All companies have the same types of security risks, with small variations. We’ll provide a sample WISP (not legal advice)
Passwords or biometrics
PDA software still limited
You want to comply because you care about your customer data, don&#x2019;t you?
New Massachusetts Data Privacy Regulation
201 CMR 17.00
• When: 3/1/10
• Who: “entity” that stores PI of residents of
• Similar to PCI DSS
• Motivation: avoid another TJ Maxx
Personal Information PI
• First name (or initial) + last name +
• SSN or
• Driver’s license number or
• Account number: credit card, bank account, policy number?, ...
• Any format: paper, electronic, audio, video ...
• User authentication, passwords for: software, computer, laptop, flash drive, ...
• Access control
• Firewalls, antivirus, keep software updated
• Wireless networks must be encrypted
• VPN for remote access
• Email must be encrypted
• Portable devices must be encrypted:
• Laptop hard drive (password not enough)
• iPhone, Blackberry, PDA’s
• Portable (backup) hard drives
• Flash drives
• Fax, telephone, first class mail are compliant
• If not “technically feasible” don’t do it, example: use FedEx instead of email
• No need to encrypt if no PI
• Easiest ➫ no PI
• Example of WISP
• Compliance checklist
• VPN, WPA, firewalls, updates, antivirus, ...
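The PI definition above (name element plus SSN, driver’s license number or account number) and the “no need to encrypt if no PI / easiest is no PI” point both come down to one question: which records in a dataset meet the definition, and what is left once the qualifying identifiers are removed? The following is an added example, not code from the slides or from the regulation; it assumes record column names such as `first_name`, `ssn` and `account_number`, and the SSN and account-number patterns are constructed heuristics for a scoping pass, not a legal determination.

```python
"""Scope a dataset against the 201 CMR 17.00 definition of personal information (PI).

Added example. PI = (first name or initial) + last name, combined with at
least one of: SSN, driver's license number, financial account number.
Field names and regex patterns below are assumptions for illustration.
"""
import re

# Constructed patterns: SSN as 9 digits with optional dashes; account number
# as 8-19 digits once spaces/dashes are stripped (covers card and bank formats).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
ACCOUNT_RE = re.compile(r"^\d{8,19}$")

# Fields that, together with a name element, make the record PI (assumed column names).
IDENTIFIER_FIELDS = ("ssn", "drivers_license", "account_number")


def _field(record, key):
    """Fetch a field as a stripped string; missing or None becomes ''."""
    return str(record.get(key) or "").strip()


def has_name(record):
    """Name element: first name or first initial, plus last name."""
    return bool(_field(record, "first_name")) and bool(_field(record, "last_name"))


def present_identifiers(record):
    """Return the qualifying identifier fields that are actually populated."""
    found = []
    if SSN_RE.match(_field(record, "ssn")):
        found.append("ssn")
    if _field(record, "drivers_license"):  # license formats vary by state; any value counts
        found.append("drivers_license")
    if ACCOUNT_RE.match(re.sub(r"[ -]", "", _field(record, "account_number"))):
        found.append("account_number")
    return found


def is_personal_information(record):
    """PI per the definition: a name element AND at least one identifier."""
    return has_name(record) and bool(present_identifiers(record))


def minimize(record):
    """Drop identifier fields so the record no longer meets the PI definition."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def classify(records):
    """Split a dataset into (pi_records, non_pi_records) for scoping decisions."""
    pi = [r for r in records if is_personal_information(r)]
    non_pi = [r for r in records if not is_personal_information(r)]
    return pi, non_pi


# Constructed sample records (not real people or real identifiers).
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Smith", "ssn": "123-45-6789"},                    # initial + SSN -> PI
    {"first_name": "Ann", "last_name": "Lee", "account_number": "4111 1111 1111 1111"},  # card number -> PI
    {"first_name": "Bob", "last_name": "Ray", "ssn": "not-a-ssn"},                      # name only -> not PI
    {"last_name": "Doe", "ssn": "987-65-4321"},                                         # no first name -> not PI
    {"first_name": "Eve", "last_name": "Kim", "drivers_license": "S12345678"},          # license -> PI
]

if __name__ == "__main__":
    pi, non_pi = classify(SAMPLE_RECORDS)
    print(f"{len(pi)} PI records, {len(non_pi)} non-PI records")
    for r in pi:
        print("  PI:", r["last_name"], present_identifiers(r), "-> minimized:", minimize(r))
```

Running `classify` over an export of a system tells you which stores actually fall under the encryption and access-control requirements; running `minimize` shows what a copy (a report, a test database, an email attachment) looks like once it carries no PI and therefore needs no encryption under the rule.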