
Protecting Personal Information



Presentation Transcript


  1. Protecting Personal Information
  201 CMR 17
  Samet and Company PC, 1330 Boylston Street, Chestnut Hill, MA 02467, www.samet-cpa.com
  TechKnowledge Advisors Inc, 20 Park Plaza, Suite 400, Boston, MA 02116, www.tech-adv.com

  2. Protecting Personal Information
  OVERVIEW AND RECOMMENDATIONS: 201 CMR 17.00
  Norman P. Posner, CPA, Managing Partner, Samet and Company PC, Certified Public Accountants
  Professional Experience
  Norman is the Managing Partner of Samet and Company PC and has over thirty years' experience as a Certified Public Accountant licensed in Massachusetts. Norman provides accounting, auditing, tax planning and preparation expertise to numerous industries, including temporary staffing, law firms, real estate, manufacturing and non-profit.

  3. The Purpose of the Law
  201 CMR 17 is intended to:
  • Prevent the breach of Personal Information (PI).
  • Establish procedures to follow if a breach of PI occurs.

  4. Regulatory Overview
  • 201 CMR 17.00 is intended to ensure the security and confidentiality of the personal information of Massachusetts residents.
  • For compliance, businesses must develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP) that is consistent with industry standards.

  5. Regulatory Overview
  • The program must be monitored on a regular basis to help ensure that it can:
  • Prevent unauthorized access to PI
  • Prevent unauthorized use of PI
  • The WISP should be reviewed at least annually, and whenever there is a material change in the company's business practices that may affect the security of PI.

  6. Does the law apply to your business?
  • If you store a Massachusetts resident's last name and first name (or first initial) in any form (electronic, paper or some other form)
  • Plus one of the following (a, b, c or d):
  • (a) Social Security number
  • (b) Driver's license number or state-issued ID card number
  • (c) Financial account number, or credit or debit card number
  • (d) Any required security code, access code, password or PIN that would permit access to the person's financial account
  Then the law applies to your business! Note that it applies whether you own the data or merely license, store or process it on someone else's behalf.

  7. Remember the TJX Data Breach
  • The breach may cost the company $1 billion.
  • 97 million credit card numbers are estimated to have been breached.
  • A poorly secured wireless network (store Wi-Fi protected only by WEP) was the culprit.
  • Other publicized breaches:
  • Hannaford: 4 million accounts
  • Bank of America: 1.2 million records
  • Boeing: 161,000 records

  8. 2008 Identity Theft Statistics
  • 313,982 registered complaints
  • That is a ten-fold increase from 2000
  • 5,408 identity theft complaints reported in Massachusetts alone
  (Statistics courtesy of the FTC Consumer Sentinel Network Data Book, 2008)

  9. Duty to Protect and Standards for Protecting PI
  Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:

  10. Duty to Protect and Standards for Protecting PI
  (a) the size, scope and type of business…
  (b) the amount of resources available…
  (c) the amount of stored data
  (d) the need for security and confidentiality of both consumer and employee information

  11. 201 CMR 17.03 – Duty to Protect...
  • Designating one or more employees to maintain…
  • Identifying and assessing reasonably foreseeable internal and external risks…
  • Developing security policies for employees relating to the storage, access and transportation…

  12. 201 CMR 17.03 – Duty to Protect...
  • Imposing disciplinary measures for violations…
  • Preventing terminated employees from…
  • Overseeing service providers, by:
  • Taking reasonable steps to select and retain third-party service providers…
  • Requiring such third-party service providers by contract to implement and maintain…
  (Grandfather provision: service-provider contracts entered into before March 1, 2010 are deemed compliant until March 1, 2012, even if they lack the required security language.)

  13. 201 CMR 17.03 – Duty to Protect...
  • Reasonable restrictions upon physical access to…
  • Regular monitoring to ensure that the comprehensive information security program is…
  • Reviewing the scope of the security measures at least annually or…
  • Documenting responsive actions taken in connection with any incident involving a breach of security…

  14. Trigger Events
  Notice is required when the data owner knows or has reason to know that there has been:
  • Unauthorized acquisition or use of:
  • Unencrypted personal information, or encrypted personal information together with the confidential process or key that can unlock it,
  • That creates a substantial risk of identity theft or fraud against a Massachusetts resident.
  Encryption only removes the duty to notify while the key remains secret; a stolen laptop with the password on a sticky note is a reportable breach.

  15. Who to Notify
  If you own or license the data, you must notify:
  • The Attorney General's Office
  • The Office of Consumer Affairs and Business Regulation
  • The affected Massachusetts residents
  If you merely maintain or store the data for someone else, you must notify the data owner, who then makes the notifications above.

  16. Computer System Security Requirements
  • Secure user authentication protocols, including:
  • Control of user IDs and other identifiers
  • A reasonably secure method of assigning and selecting passwords
  • Restricting access to active users and active user accounts only
  • Blocking access after multiple unsuccessful attempts to gain access
  • Secure access control measures that:
  • Restrict access to files to those who need the information to perform their job duties
  • Assign unique identifications and passwords, which are not vendor-supplied default passwords
  • Encryption of all transmitted records and files containing PI that will travel across public networks, and of all data containing PI that is transmitted wirelessly.

  17. Computer System Security Requirements
  Requirement / Recommendation
  • Secure user authentication protocols: use Windows Group Policy (password length and complexity, password ageing, account lockout threshold).
  • Secure access controls: Windows domain group security (permissions granted to security groups rather than to individual users).
  • Email encryption: Leapfile, Tumbleweed, Perimeter eSecurity MessageGuard, PGP Mailgate, PGP Desktop Messenger, BitArmor SecureMail.

  18. Computer System Security Requirements
  • Reasonable monitoring of systems for unauthorized use of or access to PI.
  • Encryption of all PI stored on laptops or other portable devices (flash drives, backup media, phones).

  19. Computer System Security Requirements
  Requirement / Recommendation
  • Monitor for unauthorized use: turn on Windows event and object (audit) logging; set up an event parser that notifies by email on events such as repeated unsuccessful logons.
  • Encrypt all portable devices: PGP Whole Disk Encryption, BitArmor Disk Encryption, MessageGuard, Windows 7 BitLocker (requires a TPM or new hardware), hardware-encrypted drives.
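The "event parser that notifies by email" on the slide above is the piece most firms never actually build, so here is a minimal one as an added example. It is not code from the presentation or from either firm; it is written for this page. It reads exported Windows Security-log records for Event ID 4625 (an account failed to log on), groups failures by source address and target account inside a sliding window, and raises an alert when a threshold is crossed. The sample records, the threshold and window values, and the mail host and addresses are all constructed assumptions for the example, not values from 201 CMR 17.

```python
"""
Failed-logon monitor for 201 CMR 17.04(4): parse Windows Security-log
records, detect bursts of Event ID 4625 per (source, account), and build
an email alert.  Added example; sample data and settings are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import smtplib
from email.message import EmailMessage

# Constructed sample of exported Security-log records, CSV style:
# time, event id, target account, workstation, source IP.  In production
# these come from a Get-WinEvent / wevtutil export or a log forwarder.
SAMPLE_LOG = """\
2010-02-18T08:01:05,4625,jsmith,WS-12,10.0.5.21
2010-02-18T08:01:09,4625,jsmith,WS-12,10.0.5.21
2010-02-18T08:01:14,4625,jsmith,WS-12,10.0.5.21
2010-02-18T08:01:20,4625,jsmith,WS-12,10.0.5.21
2010-02-18T08:01:26,4625,jsmith,WS-12,10.0.5.21
2010-02-18T08:01:33,4624,jsmith,WS-12,10.0.5.21
2010-02-18T08:30:00,4625,mlee,WS-07,10.0.5.40
2010-02-18T09:45:00,4625,mlee,WS-07,10.0.5.40
2010-02-18T11:02:11,4625,administrator,-,203.0.113.9
2010-02-18T11:02:12,4625,administrator,-,203.0.113.9
2010-02-18T11:02:13,4625,administrator,-,203.0.113.9
2010-02-18T11:02:14,4625,administrator,-,203.0.113.9
2010-02-18T11:02:15,4625,administrator,-,203.0.113.9
"""

FAILED_LOGON = 4625
THRESHOLD = 5                    # failures that trigger an alert (assumed value)
WINDOW = timedelta(minutes=10)   # sliding window (assumed value)


def parse_records(text):
    """Parse CSV-style records into dicts; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            event_id = int(parts[1])
        except ValueError:
            continue
        records.append({"time": ts, "id": event_id, "user": parts[2].lower(),
                        "host": parts[3], "src": parts[4]})
    return records


def find_bruteforce(records, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (source, account) that reaches `threshold` failed
    logons within `window`.  Records are sorted first so an unsorted export
    still works; two isolated failures hours apart never trigger."""
    failures = defaultdict(list)
    alerts = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["id"] != FAILED_LOGON:
            continue
        key = (rec["src"], rec["user"])
        times = failures[key]
        times.append(rec["time"])
        while times and rec["time"] - times[0] > window:   # expire old failures
            times.pop(0)
        if len(times) >= threshold and key not in alerts:
            alerts[key] = {"src": rec["src"], "user": rec["user"], "count": len(times),
                           "first": times[0], "last": rec["time"]}
    return list(alerts.values())


def format_alert(alert):
    return ("{count} failed logons for account '{user}' from {src} "
            "between {first:%H:%M:%S} and {last:%H:%M:%S}").format(**alert)


def send_alert(alerts, smtp_host, sender, recipient):
    """E-mail the alert text through an internal relay (host and addresses assumed)."""
    msg = EmailMessage()
    msg["Subject"] = "[201 CMR 17 monitoring] %d failed-logon alert(s)" % len(alerts)
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n".join(format_alert(a) for a in alerts))
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    found = find_bruteforce(parse_records(SAMPLE_LOG))
    for a in found:
        print(format_alert(a))
    # send_alert(found, "mail.example.internal", "siem@example.com", "it@example.com")
```

Run against the sample, the script alerts on jsmith (five failures in half a minute from one workstation) and on the external address hammering the administrator account, but stays quiet on mlee's two failures an hour apart. Set the threshold one below the Group Policy lockout threshold so the alert fires before the account locks, and keep the 4624 success event in the feed: a success that follows a burst of failures is the record you want in the incident file that 17.03 requires.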

  20. Computer System Security Requirements
  • Must have a reasonably up-to-date firewall, with stateful packet inspection, protecting any system holding PI that is connected to the Internet, plus current operating system security patches.
  • Reasonably up-to-date versions of system security agent software, including anti-virus and anti-malware protection with current patches and virus definitions.
  • Education and training of employees on the proper use of the computer security system and the importance of personal information security.

  21. Computer System Security Requirements
  Requirement / Recommendation
  • Firewall: SonicWall, Cisco PIX, Juniper, WatchGuard.
  • Windows patch management: Microsoft WSUS (Windows Server Update Services, free; the successor to SUS).

  22. Computer System Security Requirements
  Requirement / Recommendation
  • Up-to-date anti-virus, anti-spyware and anti-malware.
  • Spam filtering: Postini or AppRiver, third-party hosted solutions that filter mail offsite before it reaches your server.

  23. Computer System Security Requirements
  Requirement / Recommendation
  • Backup of data: backup tapes must be encrypted if they contain PI, since a lost tape is a lost portable device under the regulation. Offsite data backup services such as www.capitalvault.net encrypt the data before it leaves your site; other offsite backup providers offer the same.
  • Imaging your servers is recommended; software such as Symantec LiveState Recovery is a good solution.
