MA 201 CMR 17.00 Personal Identity Security

Personal Identity Security “Y2K plus 10” Are You Ready for March 1, 2010? The new MA regulation: 201 CMR 17.00 – Updated and including FTC Red Flag Rules Presented by the: Boston Business Alliance October 27, 2009 – Woburn, MA

Sponsors Facilities/Location Sponsor: Sunbelt Business Sales & Acquisitions Contact: Mariola Andoni Phone: 781-932-7355 www.sunbeltne.com Refreshment Sponsor: Analytix Solutions Contact: Jason Lefter Phone: 781-503-9000 www.analytixsolutions.com Website Sponsor: Techevolution Contact: Corey Tapper Phone: 781-595-2040 www.techevolution.com October 27, 2009 Boston Business Alliance 2

Personal Identity Security – Y2K plus 10 New MA Regulation – 201 CMR 17.00 October 27; 6:30 PM – 8:30 PM – 800 W. Cummings Park, Woburn, MA 6:15 Refreshments and Networking 6:30 Overview – Personal Identity Security & Red Flag (Attorney Dennis Eagan) 6:55 Computer Systems & Technical Security (Matt Pettine, Managing Director) Pettine, 7:20 How you can comply – what to do guidelines (Ray Arpin, Consultant) 7:50 Questions & Answers & Call to Action (speakers) 8:30 Adjourn Speakers and Vendors available for questions October 27, 2009 Boston Business Alliance 3

Speakers Dennis Ford Eagan Dennis Ford Eagan, attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport. Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients in protecting their intellectual property interests. He a member of the Massachusetts Bar Association and the Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00. Matt Pettine Matt has over 20 years of experience in business and best practices in the application of technology. He holds no less than 5 certification in these areas. He fully understands business and how the different functions interrelate, along with the uses technology to compete in today’s business world. He has worked in security and regulatory compliance in MA 201 CMR 17.00, Sarbanes-Oxley, and with other regulations. He is a member of the Information Systems Audit and Control Association. Ray Arpin Ray Arpin has 30 years of experience working with small companies and start-ups, to Fortune 10, Global 2000, state and federal organizations, in a wide variety of industries and segments. His specialty is business process improvement to increase sales and reduces costs, professional services, and regulatory compliance. Most recently, he is focused on helping companies and individuals quickly apply business best practices, and specifically to become compliant with personal identity security regulations and MA 201 CMR 17.00. October 27, 2009 Boston Business Alliance 4

Personal Identity Protection How it started… On August 2, 2007, Governor Deval Patrick approved the Massachusetts Act Relative to Security Freezes and Notification of Data Breaches. One of the most comprehensive Personal Identity Theft Prevention statutes in the country. Three components to the Act: Establishing a right to a request security freeze by consumers on their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A); Requiring notification of security breaches to regulators and affected residents (Mass. Gen. Laws c. 93H); Establishing procedures for destruction and disposal of personal identity information (Mass. Gen. Laws c. 93I). October 27, 2009 Boston Business Alliance 5

Mass. General Law c. 93H Personal Identity Information Under Mass. Gen. Law c. 93H, § 1, the Legislature defined Personal Information as: “A resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: Social Security Number; Driver’s License or State-issued Identification Card Number; State- Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; Provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. October 27, 2009 Boston Business Alliance 6

OCABR – 201 CMR 17.00 Purpose Pursuant to C. 93H, the Department of Consumer Affairs and Business Regulation (OCABR) issued regulations 201 C.M.R. 17.00, regulating persons and businesses maintaining Personal Information, which were revised in August, 2009.. Purpose of the regulations: Establish minimum standards for safeguarding Personal Information contained in both electronic and hard copy records; Insure security and confidential customer information in a manner fully consistent with industry standards; Protect against anticipated threats or hazards to security or integrity of such information; Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. Compliance required by March 1, 2010 (extended by the OCABR from original compliance dates of January 1) October 27, 2009 Boston Business Alliance 7

