New Massachusetts Data Privacy Regulation


Lightning presentation on 201 CMR 17.00 for Boston Ruby User Group

Speaker notes:

  • All companies have the same types of security risks, with small variations
  • We'll provide a sample WISP (not legal advice)
  • Passwords or biometrics
  • Encryption software for PDAs is still limited
  • You want to comply because you care about your customer data, don't you?






  • New Massachusetts Data Privacy Regulation (slide transcript)

    1. 201 CMR 17.00
       • slideshare.net/becarreno
       • When: 3/1/10
       • Who: any "entity" that stores PI of residents of the Commonwealth
       • Similar to PCI DSS
       • Motivation: avoid another TJ Maxx

    2. Personal Information (PI)
       • First name (or initial) + last name, plus
       • SSN, or
       • Driver's license number, or
       • Account number: credit card, bank account, policy number?, ...
       • Any format: paper, electronic, audio, video, ...

    3. Administrative Requirements
       • WISP (Written Information Security Program)
       • Identify security risks
       • Ways to detect and prevent security failures
       • Designate an Information Security Officer

    4. Technical Requirements
       • User authentication and passwords for: software, computer, laptop, flash drive, ...
       • Access control
       • Firewalls, antivirus, keep software updated
       • Wireless networks must be encrypted
       • VPN for remote access

    5. Technical Requirements
       • Email must be encrypted
       • Portable devices must be encrypted:
         • Laptop hard drive (a login password is not enough)
         • iPhone, Blackberry, PDAs
         • Portable (backup) hard drives
         • Flash drives

    6. Technical Requirements
       • Fax, telephone and first-class mail are compliant
       • If encryption is not "technically feasible", don't send it that way; for example, use FedEx instead of email
       • No need to encrypt if there is no PI

    7. Recommendations
       • Easiest ➫ store no PI
       • Example of a WISP
       • Compliance checklist
       • VPN, WPA, firewalls, updates, antivirus, ...

    8. Recommendations
       • TrueCrypt
       • PGP
       • S/MIME

    9. References
       • Full text of Massachusetts 201 CMR 17.00: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
       • Frequently Asked Questions: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
       • Regulation explained and practical steps: http://www.informit.com/articles/article.aspx?p=1433062

    10. References
       • Sample WISP: http://nengroup.com/the-basics/products-and-services/ma-201-cmr-17/mass-201-cmr-17-comprehensive-information-security-program-example
       • Compliance checklist: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
       • Encryption: http://www.truecrypt.org and http://www.gnupg.org

    11. Disclaimer
       • I am not a lawyer and this is not legal advice

    12. slideshare.net/becarreno
       • Braulio Carreno
       • @bcarreno
       • bcarreno@gmail.com
       • http://carreno.me
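Slide 2 gives the definition of PI that decides whether the regulation applies to a record at all, and slide 7 says the easiest path is to hold no PI. The Ruby below is an added example for the Ruby user group audience, not code from the talk or from its author: it classifies a record against that definition (name plus at least one qualifying identifier) and then redacts the identifiers so the stored record no longer matches it. The field names, the identifier regexes, and the choice to keep only the last four digits are assumptions for illustration; whether a redacted record falls outside the legal definition is also an assumption, so check it against the regulation text linked in the references.

```ruby
# Added example, not from the talk: classify a record against the
# 201 CMR 17.00 definition of "personal information" (PI) and, following the
# "easiest: no PI" recommendation, redact the identifiers so that what is
# stored no longer meets the definition. Field names, the identifier regexes
# and the last-four-digits redaction are assumptions for illustration.

# PI = a resident's first name (or first initial) + last name, in combination
# with at least one of: SSN, driver's license / state ID number, or a
# financial account, credit card or debit card number.
IDENTIFIER_FIELDS = {
  ssn:             /\A\d{3}-?\d{2}-?\d{4}\z/,   # 123-45-6789 or 123456789
  drivers_license: /\A[A-Z]?\d{7,9}\z/i,         # assumption: formats vary by state
  card_number:     /\A\d{13,19}\z/,              # PAN length range
  account_number:  /\A\d{6,17}\z/                # assumption: bank formats vary
}.freeze

# A first name or initial plus a last name is enough to satisfy the name part.
def has_name?(record)
  first = record[:first_name].to_s.strip
  last  = record[:last_name].to_s.strip
  !first.empty? && !last.empty?
end

# Identifier fields that are present and well-formed (whitespace ignored).
def identifiers_present(record)
  IDENTIFIER_FIELDS.select do |field, pattern|
    value = record[field].to_s.gsub(/\s+/, "")
    !value.empty? && value.match?(pattern)
  end.keys
end

# True when the record meets the PI definition and so brings the regulation's
# WISP, access-control and encryption requirements into scope.
def personal_information?(record)
  has_name?(record) && !identifiers_present(record).empty?
end

# Keep only the last four digits of each identifier (nothing if shorter).
# The full number is discarded, so the result no longer matches any pattern
# above; whether it falls outside the legal definition is an assumption.
def redact_identifiers(record)
  record.each_with_object({}) do |(field, value), out|
    if IDENTIFIER_FIELDS.key?(field) && !value.nil?
      digits = value.to_s.gsub(/\s+/, "")
      tail   = digits.length >= 4 ? digits[-4, 4] : ""
      out[field] = "****#{tail}"
    else
      out[field] = value
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample record, not real data.
  customer = { first_name: "Jane", last_name: "Doe",
               ssn: "123-45-6789", card_number: "4111 1111 1111 1111",
               email: "jane@example.com" }
  puts "PI? #{personal_information?(customer)} via #{identifiers_present(customer).inspect}"
  safe = redact_identifiers(customer)
  puts "after redaction: #{safe.inspect} -> PI? #{personal_information?(safe)}"
end
```

Run it on a record before it is written to disk or logged: if `personal_information?` is true, either the record must go through the WISP-governed, encrypted path or it should pass through `redact_identifiers` first. A name alone, or an identifier without a name, does not meet the definition, which is why both checks are combined.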
