Massachusetts Regulations to Protect Personal Information
Fr: Dawn Hammond, Associate Conference Minister for Policy and Finance
Re: New Mass. Regulations to Protect Personal Information
I’ve recently received several requests for information about the new rules under Mass. General Laws chapter 93H and the regulations issued under it, 201 CMR 17.00. These rules require anyone who owns, licenses, stores or maintains certain personal information about a resident of the Commonwealth to protect that information in order to minimize the risk of identity theft. The rules do apply to local churches. I encourage you to read the full text of the regulations, which may be found here.
Requirements of the Regulations
The personal information covered under these rules is a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following “data elements that relate to such resident”:
a) Social Security number;
b) driver’s license number or state-issued identification card number; or
c) financial account number, or credit or debit card number.
For a local church, several kinds of information come immediately to mind:
a) Personnel records, which generally include a name and a Social Security number for each employee;
b) Records concerning independent contractors, including 1099 forms;
c) Pledge cards and other donor records which include credit or debit card or bank account information.
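To make the definition above concrete, here is an added triage scanner; it is example code written for this page, not part of the regulation or of any Conference material. It assumes records have been exported as plain text lines (one per row of a membership database or pledge spreadsheet), uses constructed sample rows with fictional names and standard test numbers, and flags only the two data elements that have a checkable format: Social Security numbers and payment card numbers (validated with the Luhn check). Bank account and driver’s license numbers have no uniform format, so the example leaves those to a manual inventory. The function and constant names (`scan_record`, `SAMPLE_RECORDS`, and so on) are the example’s own. Note that a line is reported as in scope only when a name is paired with a data element, which is the test the regulation actually applies.

```python
"""Triage scanner for Massachusetts 201 CMR 17.00 "personal information".

A record is in scope when it couples a resident's name (first + last, or
first initial + last) with an SSN, a driver's license / state ID number, or a
financial account / credit / debit card number.  This example (not part of
the regulation or the Conference's materials) flags the two elements with a
checkable format: SSN and payment card number.  Bank account and driver's
license numbers have no uniform format and are NOT detected here.
"""
import re
from dataclasses import dataclass, field

# Heuristic: "Jane Doe" or "J. Doe".  Over-matches capitalised phrases such as
# "Pledge Cards", so treat hits as candidates for human review, not proof.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.?)\s+[A-Z][a-z]+\b")

# SSN in AAA-GG-SSSS form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits, optionally separated by spaces or dashes; the Luhn check filters noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check shared by all major payment card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Keep only the last four digits so the scan report is not itself a leak."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    names: list = field(default_factory=list)
    ssns: list = field(default_factory=list)     # masked
    cards: list = field(default_factory=list)    # masked, Luhn-valid only

    @property
    def covered(self) -> bool:
        """In scope only when a name is paired with at least one data element."""
        return bool(self.names) and bool(self.ssns or self.cards)


def scan_record(text: str) -> Finding:
    """Classify one exported line."""
    finding = Finding()
    finding.names = NAME_RE.findall(text)
    finding.ssns = [mask(s) for s in SSN_RE.findall(text)]
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            finding.cards.append(mask(digits))
    return finding


def scan_records(records):
    """Return (index, Finding) for every record that is in scope."""
    hits = []
    for i, record in enumerate(records):
        finding = scan_record(record)
        if finding.covered:
            hits.append((i, finding))
    return hits


# Constructed sample lines (fictional people, standard test numbers), standing
# in for rows exported from a membership database or a pledge spreadsheet.
SAMPLE_RECORDS = [
    "Jane Doe, payroll, SSN 123-45-6789",                   # name + SSN: in scope
    "J. Smith pledge: card 4111 1111 1111 1111 exp 12/26",  # initial + card: in scope
    "Bob Jones, volunteer schedule, ext 4567",               # name only: not in scope
    "Account 987654321 balance check",                       # number, no name: not in scope
    "Mary Lee, card 4111 1111 1111 1112",                    # fails Luhn: ignored
]

if __name__ == "__main__":
    for idx, fnd in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: names={fnd.names} ssn={fnd.ssns} card={fnd.cards}")
```

Run against a real export, the report gives you the inventory that the written plan has to contain (which files hold protected information) without copying the numbers themselves into yet another document; the masked output is all a reviewer needs to decide which cabinets, folders and spreadsheets the program must cover.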
The regulations require individuals and organizations to go to considerable lengths to protect such information. The requirements include:
- Designation of one or more individuals to implement and maintain a security program;
- Assessing risks to the security of information and working to limit such risks;
- Limiting the information collected and maintained to what is really necessary, and keeping it only as long as necessary;
- Making sure that the protected information is accessible only to those current employees and volunteers who need it in order to do their jobs;
- Verifying that any third-party service provider (such as a payroll processing company or bank) is protecting the church’s information in compliance with the regulations;
- Storing physical records in locked containers;
- Making sure electronic records are password-protected;
- Encryption of personal information which is sent across public networks or wirelessly, or stored on laptops or other portable devices;
- Where an electronic system is connected to the internet, maintaining “reasonably up-to-date” firewall protection, operating system security patches, and malware and virus protection software set to receive current updates on a regular basis; and
- Adopting written policies that put the security program into effect.
The regulations require compliance by January 1, 2010.
Issues to Consider
In general, the rules codify best practices which some churches already follow. However, many will need to make changes in procedures, including the development of written plans. While compliance with these regulations will look a bit different for each local church, here are some things to consider:
- These rules highlight the risk of volunteers carrying pledge cards or personnel records home in briefcases, leaving them in their cars, etc. Paper records need to be kept in locked cabinets, ideally in a lockable room at the church building. Only the people who really need them should have keys to the cabinets. Since the people who need to see pledge cards may not be the same as those who need to see personnel records, you may need two cabinets with two sets of keys.
- There needs to be a designated individual responsible for making sure software permissions are kept up to date, so that only people who currently need access to personal information can view it. When someone leaves, disable their account and change any shared passwords they knew; also change passwords whenever there is reason to believe one may have been compromised. Keep any written record of passwords locked away, not on or near the computer.
- It’s a good idea to get and maintain written documentation from third-party vendors stating their compliance with these regulations.
- Many routine backup procedures (for example, copying records to an external drive or USB stick that is then carried off site) are out of compliance with these regulations, which require that personal information on portable devices be encrypted. Make sure that information on portable devices is encrypted and password-protected.
What should go into a plan document?
According to the regulations, a written plan should include the following:
- Identification of the volunteer or staff position whose occupant will be responsible for maintaining the ‘comprehensive information security program’;
- A description of the kinds of paper and electronic records protected by the program, where they are stored, who has access to them, and how access is controlled;
- A statement as to how long records will be maintained, and how and by whom they will be destroyed when no longer needed;
- How access is withdrawn from those no longer employed or in relevant volunteer posts;
- Identification of the individual responsible for computer security, including access, encryption of information to be sent over the Internet, virus and firewall protection updates, and general due diligence;
- Whether, when and how anyone is allowed to remove such records from the church building (or other building in which they are kept, if the church has no office);
- Measures to be taken to ensure that any third parties with access to the church’s protected information are in compliance with the regulations;
- Disciplinary consequences for staff and volunteers who violate the rules of the security program;
- Procedures for documenting and reviewing any breach of security in order to learn what went wrong and improve protection in the future; and
- A stipulation that the security program be reviewed at least annually, including who is responsible for this review.
Because the new law is affecting every business and nonprofit organization in the Commonwealth, there are many articles and resources available on the Internet. Here’s one article that I found particularly accessible (scroll down to the “comments” section).