TO: John Henry, CEO
FROM: Edward Schaefer, CISO
DATE: December 10, 2011
SUBJECT: IT Legislation Compliance
The state of Massachusetts has one of the most comprehensive and clearly defined data privacy laws known as 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth. As stated: “The objectives of this regulation are to insure (sic) the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.” At the most basic level, this requires that all data and information is adequately protected through the use of encryption and other data protection mechanisms.
There are a number of groups whose data must be considered under this policy. Data about Boston Red Sox fans and ticket holders must be stored and maintained in a secure fashion. This will include standard personal information, as well as any financial information used for the purchase of tickets or merchandise. Additionally, data for all Boston Red Sox employees, including the players, must be maintained under these standards. This applies to personnel records, information pertaining to employee compensation and retirement plans, and information relating to negotiations with players. Our current policies are mostly compliant, but we will be performing a full audit and examination to locate any areas that need to be updated to be in compliance with the law. Attached is the compliance checklist provided by the Commonwealth that will be used to verify compliance.