Does 201 CMR 17 apply to VOIP?
Thursday, May 13th, 2010

Background: looking at going to a Voice Over IP phone system at work. Wondering if Massachusetts’ new law about information security applies.
Why it might not: a potential (MA based) vendor we’re talking to says:

“We’ve not been asked this before about 201 CMR 17 compliance, and I don’t particularly think it applies to our VoIP, or VoIP in general.”
Why it might: Section 17.04 qualifies the applicability of the rule to:

“Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include…a security system covering its computers, including any wireless system”
Like just about any business, we definitely transmit personal information over our phone system, so I think the technical / legal question is whether an electronic phone system of the type in question is covered under the “its computers” phrase.
Stepping back from the legal to the practical, however, it seems fair to expect reasonable information security from our communications systems, including VOIP. At least in its intent, I think that’s what 201 CMR 17 is after. VOIP is still new enough that I suspect many prospective customers (like us!) aren’t quite sure what constitutes a reasonably secure installation, though we sense that there are all kinds of potential attack vectors not present in POTS.
