Successfully reported this slideshow.

New Massachusetts Data Privacy Regulation

1

Share

Loading in …3
×
1 of 12
1 of 12

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Related Audiobooks

Free with a 14 day trial from Scribd

See all

New Massachusetts Data Privacy Regulation

  1. 1. 201 CMR 17.00 • slideshare.net/becarreno • When: 3/1/10 • Who: “entity” that stores PI of residents of the Commonwealth • Similar to PCI DSS • Motivation: avoid another TJ Maxx
  2. 2. Personal Information PI • First name (or initial) + last name + • SSN or • Driver’s license number or • Account number: credit card, bank account, policy number?, ... • Any format: paper, electronic, audio, video ...
  3. 3. Administrative Requirements • WISP • Identify security risks • Ways to detect & prevent security failures • Designate Information Security Officer
  4. 4. Technical Requirements • User authentication, passwords for: software, computer, laptop, flash drive, ... • Access control • Firewalls, antivirus, keep software updated • Wireless networks must be encrypted • VPN for remote access
  5. 5. Technical Requirements • Email must be encrypted • Portable devices must be encrypted: • Laptop hard drive (password not enough) • iPhone, Blackberry, PDA’s • Portable (backup) hard drives • Flash drives
  6. 6. Technical Requirements • Fax, telephone, first class mail are complaint • If not “technically feasible” don’t do it, example: use FedEx instead of email • No need to encrypt if no PI
  7. 7. Recommendations • Easiest ➫ no PI • Example of WISP • Compliance checklist • VPN, WPA, firewalls, updates, antivirus, ...
  8. 8. Recommendations • TrueCrypt • PGP • S/MIME
  9. 9. References • Full Text of Massachusetts 201 CMR 17.00 http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf • Frequently Asked Questions http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf • Regulation explained and practical steps http://www.informit.com/articles/article.aspx?p=1433062
  10. 10. References • Sample WISP http://nengroup.com/the-basics/products-andnengroup.com-services/ma-201-cmr-17/mass-201-cmr-17- comprehensive-information-security-program-example • Compliance checklist http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf • Encryption http://www.truecrypt.org http://www.gnupg.org
  11. 11. Disclaimer I am not a lawyer and this is not legal advice
  12. 12. slideshare.net/becarreno Braulio Carreno @bcarreno bcarreno@gmail.com http://carreno.me

Editor's Notes



  • All companies have same types of security risks, small variations
    We’ll provide sample of a WISP (not legal advice)
  • Passwords or biometrics
  • PDA software still limited
  • You want to comply because you care about your customer data, don’t you?






  • ×