Protecting Personal Information
201 CMR 17
Samet and Company PC
1330 Boylston Street
Chestnut Hill, MA 02467
www.samet-cpa.com
TechKnowledge Advisors Inc
20 Park Plaza, Suite 400
Boston, MA 02116
www.tech-adv.com
OVERVIEW AND RECOMMENDATIONS
201 CMR 17.00
Protecting Personal Information
Norman P. Posner, CPA
Managing Partner
Samet and Company PC, Certified Public Accountants
Professional Experience
Norman is the Managing Partner of Samet and Company PC and has over thirty years' experience as a Certified Public Accountant licensed in Massachusetts.
Norman provides accounting, auditing, tax planning and preparation expertise to numerous industries including temporary staffing, law firms, real estate, manufacturing and non-profit.
The Purpose of the Law
201 CMR 17 is intended to:
1. Prevent the breach of Personal Information (PI).
2. Establish procedures to follow if a breach of PI occurs.
Regulatory Overview
201 CMR 17.00 is intended to ensure the security and confidentiality of personal information of a Massachusetts resident.
For compliance, businesses must develop, implement, maintain and monitor a comprehensive Written Information Security Plan (WISP) that is consistent with industry standards.
Regulatory Overview
The program must be monitored on a regular basis to help ensure that it can:
1. Prevent unauthorized access to PI
2. Prevent unauthorized use of PI
Monitoring of the WISP should be done annually or whenever there is a material change in the business practices of the company.
Does the law apply to your business?
1. If you store a Massachusetts resident’s last name and first name (or first initial) in any form (electronic, paper or some other form)
2. Plus one of the following (a, b, c or d):
a. Social Security Number
b. Driver’s License Number or State ID number
c. Financial account number (credit or debit card)
d. Access code that allows you to access a person’s financial information
Then the law applies to your business!
Remember the TJX Data Breach
Breach may cost the company $1 Billion.
97 Million credit card numbers are estimated to have been breached.
Unsecured wireless network was the culprit.
Other publicized breaches
1. Hannaford – 4 million accounts
2. Bank of America – 1.2 million records
3. Boeing – 161,000 records
2008 Identity Theft Statistics
313,982 Registered Complaints
1. That is a 10-fold increase from 2000
2. 5,408 Identity theft complaints reported in Massachusetts alone.
(Statistics courtesy of the FTC Consumer Sentinel Network Data Book 2008)
Duty to Protect and Standards for Protecting PI
Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:
(a) the size, scope and type of business…
(b) the amount of resources available…
(c) the amount of stored data; and
(d) the need for security and confidentiality of both consumer and employee information
Duty to Protect and Standards for Protecting PI
201 CMR 17.03 – Duty to Protect...
a) Designating one or more employees to maintain…
b) Identifying and assessing reasonably foreseeable internal and external risks…
c) Developing security policies for employees relating to the storage, access and transportation…
201 CMR 17.03 – Duty to Protect...
d) Imposing disciplinary measures for violations…
e) Preventing terminated employees from…
f) Oversee service providers, by:
1. Taking reasonable steps to select and retain third-party service providers…
2. Requiring such third-party service providers by contract to implement and maintain…
(Grandfather provision between March 1, 2010 and March 1, 2012)
201 CMR 17.03 – Duty to Protect...
g) Reasonable restrictions upon physical access to…
h) Regular monitoring to ensure that the comprehensive information security program is…
i) Reviewing the scope of the security measures at least annually or…
j) Documenting responsive actions taken in connection with any incident involving a breach of security…
Trigger Events
Notice is required when the data owner knows that there is:
1. Unauthorized acquisition or use of
2. Unencrypted personal information, or encrypted personal information together with the confidential process or key that can unlock the personal information,
3. That creates a substantial risk of identity theft or fraud against a Massachusetts resident.
Who to Notify
You must notify:
1. The Attorney General’s Office.
2. The data owner.
Computer System Security Requirements
1. Secure user authentication protocols, including:
a) Control of IDs
b) Secure method of assigning and selecting passwords
c) Restrict access to active users
d) Blocking access after multiple unsuccessful attempts
2. Secure access control measures that:
a) Restrict access to files to those who need the information to perform their job duties
b) Assign unique identifications and passwords which are not vendor-supplied default passwords
3. Encryption of all transmitted records and files containing PI.
Requirement / Recommendation
1. Secure user authentication protocols: Use Windows Group Policy
2. Secure access controls: Windows Domain Group Security
3. Email encryption: Leapfile, Tumbleweed, Perimeter eSecurity, MessageGuard, PGP Mailgate, PGP Desktop Messenger, BitArmor SecureMail
Computer System Security Requirements
4. Reasonable monitoring of systems for unauthorized use or access.
5. Encryption of all PI stored on laptops or other portable devices (flash drives).
Requirement / Recommendation
4. Monitor for unauthorized use: Turn on Windows event and object logging; set up an event parser to notify through email for events such as unsuccessful logons
5. Encrypt all portable devices: PGP Whole Disk Encryption, BitArmor Disk Encryption, MessageGuard, Windows 7 BitLocker, hardware encryption (new hardware)
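The monitoring recommendation above (turn on event logging and have a parser notify by email on unsuccessful logons), as an added example that is not tooling from the presenters: this Python script reads a constructed CSV export of Windows Security-log events (the column layout is an assumption of the example), flags any account with five or more failed logons (event ID 4625) inside a ten-minute window, and renders the findings as an email message ready to hand to smtplib. The sender and recipient addresses are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage
import csv

# Constructed sample export of Security-log events (the column layout is an
# assumption of this example). 4624 = successful logon, 4625 = failed logon.
SAMPLE_CSV = """time,event_id,account,source_ip,status
2024-03-01T08:00:01,4624,jsmith,10.0.0.5,0x0
2024-03-01T08:01:10,4625,jsmith,10.0.0.5,0xC000006A
2024-03-01T08:01:15,4625,jsmith,10.0.0.5,0xC000006A
2024-03-01T08:01:21,4625,jsmith,203.0.113.7,0xC000006A
2024-03-01T08:01:30,4625,jsmith,203.0.113.7,0xC000006A
2024-03-01T08:01:44,4625,jsmith,203.0.113.7,0xC000006A
2024-03-01T08:05:00,4625,mchen,10.0.0.9,0xC000006A
2024-03-01T08:30:00,4625,mchen,10.0.0.9,0xC000006A
"""

def find_failed_logon_bursts(csv_text, threshold=5, window=timedelta(minutes=10)):
    """One alert per account that hit `threshold` failed logons within `window`."""
    failures = defaultdict(list)          # account -> [(time, source_ip), ...]
    for row in csv.DictReader(csv_text.splitlines()):
        if row["event_id"] == "4625":
            failures[row["account"]].append(
                (datetime.fromisoformat(row["time"]), row["source_ip"]))
    alerts = []
    for account, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the left edge until events[start..end] fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"account": account, "count": end - start + 1,
                               "first": events[start][0], "last": events[end][0],
                               "sources": sorted({ip for _, ip in events[start:end + 1]})})
                break                     # report each account once
    return alerts

def build_alert_email(alerts, sender="siem@example.invalid", to="security@example.invalid"):
    """Render the alerts as a plain-text e-mail (addresses are placeholders)."""
    msg = EmailMessage()
    msg["Subject"] = f"[201 CMR 17.04] {len(alerts)} account(s) with repeated failed logons"
    msg["From"], msg["To"] = sender, to
    msg.set_content("\n".join(
        f"{a['account']}: {a['count']} failed logons {a['first']:%Y-%m-%d %H:%M:%S}"
        f" to {a['last']:%H:%M:%S} from {', '.join(a['sources'])}" for a in alerts))
    return msg
```

Run it on a real export on a schedule and pass the returned message to `smtplib.SMTP(...).send_message`; the same burst detection is the trigger for the lockout in requirement 1d.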
Computer System Security Requirements
6. Must have an up-to-date firewall that performs stateful packet inspection.
7. Up-to-date versions of system security agent software, including anti-virus and malware protection.
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Requirement / Recommendation
6. Firewall and Windows security patch management: Firewalls: SonicWall, Cisco PIX, Juniper, WatchGuard; Windows patch management: Microsoft SUS server (free)
Computer System Security Requirements
Requirement / Recommendation
7. Up-to-date anti-virus, anti-spyware and anti-malware: Spam solution: Postini or AppRiver (third-party solutions hosted offsite)
Computer System Security Requirements
Requirement / Recommendation
8. Backup of data: Backup tapes should be encrypted if they contain PI.
Offsite data backup that uses encryption: www.capitalvault.net
• Imaging your servers is recommended; software like Symantec LiveState Recovery is a great solution.
Other offsite backup providers