Personal Identity Security* “Y2K plus 10” Are You Ready for January 1, 2010? * First in a series of Informational Breakfast Events with topics of timely and valuable information for small business owners and organization leaders AUGUST 4, 2009 – Woburn, MA Presented by the: Boston Business Alliance The new MA regulation: 201 CMR 17.00

Sponsors Website Sponsor: Techevolution Contact: Corey Tapper Phone: 781-595-2040 www.techevolution.com Facilities/Location Sponsor: Sunbelt Business Sales & Acquisitions Contact: Mariola Andoni Phone: 781-932-7355 www.sunbeltne.com Refreshment Sponsor: Analytix Solutions Contact: Jason Lefter Phone: 781-503-9000 www.analytixsolutions.com

Agenda Overview and Implications Attorney Dennis Ford Eagan MA Regulation 201 CMR 17.00 Dennis Ford Eagan and Ray Arpin How you can comply – what to do guidelines Ray Arpin and Matt Pettine Questions & Answers and Call to Action

Overview and Implications

Attorney Dennis Ford Eagan

MA Regulation 201 CMR 17.00

Dennis Ford Eagan and Ray Arpin

How you can comply – what to do guidelines

Ray Arpin and Matt Pettine

Questions & Answers and Call to Action

Moderator and Speakers Dennis Ford Eagan Dennis Ford Eagan, attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport. Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients in protecting their intellectual property interests. He a member of the Massachusetts Bar Association and the Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00. Ray Arpin Ray Arpin has 30 years of experience working with small companies and start-ups, to Fortune 10, Global 2000, state and federal organizations, in a wide variety of industries and segments. His specialty is business process improvement to increase sales and reduces costs, professional services, and regulatory compliance. Most recently, he is focused on helping companies and individuals quickly apply business best practices, and specifically to become compliant with personal identity security regulations and MA 201 CMR 17.00. Matt Pettine Matt has over 20 years of experience in business and best practices in the application of technology. He holds no less than 5 certification in these areas. He fully understands business and how the different functions interrelate, along with the uses technology to compete in today’s business world. He has worked in security and regulatory compliance in MA 201 CMR 17.00, Sarbanes-Oxley, and with other regulations. He is a member of the Information Systems Audit and Control Association. Steven Stanganelli – Moderator Steve Stanganelli is a five-star rated, board-certified financial planning professional with over 20 years of experience coaching individuals and businesses on ways to improve and protect their personal or business bottom line. His practice encompasses investment management as well as asset protection strategies for business owners and professionals. He is a published author, been quoted extensively at www.BankRate.com, and has appeared on TV as a subject matter expert guest on “Your Money ABCs.” He is a member of the Financial Planning Association, CFP Board of Standards, and serves the Merrimack Valley Estate Planning Council.

Personal Identity Protection How it started… On August 2, 2007, Governor Deval Patrick approved the Massachusetts Act Relative to Security Freezes and Notification of Data Breaches. One of the most comprehensive Personal Identity Theft Prevention statutes in the country. Three components to the Act: Establishing a right to a request security freeze by consumers on their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A); Requiring notification of security breaches to regulators and affected residents (Mass. Gen. Laws c. 93H); Establishing procedures for destruction and disposal of personal identity information (Mass. Gen. Laws c. 93I).

On August 2, 2007, Governor Deval Patrick approved the Massachusetts Act Relative to Security Freezes and Notification of Data Breaches.

One of the most comprehensive Personal Identity Theft Prevention statutes in the country.

Three components to the Act:

Establishing a right to a request security freeze by consumers on their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A);

Requiring notification of security breaches to regulators and affected residents (Mass. Gen. Laws c. 93H);

Establishing procedures for destruction and disposal of personal identity information (Mass. Gen. Laws c. 93I).

