As a QuickBooks ProAdvisor, we have access to the software, support, information and resources necessary to give outstanding service and support to our QuickBooks and small business clients.
For both your protection and ours, ALPICE Bookkeeping is bonded and insured. We do not offer or provide legal or tax advice.
ALPICE Bookkeeping is compliant with the Massachusetts Personal Protection Regulation 201 CMR 17
Effective March 1, 2010, all businesses, regardless of size, that own, store, or maintain personal information of Massachusetts residents are required to comply with the Code of Massachusetts Regulations, 201 CMR 17. This regulation requires businesses to take rigorous steps to protect the information they hold, and it affects not only Massachusetts-based businesses but any company doing business with Massachusetts residents.
In 2005, over 45 million credit card numbers were stolen in a TJX (TJ Maxx) security breach. In response to this significant breach, the Massachusetts legislature began writing a law to protect all residents of the Commonwealth, regardless of the location of any business with which they conducted a non-cash transaction.
What is personal information?
Personal information includes the resident's last name and either first name or first initial COMBINED with any of the following:
Do you need to comply?
All non-cash businesses collect personal information (PI) in some form and thus must comply with this new regulation. Cash businesses may need to comply as well if they have employees or subcontractors. "Cash or credit card" only businesses will also need to comply. Compliance includes a written plan detailing how this data will be secured (referred to as a "WISP", or Written Information Security Program).
How do you comply?
The level of compliance differs for each business and is determined by the amount of personal information collected in any form. Each company's WISP must include administrative, technical, and physical safeguards for PI protection. Among the elements of a company's WISP are specifics on how that business protects personal information, who has access to this data within the company, training of those individuals, steps taken upon termination, procedures for handling a security breach, and transporting data off site. Any business using a third-party service provider must ensure, by contract, that the provider is capable of maintaining security measures in compliance with 201 CMR 17.
IT requirements include secure user authentication protocols and access controls; paid antivirus protection set to update at least once per day; a business-class firewall; regular network maintenance, with updates at least every thirty days; unique password policies; and encryption of laptops, portable storage, and email. The law specifically requires notification to the attorney general and to a company's clients if a laptop containing personal information is stolen.