Business and Individuals 201 C.M.R. 17.00 requires all persons and businesses that own, license, store or maintain Personal Information of any Massachusetts resident. As a result, these regulations cover all employers, professional service providers, and most all businesses that that accept credit or debit cards Also, if you have any employees, you need to protect their Social Security numbers Regulations cover all Personal Information, whether paper, hard copy or electronically stored. Requires covered businesses and person to develop, implement, maintain a comprehensive Written Information Security Program (“WISP”) The WISP may be in one or more accessible parts WISP shall contain administrative, technical and physical safeguards to ensure the security and confidentiality of Personal Information. Targeted to be reasonably consistent with industry practices and consistent with federal regulations October 27, 2009 Boston Business Alliance 8

Written Information Security Program (WISP) Basic required elements for WISP: Designating one or more employees to maintain program; Identify risks and Personal Information intake; Improve safeguards; Limiting access and restricting use and transport; Encryption / Computer system security requirements; Train employees and require compliance; Detecting and preventing failures and documenting response actions; Third party certification of those contracted to maintain or having access to Personal Information; At least annual review. October 27, 2009 Boston Business Alliance 9

WISP Components An effective WISP should contain at minimum: technical safeguards (i.e., encryption, firewalls, password protections); physical safeguards (i.e., locked file cabinets, alarm systems, etc.); administrative safeguards (i.e., limiting access, secure storage and transport, proper destructions and disposal; employee oversight, intake processes, etc.); designation of an employee to oversee the program and initiate annual reviews of the program; procedures to identify risks and threats to the personal information; procedures for on-going compliance and monitoring, including disciplinary on- action for violations; oversight provisions, not only for employees but also third party contractors with access to personal information; and procedures to notify regulators and the affected persons upon any security breach, which may include lost or stolen laptops, misdirected e-mails, e- inadvertent disclosure, access by terminated employees, or hacking and other outside infiltration. October 27, 2009 Boston Business Alliance 10

Disposal of Personal Information Mass. Gen. Laws c. 93I requires minimum standards for disposal of Personal Information so that it may not be practicably read or reconstructed: Paper / Hard copies – Redacted, burned, pulverized or shredded; Electronic / Non-paper – Destroyed or erased Non- Requires care in properly shredding Personal Information, i.e., obtaining written certification from third party services. Requires care in destroying, erasing and disposing of hard drives, laptops, computers, cell phones, and PDAs. October 27, 2009 Boston Business Alliance 11

Enforcement of 201 CMR 17.00 Enforced by the Massachusetts Attorney General. Attorney General may bring action under Mass. Gen. Laws c. 93A, §4: Injunctive relief; Civil penalties not more than $5,000 for each violation Costs of investigation, litigation, including attorney’s fees. Civil liability for any breach / increased duty of care. Mass. Gen. Laws c. 93I (Destruction) – Fines of up to $100 per data subject affected; Not more than $50,000 for each instance of improper disposal. October 27, 2009 Boston Business Alliance 12

Federal Trade Commission Red Flag Rules Enforced by the U.S. Federal Trade Commission Effective November 1, 2009 Red Flag Rules require many businesses to develop and implement written identity theft programs to identify, detect and respond to “red flags” of identity theft The Red Flag Rules apply to financial institutions and “creditors,” i.e. all businesses that extend credit to clients. For purposes of the Red Flag Rules the term “creditors” as: “any person who regularly extends, renews, or continues credit” which is defined as, the “right granted … to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.” therefor.” October 27, 2009 Boston Business Alliance 13

Red Flag - Creditors This broad definition of “creditor” subject to the Red Flag Rules includes any business that provides its goods and services to a client or customer before accepting payment. This may include many service providers: broker- broker-dealers, investment advisers, health care providers; attorneys; accountants; IT professionals; Cleaning service companies; Landscapers retailers, mortgage brokers, car dealers, and other organizations that arrange loans or extend consumer credit; AND many other professional and consumer service providers, who bill clients rather than accepting full payment at the time of service. October 27, 2009 Boston Business Alliance 14