Mass. General Law c. 93H Personal Identity Information Under Mass. Gen. Law c. 93H, § 1, the Legislature defined Personal Information as : “ A resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: Social Security Number; Driver’s License or State-issued Identification Card Number; Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; Provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Under Mass. Gen. Law c. 93H, § 1, the Legislature defined Personal Information as :

“ A resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:

Social Security Number;

Driver’s License or State-issued Identification Card Number;

Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;

Provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

OCABR – 201 CMR 17.00 Purpose Pursuant to C. 93H, the Department of Consumer Affairs and Business Regulation (OCABR) issued regulations 201 C.M.R. 17.00, regulating persons and businesses maintaining Personal Information. Purpose of the regulations: Insure security and confidential customer information in a manner fully consistent with industry standards; Protect against anticipated threats or hazards to security or integrity of such information; Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. Compliance required by January 1, 2010 (previously extended by the OCABR from original compliance date of January 1, 2009)

Pursuant to C. 93H, the Department of Consumer Affairs and Business Regulation (OCABR) issued regulations 201 C.M.R. 17.00, regulating persons and businesses maintaining Personal Information.

Purpose of the regulations:

Insure security and confidential customer information in a manner fully consistent with industry standards;

Protect against anticipated threats or hazards to security or integrity of such information;

Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Compliance required by January 1, 2010 (previously extended by the OCABR from original compliance date of January 1, 2009)

Business and Individuals 201 C.M.R. 17.00 requires all persons and businesses that own, license, store or maintain Personal Information of any Massachusetts resident. As a result, these regulations cover all employers, professional service providers, and most all businesses that that accept credit or debit cards Also, if you have any employees, you need to protect their Social Security numbers Regulations cover all Personal Information, whether paper, hard copy or electronically stored. Requires covered businesses and person to develop, implement, maintain a comprehensive Written Information Security Program (“WISP”). WISP shall contain administrative, technical and physical safeguards to ensure the security and confidentiality of Personal Information. Targeted to be reasonably consistent with industry practices and consistent with federal regulations

201 C.M.R. 17.00 requires all persons and businesses that own, license, store or maintain Personal Information of any Massachusetts resident.

As a result, these regulations cover all employers, professional service providers, and most all businesses that that accept credit or debit cards

Also, if you have any employees, you need to protect their Social Security numbers

Regulations cover all Personal Information, whether paper, hard copy or electronically stored.

Requires covered businesses and person to develop, implement, maintain a comprehensive Written Information Security Program (“WISP”).

WISP shall contain administrative, technical and physical safeguards to ensure the security and confidentiality of Personal Information.

Targeted to be reasonably consistent with industry practices and consistent with federal regulations

Written Information Security Program (WISP) Basic required elements for WISP: Designating one or more employees to maintain program; Identify risks and Personal Information intake; Improve safeguards; Limiting access and restricting use and transport; Encryption / Computer system security requirements; Train employees and require compliance; Detecting and preventing failures and documenting response actions; Third party certification of those contracted to maintain or having access to Personal Information; At least annual review.

Basic required elements for WISP:

Designating one or more employees to maintain program;

Identify risks and Personal Information intake;

Improve safeguards;

Limiting access and restricting use and transport;

Encryption / Computer system security requirements;

Train employees and require compliance;

Detecting and preventing failures and documenting response actions;

Third party certification of those contracted to maintain or having access to Personal Information;

At least annual review.

Disposal of Personal Information Mass. Gen. Laws c. 93I requires minimum standards for disposal of Personal Information so that it may not be practicably read or reconstructed: Paper / Hard copies – Redacted, burned, pulverized or shredded; Electronic / Non-paper – Destroyed or erased Requires care in properly shredding Personal Information, i.e., obtaining written certification from third party services. Requires care in destroying, erasing and disposing of hard drives, laptops, computers, cell phones, and PDAs.

