MASS 201 CMR 17.00 Includes Non-Profit Organizations
This new regulation, going into effect March 1, 2010, is perhaps the most far-reaching personal information data security regulation in the country. It applies to all individuals, corporations, associations, partnerships and other legal entities (regardless of where they are located) that own, license, store or maintain personal information about a Massachusetts resident. Yes, this does include Non-Profit Organizations.
Personal information can be any portion of someone's name in conjunction with: a Social Security number; a driver's license number or state-issued identification card number; or a financial account number, or credit or debit card number. The regulation requires a written information security plan (WISP).
So if your organization takes any personal information, it is required to have a written plan for the security of that information. This could be as little as taking a check for a silent auction item at one of your fundraisers. The plan needs to be specific to your organization and contain the following:
- Designating an individual to be responsible for the program.
- Minimizing the use, retention and access of and to personal information.
- Protecting and restricting access to paper records and electronic records (including through password, encryption, and firewall technology).
- Ensuring that third parties with access to personal information comply with the requirements.
For the full MA 201 CMR 17.00 click here.
Want to learn more about the legal issues that affect your organization? Join us at our next non-profit mini-conference.
Photo credit: flickr.com/photos/mikeygottawa