Red Flag & Identity Theft All businesses and entities covered by the Red Flag Rules must adopt and implement an Identity Theft Prevention Program, which must, at minimum: Identify potential Red Flags, or suspicious patterns, specific activities or practices that indicate potential threats for identity theft, that come about in course of business for incoming or existing client accounts; Detect Red Flags that are identified, i.e., procedures to detect and respond to fraudulent identification; Implement appropriate response actions to detected Red Flags; and Periodically and not less than annual review the program. October 27, 2009 Boston Business Alliance 15

Red Flag Penalties Subject to FTC investigations and enforcement actions. May include civil penalties up to $3,500 per violation and injunctive relief. Presently, the Red Flag Rules do not include a private right of action to consumers, but there is a complaint procedure to the FTC. Violations may establish a prima facie case of negligence or intentional misconduct in a civil suit by an affected consumer. October 27, 2009 Boston Business Alliance 16

Possible Implications and Why be Concerned? Applicability – if your organization obtains personal identity information from MA residents, you MUST comply Personal Identity Information – credit card, driver license, or SS numbers Possible Fines – $5,000 per occurrence, and/or per person effected or compromised Past Problems – TJX, Hannaford, {others; reference recent articles} Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft? Unauthorized or Unknown Access – Who can get their hands on PI info? Employees, contractors, suppliers, customers How do you know the info is safe? Other Regulations – do you have to comply with HIPPA, Sarbanes-Oxley, etc.? Sarbanes- 201 CMR 17.00 actual requires more and different compliance than other regulations. Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements? Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators. October 27, 2009 Boston Business Alliance 17

Computer System Security Regulation includes specific requirements related to computer system security Authentication Encryption Access Controls Firewalls & OS Patches Data Transmission Viruses & Malware Monitoring Training October 27, 2009 Boston Business Alliance 18

Computer System Security Authentication Control of User Accounts “Control of IDs” “Reasonably secure passwords” Control of password security Restrict access to active users Block access after multiple attempts October 27, 2009 Boston Business Alliance 19

Computer System Security Access Controls Restrict access to those who “need to know” to perform their jobs File system security / permissions Third- Third-party tools available Assign IDs and passwords Unique (not shared) “Not vendor supplied defaults” October 27, 2009 Boston Business Alliance 20

Computer System Security Data Transmission Encryption of transmitted data “Where technically feasible” Web Sites (SSL / https) Email (PGP / 3rd party services) Remote Access Solutions Online Service Providers Wireless (“All Data”) October 27, 2009 Boston Business Alliance 21

Computer System Security Monitoring “Reasonable monitoring of systems for unauthorized use of or access to personal information” Intrusion Detection Application Logs Server Firewalls Network Security Logs File System Auditing October 27, 2009 Boston Business Alliance 22

Computer System Security Encryption of Personal Information Stored on Portable Devices Laptops Encryption vs. Passwords File-based vs. Entire Laptop File- Operating System vs. Third Party Solutions “Other Devices” Portable Hard Drives (USB devices) Backup Media CDs, DVDs, Blackberries, PDAs October 27, 2009 Boston Business Alliance 23

Computer System Security Firewalls & OS Patches Firewall Protection “Reasonably up-to-date” up-to- Vendor supported and routinely updated Operating System Security Patches Automatic update features Servers & workstations User considerations October 27, 2009 Boston Business Alliance 24

Computer System Security Viruses & Malware “Reasonably up-to-date versions” up-to- “Must include malware protection” Supported by vendor Up-to-date patches and definitions Up-to- “Set to receive the most current security updates on a regular basis” October 27, 2009 Boston Business Alliance 25

Computer System Security “Education and training of employees on the proper use of the computer security system and the importance of personal information security.” New hire orientation Specific routine organizational efforts October 27, 2009 Boston Business Alliance 26