Mass. Gen. Laws c. 93I requires minimum standards for disposal of Personal Information so that it may not be practicably read or reconstructed:

Paper / Hard copies – Redacted, burned, pulverized or shredded;

Electronic / Non-paper – Destroyed or erased

Requires care in properly shredding Personal Information, i.e., obtaining written certification from third party services.

Requires care in destroying, erasing and disposing of hard drives, laptops, computers, cell phones, and PDAs.

Enforcement of 201 CMR 17.00 Enforced by the Massachusetts Attorney General. Attorney General may bring action under Mass. Gen. Laws c. 93A, §4: Injunctive relief; Civil penalties not more than $5,000 for each violation Costs of investigation, litigation, including attorney’s fees. Civil liability for any breach / increased duty of care. Mass. Gen. Laws c. 93I (Destruction) – Fines of up to $100 per data subject affected; Not more than $50,000 for each instance of improper disposal.

Enforced by the Massachusetts Attorney General.

Attorney General may bring action under Mass. Gen. Laws c. 93A, §4:

Injunctive relief;

Civil penalties not more than $5,000 for each violation

Costs of investigation, litigation, including attorney’s fees.

Civil liability for any breach / increased duty of care.

Mass. Gen. Laws c. 93I (Destruction) –

Fines of up to $100 per data subject affected;

Not more than $50,000 for each instance of improper disposal.

Possible Implications and Why be Concerned? Applicability – if your organization obtains personal identity information from MA residents, you MUST comply Personal Identity Information – credit card, driver license, or SS numbers Possible Fines – $5,000 per occurrence, and/or per person effected or compromised Past Problems – TJX, Hannaford, {others; reference recent articles} Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft? Unauthorized or Unknown Access – Who can get their hands on PI info? Employees, contractors, suppliers, customers How do you know the info is safe? Other Regulations – do you have to comply with HIPPA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actual requires more and different compliance than other regulations. Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements? Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators.

Applicability – if your organization obtains personal identity information from MA residents, you MUST comply

Personal Identity Information – credit card, driver license, or SS numbers

Possible Fines – $5,000 per occurrence, and/or per person effected or compromised

Past Problems – TJX, Hannaford, {others; reference recent articles}

Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft?

Unauthorized or Unknown Access – Who can get their hands on PI info?

Employees, contractors, suppliers, customers

How do you know the info is safe?

Other Regulations – do you have to comply with HIPPA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actual requires more and different compliance than other regulations.

Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements?

Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators.

How to Comply with 201 CMR 17.00 Assess your current situation Create a detailed WISP Establish detailed information security processes and procedures Notify key parties of any security breach Other Good Business Practices Computer and Electronic Security Aspects We will go into more detail on each bullet point

Assess your current situation

Create a detailed WISP

Establish detailed information security processes and procedures

Notify key parties of any security breach

Other Good Business Practices

Computer and Electronic Security Aspects

Dave’s Top 10 10 - Your login screen says ‘Win XP’ 9 - I will sleep better 8 - My inbox is full of SPAM and I can’t find anything 7 - My passwords include: ‘password’, ’null’ (no password) ‘sa’, ‘admin’, ‘asdf1234’, ‘root’, or my name 6 - My computer and the internet takes forever! #@$%&’ or, ‘My computer takes forever to boot up! 5 - A customer asked me about this new law the other day, and if we were compliant? 4 - My insurance company was asking about this new data law 3 - My credit card processors mentioned something about an $880,000 fine for TJX stores 2 - My lawyer mentioned something about not only fines, but other legal suits and more costs 1 - It’s not only the law and I don’t want to be fined or sued; but it is just good business!

10 - Your login screen says ‘Win XP’

9 - I will sleep better

8 - My inbox is full of SPAM and I can’t find anything

7 - My passwords include: ‘password’, ’null’ (no password) ‘sa’, ‘admin’, ‘asdf1234’, ‘root’, or my name

6 - My computer and the internet takes forever! #@$%&’ or, ‘My computer takes forever to boot up!

