MA Privacy Law
8 Replies
So this goes into effect on Monday. I’m interested to see what, if anything, my RIA counterparts are doing for it as well as the B/D wires.
Please answer. I hate when my topics have no replies (B24 knows that feeling).
I too got an email from Zach. I don't plan to do anything about it for the next two years, which is the time frame that my slow a$$ state will need to review it.
So neither of you have MA clients? We have some clients there, so we are just adopting the MA Privacy Law for the whole firm. Some things in it…OMFG.
It's kind of weird though. From my talks with the various plan sponsors (B/Ds), some are on top of it and had their policies in place months ago, and some seem to be doing nothing.
[quote=Wet_Blanket]So neither of you have MA clients? We have some clients there, so we are just adopting the MA Privacy Law for the whole firm. Some things in it…OMFG.
It's kind of weird though. From my talks with the various plan sponsors (B/Ds), some are on top of it and had their policies in place months ago, and some seem to be doing nothing.[/quote]
No MA clients. Although if certain members of the forum want to jump on board my firm...
Massachusetts Regulation 201 CMR 17.00 requires all Investment Advisers with even just one client residing in Massachusetts to:
· Create and implement a Written Information Security Plan (WISP) outlining administrative, technical and physical safeguards for the protection of personal information for Massachusetts residents;
· Ensure that all records containing any personal information are now digitally encrypted. RIAs are now responsible for the update of all technology and system security measures on computers that process and retain personal information;
· Include a mandatory breach notification standard where any security breach must be reported to the Attorney General, the Director of Consumer Affairs and Business Regulation, and the affected resident(s);
· Designate a firm representative to maintain the security program, evaluate on-going internal and external risks and document employee training.
Guess who got this "promotion" at my firm? I took it under one condition: that I can be called the "Supreme Privacy Officer."
This looks like you got it from an RIA-specific source. This bill actually affects any financial institution that "holds" client personal information. Basically, the bill expands what is generally thought of as PII, i.e. anything with a combination of a client's name and (a) account number, (b) SSN, (c) DL#, etc. So think about any emails you may send out with a client's name and account number.
This bill is a good thing and a bad thing. Bad: some things are overkill in my opinion. Good: while getting the firm up to snuff for this regulation, I have found myself filling gaps and dotting I's that I (or my predecessor) should have done in the first place. I would suggest anyone look over the bill, read some material, and adopt some of the practices that would make sense for your firm (if you don't have to fully comply with the law).
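One concrete way to act on the "name plus identifier" definition discussed above, as an added example that is not code from this thread, from 201 CMR 17.00 itself, or from any vendor: a pre-send check that flags an outgoing message only when a client's name (full name, or first initial plus last name) appears together with an SSN, an account number, or a driver's license number, plus a helper that masks the identifier so the message can still go out. The client roster, the sample messages, and the keyword-based account and license patterns are constructed assumptions for illustration; real account and license formats vary by custodian and state, so the regular expressions would need tuning to a firm's own systems.

```python
import re

# Constructed client roster (hypothetical names; a real firm would pull this from its CRM).
CLIENTS = [
    ("Jane", "Doe"),
    ("John", "Smith"),
]

# Identifier patterns. The SSN pattern rejects area 000/666/9xx, group 00 and
# serial 0000, which are never issued, to cut down on false positives.
# The account and license patterns are assumptions about house wording:
# they require a keyword ("acct", "account", "DL", "driver's license") before the number.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "account": re.compile(
        r"\b(?:acct|account)\.?\s*(?:#|no\.?|number)?\s*:?\s*(\d{6,12})\b",
        re.IGNORECASE,
    ),
    "drivers_license": re.compile(
        r"\b(?:DL|driver'?s\s+licen[cs]e)\s*(?:#|no\.?|number)?\s*:?\s*([A-Z]?\d{7,9})\b",
        re.IGNORECASE,
    ),
}


def name_pattern(first, last):
    """Match 'First Last' or 'F. Last' (first initial plus last name), case-insensitively."""
    initial = re.escape(first[0])
    return re.compile(
        rf"\b(?:{re.escape(first)}|{initial}\.?)\s+{re.escape(last)}\b", re.IGNORECASE
    )


def scan_message(text, clients=CLIENTS):
    """Return which client names and identifier kinds appear, and whether the
    combination of both (the regulated definition) is present."""
    names = [f"{first} {last}" for first, last in clients if name_pattern(first, last).search(text)]
    identifiers = [kind for kind, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(text)]
    return {
        "names": names,
        "identifiers": identifiers,
        # A name alone or a number alone is not personal information under this
        # definition; it is the pairing that triggers the safeguards.
        "flagged": bool(names) and bool(identifiers),
    }


def mask_identifiers(text):
    """Replace every matched identifier with asterisks, keeping only the last four
    digits and any separators, so the surrounding context stays readable."""
    def _mask(match):
        value = match.group(1) if match.lastindex else match.group(0)
        masked = re.sub(r"\d", "*", value[:-4]) + value[-4:]
        return match.group(0).replace(value, masked)

    for pattern in IDENTIFIER_PATTERNS.values():
        text = pattern.sub(_mask, text)
    return text


if __name__ == "__main__":
    # Constructed sample messages; the first two would be stopped, the rest allowed.
    samples = [
        "Attached is the Q3 statement for Jane Doe, acct 12345678.",
        "J. Doe called about SSN 123-45-6789; please update the file.",
        "John Smith wants to reschedule Tuesday.",
        "Account 1122334455 has a pending wire.",
    ]
    for sample in samples:
        result = scan_message(sample)
        print(result["flagged"], result["names"], result["identifiers"])
        if result["flagged"]:
            print("  masked:", mask_identifiers(sample))
```

The check is deliberately conservative in one direction and loose in the other: it only fires on the name-plus-identifier pairing the regulation describes, but it will match a bare initial such as "J Doe" and will miss account numbers written without a keyword, so a firm using something like this would tune the patterns against its own outgoing mail before relying on it.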