
New Massachusetts Data Privacy Regulation


Lightning presentation on 201 CMR 17.00 for Boston Ruby User Group


  1. 201 CMR 17.00
     • slideshare.net/becarreno
     • When: 3/1/10
     • Who: any “entity” that stores PI of residents of the Commonwealth
     • Similar to PCI DSS
     • Motivation: avoid another TJ Maxx
  2. Personal Information (PI)
     • First name (or initial) + last name, combined with one of:
       • SSN, or
       • Driver’s license number, or
       • Account number: credit card, bank account, policy number?, ...
     • Any format: paper, electronic, audio, video, ...
  3. Administrative Requirements
     • WISP (Written Information Security Program)
     • Identify security risks
     • Ways to detect & prevent security failures
     • Designate an Information Security Officer
  4. Technical Requirements
     • User authentication, passwords for: software, computer, laptop, flash drive, ...
     • Access control
     • Firewalls, antivirus, keep software updated
     • Wireless networks must be encrypted
     • VPN for remote access
  5. Technical Requirements
     • Email must be encrypted
     • Portable devices must be encrypted:
       • Laptop hard drive (a password is not enough)
       • iPhone, Blackberry, PDAs
       • Portable (backup) hard drives
       • Flash drives
  6. Technical Requirements
     • Fax, telephone, first class mail are compliant
     • If encryption is not “technically feasible”, don’t do it; example: use FedEx instead of email
     • No need to encrypt if there is no PI
  7. Recommendations
     • Easiest ➫ no PI
     • Example of a WISP
     • Compliance checklist
     • VPN, WPA, firewalls, updates, antivirus, ...
  8. Recommendations
     • TrueCrypt
     • PGP
     • S/MIME
  9. References
     • Full text of Massachusetts 201 CMR 17.00: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
     • Frequently Asked Questions: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
     • Regulation explained and practical steps: http://www.informit.com/articles/article.aspx?p=1433062
  10. References
     • Sample WISP: http://nengroup.com/the-basics/products-andnengroup.com-services/ma-201-cmr-17/mass-201-cmr-17- comprehensive-information-security-program-example
     • Compliance checklist: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
     • Encryption: http://www.truecrypt.org http://www.gnupg.org
  11. Disclaimer
     • I am not a lawyer and this is not legal advice
  12. slideshare.net/becarreno
     • Braulio Carreno
     • @bcarreno
     • bcarreno@gmail.com
     • http://carreno.me
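As an added example for the Ruby audience (not part of the deck), the PI definition from slide 2 applied to records in code, together with the "Easiest: no PI" recommendation from slide 7; the field names and sample records are assumptions, not anything the regulation prescribes.

```ruby
# Added example, not from the slides: apply the 201 CMR 17.00 definition of
# "personal information" (PI) given above to hash records, flag the ones that
# need protection, and strip identifiers for the "Easiest: no PI" approach.
# Field names and sample records are constructed for illustration.
module MassPI
  # Identifiers that, combined with a name, make a record PI.
  ID_FIELDS = %i[ssn drivers_license account_number].freeze

  def self.present?(value)
    !(value.nil? || value.to_s.strip.empty?)
  end

  # Name element: last name plus either a first name or a first initial.
  def self.name?(rec)
    present?(rec[:last_name]) &&
      (present?(rec[:first_name]) || present?(rec[:first_initial]))
  end

  # Regulated identifiers the record carries (empty array if none).
  def self.identifiers(rec)
    ID_FIELDS.select { |field| present?(rec[field]) }
  end

  # PI only when a name is combined with at least one identifier; an SSN
  # alone or a name alone does not meet the definition on slide 2.
  def self.pi?(rec)
    name?(rec) && !identifiers(rec).empty?
  end

  # "Easiest: no PI": copy of the record with every identifier removed, so
  # what is stored falls outside the regulation's scope.
  def self.strip_identifiers(rec)
    rec.reject { |key, _| ID_FIELDS.include?(key) }
  end
end

# Constructed sample records (no real people)
RECORDS = [
  { id: 1, first_name: 'Ann', last_name: 'Lee', ssn: '123-45-6789' },
  { id: 2, first_initial: 'B', last_name: 'Ray', account_number: '4111111111111111' },
  { id: 3, last_name: 'Cole', ssn: '987-65-4321' },                     # no first name/initial
  { id: 4, first_name: 'Dan', last_name: 'Fox', email: 'dan@example.test' }, # no identifier
  { id: 5, ssn: '111-22-3333' }                                         # identifier, no name
].freeze
# IDs of records that must be encrypted or have their identifiers stripped.
def pi_record_ids(records = RECORDS)
  records.select { |rec| MassPI.pi?(rec) }.map { |rec| rec[:id] }
end

puts "PI records: #{pi_record_ids.inspect}" if $PROGRAM_NAME == __FILE__
```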
