KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law

KMA Insights Webinar Series - 29 July 2009 presentation on MA Privacy readiness and SharePoint compliance portal

  1. Webinar Series
     July 29, 2009
     Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17
     Presented by:
  2. About the Speakers
     Doug Cornelius, Bob Boonstra, Sean Megley
  3. Agenda
     - Overview of the Law: MA Privacy Law 201 CMR 17
     - Implications and Best Practices
     - 10 Questions to Determine if You will be Compliant by 1/1/2010
     - A First Look at a SharePoint-based Compliance Management Solution
     - Questions & Answers
  4. Overview of the Law: MA Privacy Law 201 CMR 17
  5. Law Overview
     Doug Cornelius, Chief Compliance Officer
     Publisher of Compliance Building
  6. Disclaimer
     I am a lawyer, but I am not your lawyer.
     This overview is for information purposes. Please seek your own attorney for advice.
     These are my views and not necessarily the views of my employer.
  7. Background
  13. Background
      The breaches affected over 600,000 Massachusetts residents.
  14. Image source: http://www.massachusetts-map.org/detailed.htm
  17. Federal Regulation
      - Gramm-Leach-Bliley
      - HIPAA
  18. Massachusetts Data Privacy Law
      Massachusetts General Laws Chapter 93H
      Statute on security breaches
      shall provide notice, as soon as practicable and without unreasonable delay
  19. Massachusetts Data Privacy Law
      201 CMR 17.00
      Regulations from 93H to safeguard the personal information of the residents of the Commonwealth
  20. Personal Information
      Massachusetts resident's first name and last name, or first initial and last name, in combination with:
      - Social Security number;
      - driver's license number or state-issued identification card number; or
      - financial account number, or credit or debit card number (with or without any required security code, access code, personal identification number or password)
  21. Duty to Protect
      - Written Information Security Program
      - Computer System Security Requirements
  22. Information Security Program
      Written
  23. Information Security Program
      Reasonably consistent with industry standards
  24. Information Security Program
      Designee
  25. Information Security Program
      Identify and assess internal and external risks:
      - Employee training
      - Employee compliance
      - Detect security failures
  26. Information Security Program
      Taking it outside
  27. Information Security Program
      Discipline
  28. Information Security Program
      Terminating access for terminated employees
  29. Information Security Program
      Third Party compliance
  30. Information Security Program
      Limiting the amount of personal information
  31. Information Security Program
      Identify storage locations
  32. Information Security Program
      Restrict physical access
  33. Information Security Program
      - Monitor
      - Review
      - Document
  34. Computer System Security
  35. Computer System Security
      Secure user authentication protocols
  36. Computer System Security
      Secure access control measures
  37. Computer System Security
      Encryption
  38. Computer System Security
      Monitor
  39. Computer System Security
      - Virus Protection
      - Firewall
      - Malware
  40. Computer System Security
      Training
  41. Resources
      - Massachusetts General Laws Chapter 93H: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
      - 201 CMR 17.00: http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf
      - Compliance Building Posts: http://www.compliancebuilding.com/tag/mass-data-privacy-law/
  42. Implications & Best Practices
  43. Implications & Best Practices
      - Brief Indevus Pharmaceuticals background
      - 201 CMR 17, Rounds 1, 2, and 3
      - Assessment approach
      - Assessment results
      - Final observations
  44. Indevus Pharmaceuticals Background
      - Focused on development and marketing of drugs in urology and endocrinology
      - 260 staff, including a 115-person sales force (Jan 2009)
      - 2 locations: Lexington, MA, and Cranbury, NJ
      - Indevus acquired in Mar 2009; the Lexington location is being closed by Dec 31, 2009
  45. 201 CMR 17 at Indevus
      - Assessment effort launched Oct 2008
      - Re-planned after 14 Nov deadline postponement to 1 May 09
      - Coordination with acquiring company
      - Re-planned again after Feb 09 postponement to 2010
  46. Assessment Approach
      - Does the new law even apply?
      - What personal information do we have, who has it, and where is it?
        - HR, Finance
        - Others?
      - What do we need to have in place?
        - Policies
          - “Comprehensive, written information security program”, security policies regarding personal information, annual review
          - Risk assessment
        - Practices
          - Designated information security employee
          - Identify record locations
          - Restrict physical access to personal information
          - Verify 3rd party compliance
        - Technology
          - Access control
          - Encryption
          - Firewall protection, malware protection
          - Monitoring
        - Monitoring and enforcement
          - Enforcement and disciplinary mechanisms
  47. Assessment Results
      Where do we stand?
      - Policies
        - Security policy: Exists, but needs augmentation
        - Risk assessment: Needed to be accomplished for personal information
      - Practices
        - Designated information security employee: Already in place
        - Identify record locations: Needed to be accomplished for personal information
        - Restrict physical access to personal information: Already in place
        - Verify 3rd party compliance: Reasonably covered by SAS 70; verification needed
      - Technology
        - Access control: Already in place
        - Encryption: Needed to be accomplished for laptops with personal data
        - Firewall protection, malware protection: Already in place
        - Monitoring: Already in place
      - Monitoring and enforcement
        - Enforcement and disciplinary mechanisms: Needed to be accomplished for PI
  48. Final Observations
      - Take advantage of synergies with sound IT management practices and other compliance activities
      - Use both process and technology
      - Don’t overreact: “… compliance … shall be evaluated taking into account … size, scope, and type of business …. resources available …. amount of stored data ….”
      - Remember to stay current with evolving systems architecture, business practices, regulatory changes
  49. Sneak Peek of SharePoint Based Compliance Management Solution
  50. 10 Key Questions
      1. Do you have policies that apply? Policy - Write a high-level policy that indicates your company intends to comply with the spirit and letter of the law, completely.
      2. Do your business leaders understand the new law? Exposure - Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics.
      3. Are you communicating the changes? Communication - Inform the company staff that the law is coming and request their help in meeting the compliance obligations.
      4. Have you classified your data and systems? Data classification - Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc.
      5. Where is the PI? Discovery - Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.
  51. 10 Key Questions (continued)
      6. Do your job descriptions consider PI? Need to know - Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role-based security tools, such as Active Directory groups.
      7. How do you use PI? Lifecycle - Look at your business processes to understand the lifecycle of PI in your enterprise.
      8. Who is administering and enforcing your policies? Administration - Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority.
      9. Do you allow PI on laptops? Technical - Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution.
      10. Got Security? Physical - Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.
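The Discovery question above ("use a search engine on suspected harbors of PI") and the "Personal Information" slide's definition (a name in combination with an SSN, driver's license or state ID number, or financial account or card number) together describe a pattern scan. The following is an added example written for this page, not code from the KMA deck or from any of the speakers. It treats each input line as one record, matches the three identifier classes, filters card candidates with a Luhn check so random digit runs do not become findings, and reports an identifier as personal information only when a name co-occurs on the same record, which is how the definition is framed. Assumptions: the Massachusetts driver's license format ('S' plus eight digits), the crude "First Last" name heuristic, and the sample records, which are constructed for the example.

```python
"""PI discovery scan keyed to the 201 CMR 17.02 definition.

Added example (not from the KMA deck). Each line of the input is treated
as one record; an identifier counts as personal information only when a
name appears on the same record, which is how the regulation frames it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SSN: 3-2-4 with the area/group/serial values the SSA never issues excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card / account candidate: 13-19 digits, optional single space or dash between
# digits; a candidate is kept only if it passes the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed Massachusetts driver's license format: 'S' followed by eight digits.
MA_DL_RE = re.compile(r"\bS\d{8}\b")
# Deliberately crude "First Last" heuristic; a production scan would use an
# HR-sourced name list or a DLP lexicon instead.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that weeds random digit runs out of the card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep the last four digits so the scan report is not itself a PI store."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "ssn", "card" or "ma_dl"
    masked: str
    with_name: bool  # True when a name co-occurs on the same record


def scan_text(text: str) -> list[Finding]:
    """Return every identifier hit, flagged with whether a name accompanies it."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_name = NAME_RE.search(line) is not None
        for m in SSN_RE.finditer(line):
            findings.append(Finding(line_no, "ssn", mask(m.group()), has_name))
        for m in MA_DL_RE.finditer(line):
            findings.append(Finding(line_no, "ma_dl", mask(m.group()), has_name))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, "card", mask(digits), has_name))
    return findings


def personal_information(text: str) -> list[Finding]:
    """Only the hits that meet the statutory definition: name + identifier."""
    return [f for f in scan_text(text) if f.with_name]


# Constructed sample records (not real data) exercising each branch above.
SAMPLE = """\
Employee roster export (constructed sample data for this example)
Name: Jane Doe, SSN: 123-45-6789, Hire: 2008-03-01
Name: John Smith, Card: 4111 1111 1111 1111 (corporate card)
Ticket 4012-8888-8888-1881 logged by helpdesk
Name: Ana Lopez, MA DL: S12345678
Invoice total 1234567890123 units
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        status = "PI" if f.with_name else "identifier only, no name"
        print(f"line {f.line_no}: {f.kind} {f.masked} ({status})")
```

Run against the sample, the scan reports the SSN, the corporate card and the license as personal information, reports the helpdesk ticket's card number as an identifier without a name, and ignores the 13-digit invoice figure because it fails Luhn. Two design points matter in practice: the report masks every value, so the inventory produced for the "identify record locations" step does not become another store of PI, and the name check is what separates a statutory finding from a lone identifier, which keeps the remediation list focused on records the law actually covers.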
  52. Privacy Law Objectives
  53. Objectives Facilitated by SharePoint
  54. Key Compliance Indicators
  65. Questions and Answers
      Doug Cornelius, Bob Boonstra, Sean Megley
      - Overview of law
      - Practitioner’s view
      - Solution Overview
  66. In Closing…
      - How to get (and share) a copy of today’s slides
      - Continue the compliance conversation with KMA – pilot the portal!
      - Next KMA Insights Webinar – watch for invitation: SharePoint and Enterprise Social Computing, Wednesday, August 26, 12:30 pm
      - Feedback/survey
      - Thank you!!! http://www.kma-llc.net