Possible Implications and Why be Concerned? Applicability – if your organization obtains personal identity information from MA residents, you MUST comply Personal Identity Information – credit card, driver license, or SS numbers Possible Fines – $5,000 per occurrence, and/or per person effected or compromised Past Problems – TJX, Hannaford, {others; reference recent articles} Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft? Unauthorized or Unknown Access – Who can get their hands on PI info? Employees, contractors, suppliers, customers How do you know the info is safe? Other Regulations – do you have to comply with HIPPA, Sarbanes-Oxley, etc.? Sarbanes- 201 CMR 17.00 actual requires more and different compliance than other regulations. Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements? Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators. October 27, 2009 Boston Business Alliance 27

How to Comply with 201 CMR 17.00 We will go into more detail on each bullet point Assess your current situation Create a detailed WISP Establish processes and procedures Notifications of any security breach Other Good Business Practices Education & Training Estimated cost of compliance Opportunities for savings Free limited assessment October 27, 2009 Boston Business Alliance 28

Dave’s Top 10 10 - Your login screen says ‘Win XP’ 9 - I will sleep better 8 - My inbox is full of SPAM and I can’t find anything 7 - My passwords include: ‘password’, ’null’ (no password) ‘sa’, ‘admin’, ‘asdf1234’, ‘root’, or my name 6 - My computer and the internet takes forever! #@$%&’ or, ‘My computer takes forever to boot up! 5 - A customer asked me about this new law the other day, and if we were compliant? 4 - My insurance company was asking about this new data law 3 - My credit card processors mentioned something about an $880,000 fine for TJX stores 2 - My lawyer mentioned something about not only fines, but other legal suits and more costs 1 - It’s not only the law and I don’t want to be fined or sued; but it is just good business! October 27, 2009 Boston Business Alliance 29

Assess Information Security Overall approach Identify gaps between your operations and the regulation Identify areas for potential risks Paper and electronic List specific action items for corrective measures Facilities and equipment, etc. Are your facilities locked and secured? Are any computers allowed to leave the premises? Are your network connections completely secure? How is personal identity info handled today? Paper and electronic Who has access vs. a need to know or handle? See audit/assessment spreadsheet October 27, 2009 Boston Business Alliance 30

Create a Detailed WISP Written Information Security Program (WISP) General headings and categories Specific detail of Processes and procedures to follow to: Protect Personal Identity (PI) Take in the case of a breach (loss of PI) Prepare supporting documents and templates Additional guidelines are available from the Mass.gov website – see www.BostonBusinessAlliance.com for links Example start of a WISP October 27, 2009 Boston Business Alliance 31

Establish Process & Procedures Establish and then test all processes and procedures to make sure they work Add details as needed These documents will be part of an audit Bridge any gaps in your assessment Implement electronic security and protection Train all employees, including annual re-training re- Annual audits and reviews are required by the regulation October 27, 2009 Boston Business Alliance 32

Required Notifications In the case of ANY potential security breach, you are required to notify MA OCABR MA AG office {link to sample letter} {link letter} Each MA resident that you have any personal identity information {link to sample letter} {link letter} Other entities Credit card processing companies Employees … October 27, 2009 Boston Business Alliance 33

Other Good Business Practices Put a compliance statement on your website Make sure that you do comply! Notify any of your partners, vendors, or suppliers that they MUST comply if they access any of your PI information for MA residents Ask them for a statement of compliance Example of MA IT Contractor Certification October 27, 2009 Boston Business Alliance 34

Education and Training “Education and training of employees on the proper use of the computer security system and the importance of personal information security.” New hire orientation Specific routine organizational efforts What to do if they experience any potential security risk or problem October 27, 2009 Boston Business Alliance 35

Estimated Cost of Compliance 30000 25000 20000 15000 One time Recurring 10000 Total 5000 Options: 0 1 Potential High Cost OCABR Real Worst world Case 2 Possible Outsource 3 OCABR Estimates* Based on OCABR estimates for: 10 person business with 3 laptops and 4 Do it yourself?? 1 network server, serving 7 desktops 5 Yourself & Expert October 27, 2009 Boston Business Alliance 36

