PLEASE READ!! IMPORTANT INFORMATION!!
With little fanfare, or more importantly little notice, Massachusetts has issued a set of privacy regulations that will affect virtually any business dealing with the personal information of Massachusetts residents. The regulations, found at 201 CMR 17.00 of the Massachusetts Code of Regulations, impose a strict set of requirements that must be met by January 1, 2009 to avoid non-compliance. Most museums will be required to meet them.
Any business that deals with Massachusetts residents and collects the first and last name of a resident, or the first initial and last name of an individual, together with either (a) the resident's Social Security number, (b) driver's license or state identification number, or (c) financial account numbers or credit/debit card numbers is subject to these regulations.
The regulations require strict compliance. A museum will be required to:
- Formulate a comprehensive written information security program (WISP), which must include, at a minimum, 12 provisions outlined in section 17.03 of the regulations;
- Meet specific computer system security requirements concerning secure user authentication protocols, secure access control measures, encryption measures, system monitoring measures and security software;
- Maintain an education and training program for all employees on the proper use of the security system and the importance of personal information;
- Ensure that all third-party service providers with access to the personal information certify that they have a WISP in place and are capable of securing personal information;
- Update any employment manuals appropriately.
Without compliance, should a security breach occur, an institution could be subject to treble damages, costs and attorneys' fees. With the January 1, 2009 deadline fast approaching, museums should review their privacy standards to ensure that their institutions meet the minimum regulatory requirements.