Looking further into MA regulation 201 CMR 17.00
Thanks to MSCPA, I finally tracked down the Governor’s press release which, at first glance, has a reasonably clear description of the regulation’s intent. I also came across an analysis by Beth Israel’s CIO, a positive blurb from a Maine consultancy, and a brief mention by a MA payroll company.
As for me, I still need to do my official audit of our procedures vs. those specified by the regulation.
October 23rd, 2008 at 3:07 PM
Yeah, I was wondering about this too. Does it have any relevance for a certain project we have worked on together? I fear that it does…
October 23rd, 2008 at 5:20 PM
The ramifications go beyond the potential fines from the law. Where this really will affect every business and organization is in terms of liability. If a business fails to comply with a known requirement (e.g. 201 CMR 17.00), that company can be found professionally negligent. Since it is easy to prove or disprove due care and due diligence by the fact that there are quantifiable standards, a law such as this makes it easy to hold a company accountable. Unfortunately for the company, if they are not compliant and a verdict is awarded, insurance will not cover the loss. This is unfamiliar to most business owners, since they do not equate non-compliance with their computer security with negligent behavior. This can easily put a business into bankruptcy.
Here is an interesting handout on the new law from MA and how it stacks up against other requirements such as HIPAA, SOX, GLBA, FACTA, and the PCI DSS. Check out: http://www.isecuritypolicy.com/pdf/commonwealth.pdf
October 24th, 2008 at 10:32 AM
Thanks, Tom. In particular, I found the table comparing the relevant standards helpful.