The document outlines the requirements for organizations in Massachusetts regarding the protection and management of personal information as mandated by legislative regulations such as 201 CMR 17.00. It details components of a Written Information Security Program (WISP), including risk assessment, employee training, access control, and incident response protocols in case of data breaches. The document also emphasizes the responsibilities of various stakeholders, penalties for non-compliance, and best practices for maintaining data security.

2. WelcomeAbout the LawAffected OrganizationsPresentersPrivacy PartnersComplianceAccountingLegalInsuranceTechnology

3. Seminar Agenda

4. Regulatory ComplianceWhich Organizations are required to comply with the new law?Verbiage: Organizations, “who own, license, store or maintain personalinformation about a resident of the Commonwealth of Massachusetts.”Personally Identifiable Information (PII) Includes:Electronic Transaction and Billing Data (cc #s, bank data, etc)Identity-Theft Target Data (ss#, identification, etc)Customer Records

5. What is Required?Four Main Components:Risk Assessment and WISPData Privacy Awareness PolicySecurity (A/V, Firewall, Encryption)Vendor WISP or Sign-Off

6. 201 CMR 17.00CustomersVendorsWeb SitesRemote WorkersSuppliersExternal Requirements

7. Inman TechnologyAbout Inman Technology Sarah CortesEducation

8. Clients

9. ProjectsServices Provided

10. HistoryRecent Breach History:TJ Maxx

11. Heartland

12. CVS

13. Every day there are new breaches

14. Verizon report, April 2009: three-fold increase in breaches in 2008

15. Industry sources: average cost per stolen record at ~ $202Massachusetts LawsMass General Laws ch. 93H and Consumer Affairs Legislature Directed formulation of regulation

16. Goal – protect the Personal Information of all Mass residentsBusiness Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of Resident of the CommonwealthEstablished a minimum standard

17. Compliance is based on size, scope, type of business

18. Resources available, amount and type of data storedMass General Laws ch. 93I – Disposition and DestructionPaper Documents

19. Electronic MediaData Security RegulationsRisk-Based ApproachAdministrative, technical and physical safeguards appropriate to:

20. Size, scope and type of business

21. Amount of resources available to business

22. Amount of data stored

23. Need for security and confidentiality of both consumer and employee information

24. All persons, businesses, agencies must destroy records containing Personal Information “such that the data cannot be practicably read or reconstructed after disposal or destruction”The Program = Your WISP

25. Your WISP ProgramScopePersonally Identifiable Information (PII) – defined as:First Name (or initial), and last name, PLUS

26. SSN,

27. Driver’s License # (or state-issued ID)

28. Financial Account Number, or

29. Credit / debit CardSpecific Requirements: All people / organizations who store PII of Mass residentsDesignate employee(s) to maintain Program

30. Identify and assess reasonable foreseeable internal and external risks

31. Evaluate and improve (where necessary) effectiveness of current safeguards for limiting risks

32. Develop security policies for employees for storage, access, and transportation of Personal Information Required Compliance Activities1. Written Information Security Program(ISO, IEE, NIST, etc)2. Identification of RecordsNormalization; Data Classification: Know where your PII exists3. Third Party ProvidersMust be evaluated for compliance4. Rethinking the Collection, Storage and Access to PIIDo NOT collect or store data you do not need5. Implementing and Monitoring Protective MeasuresMinimum: Annual evaluationsYour WISP ProgramSpecific RequirementsImpose disciplinary measures for violations

33. Prevent terminated employees from accessing records

34. Oversee service providers

35. Reasonable restrict physical access to, and storage of, recording containing Personal Information

36. Regularly monitor Program and upgrade safeguards as necessary

37. Review Scope of security measures at least annually, or whenever there is a material change in business practices

38. Document responsive actions taken after any breach and conduct post-incident review of events and actions takenIn case of breach, REACT IMMEDIATELY (see addendum for directions to be followed)

39. Your WISP ProgramControl AccessUser ID control

40. Assign unique ID’s plus Passwords – that are NOT vendor supplied defaults passwords

41. User Passwords / Biometric / Token devices

42. Control of Data Security Passwords (keys to vault)

43. Restricting Access to Active Users

44. Blocking Access after Multiple Attempts

45. Restrict Access to Records and Files to Needed Personnel

46. Physical AccessCommon Causes of Data BreachesSome Common CausesStolen LaptopsRogue EmployeesInadvertent DisclosureIntra-company EmailHacking

47. Common Causes of Data BreachesMALwareProblemsWorms, Viruses, Trojan Horses, Rootkits, Spyware, Dishonest softwareThe ProtectionsEducation, Antivirus Software, AntiSpyware, SPAM eliminationWirelessPublicPrivate

48. SolutionsBackUp and Disaster Recovery:TEST your systems regularlyStorage Media: Secure

49. Rotation

50. StaffHard Drive Based BackUpLimited RotationDisaster Recovery with BackUp