5 - A customer asked me about this new law the other day, and if we were compliant?

4 - My insurance company was asking about this new data law

3 - My credit card processors mentioned something about an $880,000 fine for TJX stores

2 - My lawyer mentioned something about not only fines, but other legal suits and more costs

1 - It’s not only the law and I don’t want to be fined or sued; but it is just good business!

Assess Information Security Overall approach Identify gaps between your operations and the regulation Identify areas for potential risks Paper and electronic List specific action items for corrective measures Facilities and equipment, etc. Are your facilities locked and secured? Are any computers allowed to leave the premises? Are your network connections completely secure? How is personal identity info handled today? Paper and electronic Who has access vs. a need to know or handle? See audit/assessment spreadsheet

Overall approach

Identify gaps between your operations and the regulation

Identify areas for potential risks

Paper and electronic

List specific action items for corrective measures

Facilities and equipment, etc.

Are your facilities locked and secured?

Are any computers allowed to leave the premises?

Are your network connections completely secure?

How is personal identity info handled today?

Paper and electronic

Who has access vs. a need to know or handle?

Create a Detailed WISP General headings and categories Specific detail of Processes and procedures to follow to: Protect Personal Identity (PI) Take in the case of a breach (loss of PI) Prepare supporting documents and templates Additional guidelines are available from the Mass.gov website – see www.BostonBusinessAlliance.com for links Written Information Security Program (WISP) Example start of a WISP

General headings and categories

Specific detail of

Processes and procedures to follow to:

Protect Personal Identity (PI)

Take in the case of a breach (loss of PI)

Prepare supporting documents and templates

Additional guidelines are available from the Mass.gov website – see www.BostonBusinessAlliance.com for links

Establish Process & Procedures Establish and then test all processes and procedures to make sure they work Add details as needed These documents will be part of an audit Bridge any gaps in your assessment Implement electronic security and protection Train all employees, including annual re-training Annual audits and reviews are required by the regulation

Establish and then test all processes and procedures to make sure they work

Add details as needed

These documents will be part of an audit

Bridge any gaps in your assessment

Implement electronic security and protection

Train all employees, including annual re-training

Annual audits and reviews are required by the regulation

Required Notifications In the case of ANY potential security breach, you are required to notify MA OCABR MA AG office { link to sample letter and handouts } Each MA resident that you have any personal identity information { link to sample letter and handouts } Other entities Credit card processing companies Employees …

In the case of ANY potential security breach, you are required to notify

MA OCABR

MA AG office { link to sample letter and handouts }

Each MA resident that you have any personal identity information { link to sample letter and handouts }

Other entities

Credit card processing companies

Employees

…

Other Good Business Practices Put a compliance statement on your website Make sure that you do comply! Notify any of your partners, vendors, or suppliers that they MUST comply if they access any of your PI information for MA residents Ask them for a statement of compliance Example of MA IT Contractor Certification

Put a compliance statement on your website

Make sure that you do comply!

Notify any of your partners, vendors, or suppliers that they MUST comply if they access any of your PI information for MA residents

Ask them for a statement of compliance

Computer System Security Regulation includes specific requirements related to computer system security Authentication – Encryption Access Controls – Firewalls and related Data Transmission – Viruses & Malware Monitoring – Training

Regulation includes specific requirements related to computer system security

Authentication – Encryption

Access Controls – Firewalls and related

Data Transmission – Viruses & Malware

Monitoring – Training

Authentication Control of User Accounts “Control of IDs” “Reasonably secure passwords” Control of password security Restrict access to active users Block access after multiple attempts

Control of User Accounts

“Control of IDs”

“Reasonably secure passwords”

Control of password security

Restrict access to active users

Block access after multiple attempts

Access Controls Restrict access to those who “need to know” to perform their jobs File system security / permissions Third-party tools available Assign IDs and passwords Unique (not shared) “Not vendor supplied defaults” Immediately remove access if they leave or are terminated

