KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law

Webinar Series
July 29, 2009
Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17
Presented by:

About the Speakers
Doug Cornelius Bob Boonstra Sean Megley

Agenda
Overview of the Law: MA Privacy Law 201 CMR 17
Implications and Best Practices
10 Questions to Determine if You will be Compliant by 1/1/2010
A First Look at a SharePoint-based Compliance Management Solution
Questions & Answers

Overview of the Law:MA Privacy Law 201 CMR 17

Law Overview
Doug Cornelius, Chief Compliance Officer
Publisher of Compliance Building

Disclaimer
I am a lawyer, but I am not your lawyer.
This overview is for information purposes. Please seek your own attorney for advice.
These are my views and not necessarily the views of my employer.

Background

Background
The breaches affected over 600,000 Massachusetts residents.

Image source: http://www.massachusetts-map.org/detailed.htm

Federal Regulation
Gramm-Leach-Bliley
HIPPA

Massachusetts Data Privacy Law
Massachusetts General Laws Chapter 93H
Statute on security breaches
shall provide notice, as soon as practicable and without unreasonable delay

Massachusetts Data Privacy Law
201 CMR 17.00
Regulations from 93H to safeguard the personal information of the residents of the Commonwealth

Personal Information
Massachusetts resident's
first name and last name, or first initial and last name
in combination with:
Social Security number;
driver's license number or state-issued identification card number; or
financial account number, or credit or debit card number (with or without any required security code, access code, personal identification number or password)

Duty to Protect
Written Information Security Program
Computer System Security Requirements

Information Security Program
Written

Reasonably consistent with industry standards

Designee

Identify and assess internal and external risks:
Employee training
Employee compliance
Detect security failures

Taking it outside

Discipline

Terminating access for terminated employees

Third Party compliance

Limiting the amount of personal information

Identify storage locations

Restrict physical access

Monitor
Review
Document

Computer System Security

Secure user authentication protocols

Secure access control measures

Encryption

Monitor

Virus Protection
Firewall
Malware

Training

Resources
Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
201 CMR 17.00
http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf
Compliance Building Posts
http://www.compliancebuilding.com/tag/mass-data-privacy-law/

Implications & Best Practices

Implications & Best Practices
Brief Indevus Pharmaceuticals background
201 CMR 17, Rounds 1, 2, and 3
Assessment approach
Assessment results
Final observations

Indevus Pharmaceuticals Background
Focused on development and marketing of drugs in urology and endocrinology
260 staff, including 115 person sales force (Jan 2009)
2 locations: Lexington, MA, and Cranbury NJ
Indevusacquired in Mar 2009, and the Lexington location is being closed by Dec 31, 2009

201 CMR 17 at Indevus
Assessment effort launched Oct, 2008
Re-planned after 14 Nov deadline postponement to 1 May 09
Coordination with acquiring company
Re-replanned after Feb 09 postponement to 2010

Assessment Approach
Does the new law even apply?
What personal information do we have, who has it, and where is it
HR, Finance
Others?
What do we need to have in place?
Policies
“Comprehensive, written information security program”, security policies regarding personal information, annual review
Risk assessment
Practices
Designated information security employee
Identify record locations
Restrict physical access to personal information
Verify 3rd party compliance
Technology
Access control
Encryption
Firewall protection, malware protection
Monitoring
Monitoring and enforcement
Enforcement and disciplinary mechanisms

Assessment Results
Where do we stand?
Policies
Security policy: Exists, but needs augmentation
Risk assessment: Needed to be accomplished for personal information
Practices
Designated information security employee: Already in place
Identify record locations: Needed to be accomplished for personal information
Restrict physical access to personal information: Already in place
Verify 3rd party compliance: Reasonable covered by SAS 70, verification needed
Technology
Access control: Already in place
Encryption: Need to be accomplished for laptops with personal data
Firewall protection, malware protection: Already in place
Monitoring: Already in place
Monitoring and enforcement
Enforcement and disciplinary mechanisms: Needed to be accomplished for PI

Final Observations
Take advantage of synergies with sound IT management practices and other compliance activities
Use both process and technology
Don’t overreact: “… compliance … shall be evaluated taking into account … size, scope, and type of business …. resources available …. amount of stored data ….”
Remember to stay current with evolving systems architecture, business practices, regulatory changes

Sneak Peak of SharePoint Based Compliance Management Solution

10 Key Questions
Do you have policies that apply? Policy - Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely.
Do your business leaders understand the new law? Exposure - Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics.
Are you communicating the changes? Communication - Inform the company staff that the law is coming and request their help in meeting the compliance obligations.
Have you classified your data and systems? Data classification - Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc.
Where is the PI? Discovery - Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.

10 Key Questions (continued)
Do your job descriptions consider PI? Need to know - Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups.
How do you use PI? Lifecycle - Look at your business processes to understand the lifecycle of PI in your enterprise.
Who is administering and enforcing your policies? Administration - Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority.
Do you allow PI on laptops? Technical -Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution.
Got Security? Physical - Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.

Privacy Law Objectives

Objectives Facilitated by SharePoint

Key Compliance Indicators

Questions and Answers
Doug Cornelius Bob Boonstra Sean Megley
Overview of law
Practitioner’s view
Solution Overview

In Closing…
How to get (and share) a copy of today’s slides
Continue the compliance conversation with KMA – pilot the portal!
Next KMA Insights Webinar – watch for invitation:
SharePoint and Enterprise Social Computing
Wednesday, August 26, 12:30 pm
Feedback/survey
Thank you!!! http://www.kma-llc.net

http://www.compliancebuilding.com	77
http://static.slidesharecdn.com	1
http://webcache.googleusercontent.com	1

KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law

by Knowledge Management Associates, LLC on Jul 29, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 79

Statistics

KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law — Presentation Transcript