notification obligations if the worst happens. Simple things like: use color-coding and labels to indicate the sensitivity of the file; consider whether the original or a copy can be taken, if a copy, track the number of copies and stamp them; physically attaching documents to a folder makes copying/losing items more difficult. Use log-in/out records for the files. Remind employees to keep the records in sight or in a safe location when out of sight - use a briefcase lock if there is one, keep files in the trunk of the car and not on the car seat. The most important step is to make sure the plan is followed and to TRAIN EMPLOYEES. Companies can craft great policies and procedures to handle PI and comply with 201 CMR 17.00. But if employees and third parties are not educated and trained in these policies then compliance with the law is highly unlikely! Training, training, training. Security awareness is a big key to avoiding the unfortunate data breach.