
Other states have since adopted a similar law. Management must do a risk assessment to determine if they are subject to CA SB-1386, or similar state law, and take action accordingly with P&P and a monitoring process.

Another key state law is the Massachusetts Data Privacy Act (MDPA), bill 201 CMR 17.¹⁰ Companies that do business with Massachusetts residents or businesses located there must comply with this law. MDPA establishes minimum standards for safeguarding PII of any resident of the state by organizations or individuals who own, license, store, or maintain PII. It applies to the collection, storage, or processing of PII. Thus, an entity (for example, a data center) that simply stores PII, or processes PII (for example, credit card processing), may be subject to this law.


PII is defined in MDPA as Social Security numbers, driver’s license or state-issued ID numbers, financial account numbers, and credit and debit card numbers (with or without CVV codes, PINs, or passwords). Care should be taken by entities that maintain PII data to determine whether they are subject to MDPA.

All four of these laws cover both privacy and security issues related to data and information, and PII in particular.

Industry requirements can affect the entity. For example, entities that use credit and debit cards have PCI compliance issues in order to accept and process charges (see 4.1.3.3.1, PCI).


Other external compliance

Other external compliance-related issues relate to contractual obligations and industry requirements. PCI compliance is an example of an industry requirement. Banks have further requirements from the Federal Financial Institutions Examination Council (FFIEC), which has certain auditing requirements that affect information management.

Roles & responsibilities

Roles and responsibilities with respect to information security within an organization should be set forth and clearly defined in the information security policy. Although information security is collectively the responsibility of everyone within an organization, common roles with specific security-related duties include the following:

Chief information security officer
Security manager
Security engineer
Security analyst

¹⁰ See www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download, accessed August 28, 2019.


© 2019 Association of International Certified Professional Accountants. All rights reserved.    1-9