Restrict access to those who “need to know” to perform their jobs

File system security / permissions

Third-party tools available

Assign IDs and passwords

Unique (not shared)

“Not vendor supplied defaults”

Immediately remove access if they leave or are terminated

Data Transmission Encryption of transmitted data “Where technically feasible” Web Sites (SSL / https) Email (PGP / 3 rd party services) Remote Access Solutions Online Service Providers Wireless (“All Data”)

Encryption of transmitted data

“Where technically feasible”

Web Sites (SSL / https)

Email (PGP / 3 rd party services)

Remote Access Solutions

Online Service Providers

Wireless (“All Data”)

Monitoring “Reasonable monitoring of systems for unauthorized use of or access to personal information” Intrusion Detection Application Logs Server Firewalls Network Security Logs File System Auditing

“Reasonable monitoring of systems for unauthorized use of or access to personal information”

Intrusion Detection

Application Logs

Server Firewalls

Network Security Logs

File System Auditing

Encryption Laptops Encryption vs. Passwords File-based vs. Entire Laptop Operating System vs. Third Party Solutions “ Other Devices” Portable Hard Drives (USB devices) Backup Media CDs, DVDs, Blackberries, PDAs

Laptops

Encryption vs. Passwords

File-based vs. Entire Laptop

Operating System vs. Third Party Solutions

“ Other Devices”

Portable Hard Drives (USB devices)

Backup Media

CDs, DVDs, Blackberries, PDAs

Firewalls and Operating Systems Firewall Protection “Reasonably up-to-date” Vendor supported and routinely updated Operating System Security Patches Automatic update features Servers & workstations User considerations

Firewall Protection

“Reasonably up-to-date”

Vendor supported and routinely updated

Operating System Security Patches

Automatic update features

Servers & workstations

User considerations

Viruses and Malware “Reasonably up-to-date versions” “Must include malware protection” Supported by vendor Up-to-date patches and definitions “Set to receive the most current security updates on a regular basis”

“Reasonably up-to-date versions”

“Must include malware protection”

Supported by vendor

Up-to-date patches and definitions

“Set to receive the most current security updates on a regular basis”

Education and Training “Education and training of employees on the proper use of the computer security system and the importance of personal information security.” New hire orientation Specific routine organizational efforts What to do if they experience any potential security risk or problem

“Education and training of employees on the proper use of the computer security system and the importance of personal information security.”

New hire orientation

Specific routine organizational efforts

What to do if they experience any potential security risk or problem

Estimated Cost of Compliance Based on OCABR estimates for: 10 person business with 3 laptops and 1 network server, serving 7 desktops Options: 1 Potential High Cost 2 Possible Outsource 3 OCABR Estimates* 4 Do it yourself?? 5 Yourself & Expert

Back Up Cost Information* * OCABR assumption is the ‘business’ would already have retained such a consultant to monitor and maintain the current installation and software in connection with protecting the company’s own, and customer, information.

Opportunities for savings Hire professionals Make sure they cover the entire regulation Or you know the regulation well to be selective Appropriately scope and estimate effort Negotiate responsibilities and resources Other options: Research and learn all the requirements and nuances Use the ‘legalzoom’ approach Use free and open source software Leverage your current investment A sound business decision to combine various options with some outside help

Hire professionals

Make sure they cover the entire regulation

Or you know the regulation well to be selective

Appropriately scope and estimate effort

Negotiate responsibilities and resources

Other options:

