New Massachusetts Data Privacy Regulation

201 CMR 17.00
• slideshare.net/becarreno
• When: 3/1/10
• Who: “entity” that stores PI of residents of the Commonwealth
• Similar to PCI DSS
• Motivation: avoid another TJ Maxx
Personal Information PI
• First name (or initial) + last name +
 • SSN or
 • Driver’s license number or
 • Account number: credit card, bank account, policy number?, ...
• Any format: paper, electronic, audio, video ...
Administrative Requirements
• WISP
• Identify security risks
• Ways to detect & prevent security failures
• Designate Information Security Officer
Technical Requirements
• User authentication, passwords for: software, computer, laptop, flash drive, ...
• Access control
• Firewalls, antivirus, keep software updated
• Wireless networks must be encrypted
• VPN for remote access
Technical Requirements
• Email must be encrypted
• Portable devices must be encrypted:
 • Laptop hard drive (password not enough)
 • iPhone, Blackberry, PDAs
 • Portable (backup) hard drives
 • Flash drives
Technical Requirements
• Fax, telephone, first class mail are compliant
• If encryption is not “technically feasible”, don’t send it that way; example: use FedEx instead of email
• No need to encrypt if no PI
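The PI definition on the “Personal Information” slide and the “no need to encrypt if no PI” point above amount to a scoping test: a record is in scope only when a name is stored together with one of the triggering identifiers. The following is an added example, not part of the deck, that applies that test to a set of records; the field names, the SSN and account-number formats, the residency default and the sample records are assumptions.

```python
import re

# Added scoping check, not from the slides. It encodes the PI definition the
# deck summarises: first name (or initial) + last name, combined with an SSN,
# a driver's license number, or a financial account number (assumed formats).

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
ACCOUNT_RE = re.compile(r"^\d{8,19}$")  # assumed shape for card/bank numbers
ACCOUNT_FIELDS = ("credit_card", "bank_account", "policy_number")

def has_name(record: dict) -> bool:
    """First name or initial plus last name, both present."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)

def identifiers_present(record: dict) -> list:
    """Which of the triggering identifiers the record carries."""
    found = []
    if SSN_RE.match((record.get("ssn") or "").strip()):
        found.append("ssn")
    if (record.get("drivers_license") or "").strip():
        found.append("drivers_license")
    for key in ACCOUNT_FIELDS:
        digits = re.sub(r"[ -]", "", record.get(key) or "")
        if ACCOUNT_RE.match(digits):
            found.append(key)
    return found

def is_personal_information(record: dict) -> bool:
    """Name plus at least one identifier: the record is PI under 201 CMR 17.00."""
    return has_name(record) and bool(identifiers_present(record))

def in_scope_records(records: list) -> list:
    """Records that bring a data store within the regulation. A missing
    'state' field is treated conservatively as a Massachusetts resident."""
    return [r for r in records
            if r.get("state", "MA") == "MA" and is_personal_information(r)]

# Constructed, fictitious sample records.
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "Jane", "last_name": "Roe", "email": "jane@example.com"},
    {"first_name": "", "last_name": "Poe", "drivers_license": "S12345678"},
    {"first_name": "Al", "last_name": "Smith", "credit_card": "4111 1111 1111 1111"},
    {"first_name": "Bo", "last_name": "Lee", "state": "NH", "ssn": "987-65-4321"},
]
```

Running `in_scope_records(SAMPLE_RECORDS)` returns only the first and fourth records: a name alone, a surname without a first name, and a non-resident's record do not put the store in scope.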
Recommendations
• Easiest ➫ no PI
• Example of WISP
• Compliance checklist
• VPN, WPA, firewalls, updates, antivirus, ...
Recommendations
• TrueCrypt
• PGP
• S/MIME
References
• Full Text of Massachusetts 201 CMR 17.00
  http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
• Frequently Asked Questions
  http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
• Regulation explained and practical steps
  http://www.informit.com/articles/article.aspx?p=1433062
References
• Sample WISP
  http://nengroup.com/the-basics/products-andnengroup.com-services/ma-201-cmr-17/mass-201-cmr-17-comprehensive-information-security-program-example
• Compliance checklist
  http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
• Encryption
  http://www.truecrypt.org
  http://www.gnupg.org
Disclaimer
I am not a lawyer and this is not legal advice
slideshare.net/becarreno
Braulio Carreno
@bcarreno
bcarreno@gmail.com
http://carreno.me
Editor's Notes

  1. All companies have the same types of security risks, with small variations. We’ll provide a sample WISP (not legal advice)
  2. Passwords or biometrics
  3. PDA software still limited
  4. You want to comply because you care about your customer data, don’t you?