Assess your compliance with Massachusetts data privacy law. This regulation requires all businesses that own or license personal information about Massachusetts residents to implement comprehensive information security programs.
Note: 201 CMR 17.00 applies to all businesses, regardless of location, that own or license personal information about Massachusetts residents. Non-compliance can result in significant penalties.
Do you have a written, comprehensive information security program (WISP)?
Does your WISP identify and assess reasonably foreseeable internal and external risks?
Do you review and update your WISP at least annually?
Have you designated one or more employees to maintain the WISP?
Do you conduct risk assessments identifying reasonably foreseeable risks?
Do you conduct background checks on employees with access to personal information?
Do you provide security training for employees who handle personal information?
Do you have disciplinary measures for security policy violations?
Do you implement secure authentication protocols (unique IDs, passwords)?
Do you restrict access to active users and active user accounts only?
Do you encrypt all personal information stored on laptops and other portable devices, and all personal information while it is in transmission?
Do you have up-to-date firewall protection for your network?
Do you keep operating system security patches up to date?
Do you use up-to-date antivirus and antimalware software?
Do you monitor systems for unauthorized access to or use of personal information?
Is personal information stored in locked facilities, storage areas, or containers?
Do you have secure disposal procedures for paper and electronic records?
Do you have written contracts with all third-party service providers?
Do contracts require service providers to maintain appropriate security measures?
Do you monitor and verify service provider compliance with security obligations?