The Attorney General shall develop, implement, maintain, and monitor a Written Information Security Program ("WISP") designed to safeguard the personal information of residents of the commonwealth contained in the records of the Attorney General. The Attorney General's WISP shall be separate from the regulations in order to facilitate periodic review and updating of the program. Like the regulations, the WISP shall be read consistently with the safeguards for protection of personal information of a similar character set forth in other state or federal laws and regulations applicable to the AGO and already in place, including but not limited to the Fair Information Practices Act, M.G.L. c. 66A, § 1; the Criminal Offender Record Information Act, M.G.L. c. 6, §172, et seq.; and 940 CMR 11:00, et seq. The Attorney General's WISP shall be available for public inspection, except to the extent any section(s) thereof may be exempt from disclosure under M.G.L. c. 4, § 7, cl. 26, or are privileged by law.
The Attorney General's WISP shall include the following elements:
(1) Designation of employee. The Attorney General will designate one or more employees to design, implement, and coordinate the maintenance of the WISP.

(2) Identification and Assessment of Internal and External Risks. The Attorney General will identify and assess internal and external risks to the security, confidentiality, or integrity of any electronic, paper, or other records containing personal information in each relevant area of activity of the Attorney General, and will evaluate and improve, where necessary, the effectiveness of the current safeguards for minimizing such risks, including but not limited to: (a) ongoing employee training; (b) monitoring employee compliance with policies and procedures; (c) upgrading information systems, including network, system, and software design, as well as information processing, storage, and transmission, as necessary; (d) storage of records and data in locked facilities, storage areas or containers; (e) access and transportation of records and data by telecommuters and others who take records containing personal information off the AGO premises; and (f) improving, as necessary, means for detecting, preventing, and responding to security breaches, including but not limited to security systems and failures.

(3) The Attorney General will take reasonable steps to ensure that departing or former employees cannot physically or electronically access records containing personal information.

(4) The Attorney General will take reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.03; and will take all reasonable steps to ensure that such third-party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.03.

(5) Collection of Information. The Attorney General will collect information required by law and the minimum amount of personal information reasonably necessary to accomplish the legitimate governmental purpose for which it was collected; will permit access to the smallest number of persons who are reasonably required to know such information in order to accomplish such governmental purpose; and will retain such information for the minimum time reasonably necessary to accomplish its purpose and consistent with laws and regulations governing public records retention.

(6) Access, Storage, Use, and Disclosure. The Attorney General will place reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical and electronic access is restricted. The AGO will disclose the information only to those persons who and entities which reasonably require the information to perform their duties. The AGO will use and disclose the information only in conformance with a written procedure that sets forth the manner in which access to, and use and disclosure of, such personal information is restricted.

(7) Monitoring. The Attorney General will conduct reasonable monitoring of systems to determine whether the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal information and upgrading information safeguards as necessary to limit risks.

(8) Review of Program. The Attorney General will review and, where necessary, update the WISP at least annually or whenever there is a material change in personnel, governmental, technological, administrative, or other practices that may reasonably undermine the efficacy of the program.

(9) Review, Responsive Action, and Documentation of Responsive Action. Where the AGO learns that unauthorized access to physical or electronic records by an employee or third party has occurred, the AGO will review the incident in a manner commensurate with the nature and scope of the unauthorized access to determine the possible breach of confidentiality, security, or integrity of the records, if any, and to make any necessary changes in personnel, governmental, technological, administrative, or other practices relating to protection of personal information. The Attorney General in her discretion (and consistently with any relevant collective bargaining agreements) may impose appropriate disciplinary measures for violations of the WISP. The AGO will document any action taken.

(10) Destruction. The Attorney General will establish policies and procedures for the destruction of personal information as soon as it is no longer needed or required to be maintained by state or federal record retention requirements.

(11) Employee Training. The Attorney General will ensure that AGO employees are trained in the law and the AGO WISP relating to the proper collection, storage, use, and disclosure of personal information.