An insurance provider in Massachusetts had basic security measures in place, but these were not enough to be fully compliant with a strict, new state regulation, reports Greg Masters.
When Massachusetts passed what arguably is one of the most stringent data protection laws in the nation last March, Ray Pata, the manager of systems and programming at A.I.M. Mutual Insurance Cos., found himself particularly challenged with the encryption of laptops, required by the new law.
The legislation, 201 CMR 17.00, requires all companies, no matter where they are based, to safeguard the paper or electronic records of any Massachusetts resident in their possession. Businesses that possess personally identifiable information (PII) of Bay State residents will now be required to encrypt all devices and transmissions.
This legislation differentiates itself from other state disclosure bills because it forces businesses to become proactive in securing technology, insisting that organizations take measures to protect information, as opposed to other guidelines that only require companies to alert customers should their data be compromised. In addition, it requires that businesses restrict access to company data to only those employees requiring access, have an employee dedicated to security efforts, regularly monitor enterprise security programs, and develop, implement and maintain a “comprehensive information security program.”
While A.I.M. Mutual Insurance Cos. already had several basic security measures in place, such as anti-virus, firewalls, etc., these were not enough for the provider of workers' compensation in Massachusetts to be fully compliant with the new state regulation. The company is headquartered in Burlington, Mass., and also has satellite offices throughout the state and in neighboring New Hampshire.
To upgrade the company's defenses and bring them into compliance with the new state requirement, Pata and his team – composed of three developers and a network specialist – began a review of the standard offerings available. After an assessment and trial period, they chose a solution from BitArmor, recently acquired by Trustwave.
“As a small organization, deploying encryption can be hard, and this could have been a challenge for us. However, BitArmor Managed Encryption made it easy for us to be compliant.”