Back Up Cost Information* 1 Server, 3 laptops, 7 desktops OCABR Real World Cost Worst Case One Time Recurring One Time Recurring` One Time Recurring Hardware (New PC's) $3,750 $7,500 Software $1,000 $1,000 Professional Service (WISP,audit,apply patches, instal s/w) $500 $3,000 $750 $3,000 $750 Training $250 $500 "Systems Complaince" $3,000 "Data Audit and Compliance" $1,000 $4,000 $6,000 $8,000 $9,000 $11,500 $15,000 Total $10,000 $17,000 $26,500 * OCABR assumption is the ‘business’ would already have retained such a consultant to monitor and maintain the current installation and software in connection with protecting the company’s own, and customer, information. October 27, 2009 Boston Business Alliance 37

Opportunities for savings Hire professionals Make sure they cover the entire regulation Or you know the regulation well to be selective Appropriately scope and estimate effort Negotiate responsibilities and resources Other options: Research and learn all the requirements and nuances Use the ‘legalzoom’ approach Use free and open source software Leverage your current investment A sound business decision to combine various options with some outside help October 27, 2009 Boston Business Alliance 38

Free Limited Assessment Arpin Consulting will provide a free, limited, one-hour 201 CMR one- 17.00 compliance audit for any attendees; including sole proprietors, businesses, and organizations Focus: Specific processes and procedures required to ensure compliance High level electronic information security (PCs, network, etc.) Deliverables: An assessment of potential risks or problems that may interfere with compliance An assessment of electronic information, specifically, high level, network and computer security A Preliminary Report that will point out potential problems, suggested corrective actions, and any urgent items to meet the March 1, 2010 1, deadline You decide what you will do with the report Do it yourself; assign it to someone; hire someone; or a mix Security Compliance Audit information - handouts Contact to schedule your free assessment: Ray Arpin, 617-435-1159, email: Ray@RayArpin.com Bob Carroll, 617-314-9813, email: Bob@Bob-Carroll.com October 27, 2009 Boston Business Alliance 39

Questions & Answers & Call to Action Will you be ready for March 1, 2010? Is your customer personal identity information really protected for loss or theft? Are all your facilities, computers, network, and files adequately protected, by law? October 27, 2009 Boston Business Alliance 40

Sponsors Facilities/Location Sponsor: Sunbelt Business Sales & Acquisitions Contact: Mariola Andoni Phone: 781-932-7355 www.sunbeltne.com Refreshment Sponsor: Analytix Solutions Contact: Jason Lefter Phone: 781-503-9000 www.analytixsolutions.com Website Sponsor: Techevolution Contact: Corey Tapper Phone: 781-595-2040 www.techevolution.com October 27, 2009 Boston Business Alliance 41

Closing and Adjourn Reminder about Boston Business Alliance Visit website for suggesting Hot Topics for these type of meetings Invite other small business owners and peers who might benefit Register for future meetings Ask us to put your name on our email list to be notified of future meetings and events Evaluation form Please complete and leave on the table going out so that we can continuously improve October 27, 2009 Boston Business Alliance 42

Contact Information Boston Business Alliance www.BostonBusinessAlliance.com See website for additional Contact and Member information Attorney Dennis Ford Eagan Finneran & Nicholson, PC -- www.FinneranNicholson.com 978-462- 978-462-1514 – Email: Dennis@FinNic.com Matt Pettine MFA - Moody, Famiglietti & Andronico, LLP – www.MFA-CPA.com www.MFA- 978-557- 978-557-5300 – Email: MPettine@MFACornerstone.com Ray Arpin Arpin Consulting – www.RayArpin.com 617-435- 617-435-1159 – Email: Ray@RayArpin.com See our website and handouts for other contacts, along with information on 201 CMR, the BBA, and our sponsors www.BostonBusinessAlliance.com Feel free to pick up any of the handouts on the table. October 27, 2009 Boston Business Alliance 43

MA 201 CMR 17.00 Personal Identity Security

by Ray Arpin on Nov 06, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 22

Statistics

MA 201 CMR 17.00 Personal Identity Security — Presentation Transcript