Research and learn all the requirements and nuances

Use the ‘legalzoom’ approach

Use free and open source software

Leverage your current investment

A sound business decision to combine various options with some outside help

Free Limited Assessment Arpin Consulting will provide a free, limited, one-hour 201 CMR 17.00 compliance assessment for any attendees Focus: Specific processes and procedures required to ensure compliance High level electronic information security (PCs, network, etc.) Deliverables: An assessment of potential risks or problems that may interfere with compliance An assessment of electronic information, specifically, high level, network and computer security A Preliminary Report that will point out potential problems, suggested corrective actions, and any urgent items to meet the January 1, 2010 deadline You decide what you will do with the report Do it yourself; assign it to someone; hire someone; or a mix Security Compliance Audit information - handouts Contact to schedule your free assessment: Ray Arpin, 617-435-1159, email: [email_address] Bob Carroll, 617-314-9813, email: [email_address]

Arpin Consulting will provide a free, limited, one-hour 201 CMR 17.00 compliance assessment for any attendees

Focus:

Specific processes and procedures required to ensure compliance

High level electronic information security (PCs, network, etc.)

Deliverables:

An assessment of potential risks or problems that may interfere with compliance

An assessment of electronic information, specifically, high level, network and computer security

A Preliminary Report that will point out potential problems, suggested corrective actions, and any urgent items to meet the January 1, 2010 deadline

You decide what you will do with the report

Do it yourself; assign it to someone; hire someone; or a mix

Security Compliance Audit information - handouts

Questions & Call to Action Moderator: Steven Stanganelli If necessary, the moderator or speakers will suggest taking the question “off line” (after the Q&A) for a more detailed answers Speakers, BBA Members, and Security Consultants/Vendors will be available after the meeting for a limited time

Moderator: Steven Stanganelli

If necessary, the moderator or speakers will suggest taking the question “off line” (after the Q&A) for a more detailed answers

Speakers, BBA Members, and Security Consultants/Vendors will be available after the meeting for a limited time

Sponsors Website Sponsor: Techevolution Contact: Corey Tapper Phone: 781-595-2040 www.techevolution.com Facilities/Location Sponsor: Sunbelt Business Sales & Acquisitions Contact: Mariola Andoni Phone: 781-932-7355 www.sunbeltne.com Refreshment Sponsor: Analytix Solutions Contact: Jason Lefter Phone: 781-503-9000 www.analytixsolutions.com

Closing and Adjourn Reminder about Boston Business Alliance Visit website for suggesting Hot Topics for these type of meetings Invite other small business owners and peers who might benefit Register for future meetings Ask us to put your name on our email list to be notified of future meetings and events Evaluation form Please complete and leave on the table going out so that we can continuously improve

Reminder about Boston Business Alliance

Visit website for suggesting Hot Topics for these type of meetings

Invite other small business owners and peers who might benefit

Register for future meetings

Ask us to put your name on our email list to be notified of future meetings and events

Evaluation form

Please complete and leave on the table going out so that we can continuously improve

Contact Information Boston Business Alliance www.BostonBusinessAlliance.com See website for additional Contact and Member information Attorney Dennis Ford Eagan Finneran & Nicholson, PC -- www.finnerannicholson.com 978-462-1514 – Email: [email_address] Ray Arpin Arpin Consulting – www.rayarpin.com 617-435-1159 – Email: [email_address] Matt Pettine MFA - Moody, Famiglietti & Andronico, LLP – www.mfa-cpa.com 978-557-5300 – Email: [email_address] See our website and handouts for other contacts, along with information on 201 CMR, the BBA, and our sponsors www.BostonBusinessAlliance.com Feel free to pick up any of the handouts on the table.

Boston Business Alliance

www.BostonBusinessAlliance.com

See website for additional Contact and Member information

Attorney Dennis Ford Eagan

Finneran & Nicholson, PC -- www.finnerannicholson.com

978-462-1514 – Email: [email_address]

Ray Arpin

Arpin Consulting – www.rayarpin.com

617-435-1159 – Email: [email_address]

Matt Pettine

MFA - Moody, Famiglietti & Andronico, LLP – www.mfa-cpa.com

978-557-5300 – Email: [email_address]

See our website and handouts for other contacts, along with information on 201 CMR, the BBA, and our sponsors

www.BostonBusinessAlliance.com