Personal Identity Security
      “Y2K plus 10”
Are You Ready for March 1, 2010?

 The new MA regulation: 201 CMR 17.00 –
 Updated and including FTC Red Flag Rules
              Presented by the:
       Boston Business Alliance

         October 27, 2009 – Woburn, MA
Sponsors
                   Facilities/Location Sponsor:
                                                   Sunbelt Business Sales & Acquisitions
                                                   Contact: Mariola Andoni
                                                   Phone: 781-932-7355
                                                   www.sunbeltne.com

                   Refreshment Sponsor:
                                    Analytix Solutions
                                    Contact: Jason Lefter
                                    Phone: 781-503-9000
                                    www.analytixsolutions.com

                   Website Sponsor:
                                      Techevolution
                                      Contact: Corey Tapper
                                      Phone: 781-595-2040
                                      www.techevolution.com


October 27, 2009                           Boston Business Alliance                        2
Personal Identity Security – Y2K plus 10
                       New MA Regulation – 201 CMR 17.00
               October 27; 6:30 PM – 8:30 PM – 800 W. Cummings Park, Woburn, MA

     6:15            Refreshments and Networking
     6:30            Overview – Personal Identity Security & Red Flag
                         (Attorney Dennis Eagan)
     6:55            Computer Systems & Technical Security
                         (Matt Pettine, Managing Director)
     7:20            How you can comply – what to do guidelines
                         (Ray Arpin, Consultant)
     7:50            Questions & Answers & Call to Action
                         (speakers)
     8:30            Adjourn
                         Speakers and Vendors available for questions
Speakers
                   Dennis Ford Eagan
                   Dennis Ford Eagan, attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport.
                   Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters
                   and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients in
                   protecting their intellectual property interests. He is a member of the Massachusetts Bar Association and the
                   Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent
                   presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00.


                   Matt Pettine
                   Matt has over 20 years of experience in business and best practices in the application of technology. He holds no
                   less than 5 certifications in these areas. He fully understands business and how the different functions interrelate,
                   along with the uses of technology to compete in today’s business world. He has worked in security and regulatory
                   compliance in MA 201 CMR 17.00, Sarbanes-Oxley, and with other regulations. He is a member of the
                   Information Systems Audit and Control Association.



                   Ray Arpin
                   Ray Arpin has 30 years of experience working with small companies and start-ups, to Fortune 10, Global 2000,
                   state and federal organizations, in a wide variety of industries and segments. His specialty is business process
                   improvement to increase sales and reduce costs, professional services, and regulatory compliance. Most
                   recently, he is focused on helping companies and individuals quickly apply business best practices, and
                   specifically to become compliant with personal identity security regulations and MA 201 CMR 17.00.




Personal Identity Protection
                         How it started…
             On August 2, 2007, Governor Deval Patrick approved
             the Massachusetts Act Relative to Security Freezes and
             Notification of Data Breaches.
             One of the most comprehensive Personal Identity
             Theft Prevention statutes in the country.
             Three components to the Act:
                   Establishing a right for consumers to request a security freeze on
                   their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A);
                   Requiring notification of security breaches to regulators and
                   affected residents (Mass. Gen. Laws c. 93H);
                   Establishing procedures for destruction and disposal of personal
                   identity information (Mass. Gen. Laws c. 93I).



Mass. General Law c. 93H
                   Personal Identity Information
             Under Mass. Gen. Law c. 93H, § 1, the Legislature
             defined Personal Information as:
                   “A resident’s first name and last name or first initial and last
                   name in combination with any 1 or more of the following data
                   elements that relate to such resident:
                      Social Security Number;
                      Driver’s License or State-issued Identification Card Number;
                      Financial Account Number, or Credit or Debit Card Number, with or without
                      any required security code, access code, personal identification number or
                      password, that would permit access to a resident’s financial account;
                   Provided, however, that “Personal Information” shall not include
                   information that is lawfully obtained from publicly available
                   information, or from federal, state or local government records
                   lawfully made available to the general public.



OCABR – 201 CMR 17.00
                         Purpose
        Pursuant to C. 93H, the Department of Consumer Affairs and
        Business Regulation (OCABR) issued regulations 201 C.M.R.
        17.00, regulating persons and businesses maintaining
        Personal Information, which were revised in August, 2009.
        Purpose of the regulations:
              Establish minimum standards for safeguarding Personal Information
              contained in both electronic and hard copy records;
              Insure the security and confidentiality of customer information in a manner
              fully consistent with industry standards;
              Protect against anticipated threats or hazards to security or integrity
              of such information;
              Protect against unauthorized access to or use of such information that
              may result in substantial harm or inconvenience to any consumer.
        Compliance required by March 1, 2010 (extended by the
        OCABR from original compliance dates of January 1)

Business and Individuals
             201 C.M.R. 17.00 applies to all persons and businesses that own,
             license, store or maintain Personal Information of any
             Massachusetts resident.
                   As a result, these regulations cover all employers, professional service
                   providers, and most all businesses that accept credit or debit cards
                   Also, if you have any employees, you need to protect their Social
                   Security numbers
             Regulations cover all Personal Information, whether paper, hard
             copy or electronically stored.
             Requires covered businesses and persons to develop, implement, and
             maintain a comprehensive Written Information Security Program
             (“WISP”)
             The WISP may be in one or more accessible parts
             WISP shall contain administrative, technical and physical safeguards
             to ensure the security and confidentiality of Personal Information.
             Targeted to be reasonably consistent with industry practices and
             consistent with federal regulations

Written Information Security
                          Program (WISP)
             Basic required elements for WISP:
                   Designating one or more employees to maintain program;
                   Identify risks and Personal Information intake;
                   Improve safeguards;
                   Limiting access and restricting use and transport;
                   Encryption / Computer system security requirements;
                   Train employees and require compliance;
                   Detecting and preventing failures and documenting response
                   actions;
                   Third party certification of those contracted to maintain or
                   having access to Personal Information;
                   At least annual review.




WISP Components
           An effective WISP should contain at minimum:
                   technical safeguards (i.e., encryption, firewalls, password protections);
                   physical safeguards (i.e., locked file cabinets, alarm systems, etc.);
                   administrative safeguards (i.e., limiting access, secure storage and transport,
                   proper destruction and disposal; employee oversight, intake processes, etc.);
                   designation of an employee to oversee the program and initiate annual
                   reviews of the program;
                   procedures to identify risks and threats to the personal information;
                   procedures for on-going compliance and monitoring, including disciplinary
                   action for violations;
                   oversight provisions, not only for employees but also third party contractors
                   with access to personal information; and
                   procedures to notify regulators and the affected persons upon any
                   security breach, which may include lost or stolen laptops, misdirected e-mails,
                   inadvertent disclosure, access by terminated employees, or hacking and other
                   outside infiltration.




Disposal of Personal Information
             Mass. Gen. Laws c. 93I requires minimum standards
             for disposal of Personal Information so that it may not
             be practicably read or reconstructed:
                   Paper / Hard copies – Redacted, burned, pulverized or shredded;
                   Electronic / Non-paper – Destroyed or erased
             Requires care in properly shredding Personal
             Information, i.e., obtaining written certification from
             third party services.
             Requires care in destroying, erasing and disposing of
             hard drives, laptops, computers, cell phones, and PDAs.




Enforcement of 201 CMR 17.00
             Enforced by the Massachusetts Attorney General.
             Attorney General may bring action under Mass. Gen.
             Laws c. 93A, §4:
                   Injunctive relief;
                   Civil penalties not more than $5,000 for each violation
                   Costs of investigation, litigation, including attorney’s fees.
             Civil liability for any breach / increased duty of care.
             Mass. Gen. Laws c. 93I (Destruction) –
                   Fines of up to $100 per data subject affected;
                   Not more than $50,000 for each instance of improper disposal.




Federal Trade Commission
                        Red Flag Rules
         Enforced by the U.S. Federal Trade Commission
         Effective November 1, 2009
         Red Flag Rules require many businesses to develop and
         implement written identity theft programs to identify, detect
         and respond to “red flags” of identity theft
         The Red Flag Rules apply to financial institutions and
         “creditors,” i.e. all businesses that extend credit to clients.
         For purposes of the Red Flag Rules, the term “creditors” is defined as:
               “any person who regularly extends, renews, or continues credit”
               which is defined as, the “right granted … to defer payment of debt
               or to incur debts and defer its payment or to purchase property or
               services and defer payment therefor.”



Red Flag - Creditors
             This broad definition of “creditor” subject to the Red Flag
             Rules includes any business that provides its goods and
             services to a client or customer before accepting
             payment. This may include many service providers:
                   broker-dealers, investment advisers,
                   health care providers;
                   attorneys; accountants;
                   IT professionals;
                   Cleaning service companies; Landscapers
                   retailers, mortgage brokers, car dealers, and other organizations
                   that arrange loans or extend consumer credit; AND
                   many other professional and consumer service providers, who
                   bill clients rather than accepting full payment at the time of
                   service.

Red Flag & Identity Theft
             All businesses and entities covered by the Red Flag Rules
             must adopt and implement an Identity Theft Prevention
             Program, which must, at minimum:
                   Identify potential Red Flags, or suspicious patterns, specific
                   activities or practices that indicate potential threats for identity
                   theft, that come about in course of business for incoming or
                   existing client accounts;
                   Detect Red Flags that are identified, i.e., procedures to detect
                   and respond to fraudulent identification;
                   Implement appropriate response actions to detected Red Flags;
                   and
                   Periodically, and not less than annually, review the program.




Red Flag Penalties
             Subject to FTC investigations and enforcement actions.
             May include civil penalties up to $3,500 per violation and
             injunctive relief.
             Presently, the Red Flag Rules do not include a private
             right of action to consumers, but there is a complaint
             procedure to the FTC.
             Violations may establish a prima facie case of negligence
             or intentional misconduct in a civil suit by an affected
             consumer.




Possible Implications and Why be
                             Concerned?
             Applicability – if your organization obtains personal identity information from MA
             residents, you MUST comply
             Personal Identity Information – credit card, driver license, or SS numbers
             Possible Fines – $5,000 per occurrence, and/or per person affected or
             compromised
             Past Problems – TJX, Hannaford, {others; reference recent articles}
             Facility – is your office or facility secure, all the time? Are you at risk for more than
             personal identity theft?
             Unauthorized or Unknown Access – Who can get their hands on PI info?
                   Employees, contractors, suppliers, customers
                   How do you know the info is safe?
             Other Regulations – do you have to comply with HIPAA, Sarbanes-Oxley, etc.?
             201 CMR 17.00 actually requires more and different compliance than other regulations.
             Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other
             professional, did you know that you are at risk for a malpractice lawsuit if you do not
             advise your client of personal identity theft compliance requirements?
             Potential {Probable} Cause for Law Suits – violations will be viewed by
             litigation attorneys as a basis for bringing ADDITIONAL liability law suits against
             violators.

Computer System Security
         Regulation includes specific requirements
         related to computer system security
                   Authentication
                   Encryption
                   Access Controls
                   Firewalls & OS Patches
                   Data Transmission
                   Viruses & Malware
                   Monitoring
                   Training


Computer System Security

           Authentication
                   Control of User Accounts
                     “Control of IDs”

                     “Reasonably secure passwords”

                     Control of password security

                     Restrict access to active users

                     Block access after multiple attempts

Computer System Security

             Access Controls
                   Restrict access to those who “need to know”
                   to perform their jobs
                     File system security / permissions

                     Third-party tools available

                   Assign IDs and passwords
                     Unique (not shared)

                     “Not vendor supplied defaults”
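
An added example (not part of the original presentation): one way to check an account inventory against the Authentication and Access Controls slides above. The `Account` record, the finding codes, the 12-character minimum and the lockout ceiling of 10 are assumptions for illustration; the weak-password list comes from the "Dave's Top 10" slide, and the inventory is constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Passwords named on the "Dave's Top 10" slide; "" stands for 'null' (no password).
WEAK_PASSWORDS = {"password", "", "sa", "admin", "asdf1234", "root"}
MIN_LENGTH = 12    # assumption: the slides only say "reasonably secure passwords"
MAX_LOCKOUT = 10   # assumption: the slides only say "multiple attempts"


def password_problems(candidate: str, user_id: str, full_name: str) -> list[str]:
    """Check a password when it is set or changed, before it is hashed and stored."""
    problems = []
    lowered = candidate.lower()
    if lowered in WEAK_PASSWORDS:
        problems.append("known-weak")
    # Name parts and the login ID; very short tokens would match by accident.
    tokens = [t for t in full_name.lower().split() + [user_id.lower()] if len(t) >= 3]
    if any(t in lowered for t in tokens):
        problems.append("contains-name-or-id")
    if len(candidate) < MIN_LENGTH:
        problems.append("too-short")
    return problems


@dataclass
class Account:
    user_id: str
    holders: list[str]          # everyone who knows this credential
    enabled: bool
    vendor_default: bool        # password never changed from the shipped value
    lockout_after: int | None   # failed attempts before blocking; None = never


def audit_accounts(accounts: list[Account], active_staff: set[str]) -> list[tuple[str, str]]:
    """Return sorted (user_id, finding) pairs for every enabled account."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account grants no access
        if len(acct.holders) > 1:
            findings.append((acct.user_id, "shared-id"))        # IDs must be unique
        if not acct.holders or any(h not in active_staff for h in acct.holders):
            findings.append((acct.user_id, "inactive-holder"))  # active users only
        if acct.vendor_default:
            findings.append((acct.user_id, "vendor-default"))
        if acct.lockout_after is None or not 1 <= acct.lockout_after <= MAX_LOCKOUT:
            findings.append((acct.user_id, "no-lockout"))       # block after attempts
    return sorted(findings)


# Constructed sample inventory for a small office.
ACTIVE_STAFF = {"J. Smith", "A. Lee", "B. Cruz", "IT contractor"}
SAMPLE_ACCOUNTS = [
    Account("jsmith", ["J. Smith"], True, False, 5),
    Account("frontdesk", ["A. Lee", "B. Cruz"], True, False, 5),
    Account("admin", ["IT contractor"], True, True, None),
    Account("mjones", ["M. Jones"], True, False, 5),   # M. Jones has left
    Account("oldtemp", ["T. Temp"], False, False, 5),  # already disabled
]

if __name__ == "__main__":
    for user_id, finding in audit_accounts(SAMPLE_ACCOUNTS, ACTIVE_STAFF):
        print(f"{user_id}: {finding}")
    print(password_problems("asdf1234", "dave", "Dave Example"))
```
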

Computer System Security

           Data Transmission
                   Encryption of transmitted data
                     “Where technically feasible”
                        Web Sites (SSL / https)

                        Email (PGP / 3rd party services)

                        Remote Access Solutions

                        Online Service Providers

                        Wireless (“All Data”)



Computer System Security

           Monitoring
                   “Reasonable monitoring of systems for
                   unauthorized use of or access to personal
                   information”
                     Intrusion Detection
                     Application Logs
                     Server Firewalls
                     Network Security Logs
                     File System Auditing
Computer System Security

           Encryption of Personal Information Stored on Portable
           Devices
                   Laptops
                      Encryption vs. Passwords
                      File-based vs. Entire Laptop
                      Operating System vs. Third Party Solutions
                   “Other Devices”
                      Portable Hard Drives (USB devices)
                      Backup Media
                      CDs, DVDs, Blackberries, PDAs



Computer System Security

           Firewalls & OS Patches
                   Firewall Protection
                     “Reasonably up-to-date”

                     Vendor supported and routinely updated

                   Operating System Security Patches
                     Automatic update features

                     Servers & workstations

                     User considerations
Computer System Security

           Viruses & Malware
                   “Reasonably up-to-date versions”

                   “Must include malware protection”

                   Supported by vendor
                     Up-to-date patches and definitions

                     “Set to receive the most current security
                     updates on a regular basis”


Computer System Security

           “Education and training of employees
           on the proper use of the computer
           security system and the importance of
           personal information security.”
                   New hire orientation

                   Specific routine organizational efforts




How to Comply with 201 CMR 17.00
                   We will go into more detail on each bullet point

             Assess your current situation
             Create a detailed WISP
             Establish processes and procedures
             Notifications of any security breach
             Other Good Business Practices
             Education & Training
             Estimated cost of compliance
             Opportunities for savings
             Free limited assessment
Dave’s Top 10
      10 - Your login screen says ‘Win XP’
      9 - I will sleep better
      8 - My inbox is full of SPAM and I can’t find anything
      7 - My passwords include: ‘password’, ’null’ (no password) ‘sa’,
            ‘admin’, ‘asdf1234’, ‘root’, or my name
      6 - ‘My computer and the internet take forever! #@$%&’ or, ‘My
            computer takes forever to boot up!’
      5 - A customer asked me about this new law the other day, and if we
            were compliant?
      4 - My insurance company was asking about this new data law
      3 - My credit card processors mentioned something about an
            $880,000 fine for TJX stores
      2 - My lawyer mentioned something about not only fines, but other
            legal suits and more costs
      1 - It’s not only the law and I don’t want to be fined or sued;
            but it is just good business!
Assess Information Security
             Overall approach
                   Identify gaps between your operations and the regulation
                   Identify areas for potential risks
                   Paper and electronic
                   List specific action items for corrective measures
             Facilities and equipment, etc.
                   Are your facilities locked and secured?
                   Are any computers allowed to leave the premises?
                   Are your network connections completely secure?
             How is personal identity info handled today?
                   Paper and electronic
                   Who has access vs. a need to know or handle?
                                 See audit/assessment spreadsheet

Create a Detailed WISP
                       Written Information Security Program (WISP)

             General headings and categories
                   Specific detail of
                     Processes and procedures to follow to:
                         Protect Personal Identity (PI)
                         Take in the case of a breach (loss of PI)
                   Prepare supporting documents and templates
                   Additional guidelines are available from the
                   Mass.gov website – see
                   www.BostonBusinessAlliance.com for links
                                 Example start of a WISP



Establish Process & Procedures
             Establish and then test all processes and
             procedures to make sure they work
                   Add details as needed
                   These documents will be part of an audit
             Bridge any gaps in your assessment
             Implement electronic security and protection
             Train all employees, including annual re-training
             Annual audits and reviews are required by the
             regulation

Required Notifications
             In the case of ANY potential security breach, you
             are required to notify
                   MA OCABR
                   MA AG office {link to sample letter}
                   Each MA resident for whom you hold any personal identity
                   information {link to sample letter}
             Other entities
                   Credit card processing companies
                   Employees
                   …

Other Good Business Practices
             Put a compliance statement on your
             website
                   Make sure that you do comply!
             Notify any of your partners, vendors, or
             suppliers that they MUST comply if they
             access any of your PI information for MA
             residents
                   Ask them for a statement of compliance
                         Example of MA IT Contractor Certification

Education and Training
             “Education and training of employees on
             the proper use of the computer security
             system and the importance of personal
             information security.”
                   New hire orientation

                   Specific routine organizational efforts
                   What to do if they experience any potential
                   security risk or problem

Estimated Cost of Compliance
        [Bar chart, vertical axis 0 to 30000: One time, Recurring and Total cost
        for three scenarios: OCABR, Real world, Worst Case]

        Options:
              1 Potential High Cost
              2 Possible Outsource
              3 OCABR Estimates*
              4 Do it yourself??
              5 Yourself & Expert

   Based on OCABR estimates for:
   10 person business with 3 laptops and
   1 network server, serving 7 desktops
Back Up Cost Information*
 1 Server, 3 laptops, 7 desktops

                                        OCABR                 Real World Cost       Worst Case
                                        One Time   Recurring  One Time   Recurring  One Time   Recurring
 Hardware (New PC's)                                          $3,750                $7,500
 Software                                                     $1,000                $1,000
 Professional Service
 (WISP, audit, apply patches,
 install s/w)                                      $500       $3,000     $750       $3,000     $750
 Training                                                     $250                             $500
 "Systems Compliance"                   $3,000
 "Data Audit and Compliance"            $1,000
 Subtotal                               $4,000     $6,000     $8,000     $9,000     $11,500    $15,000
 Total                                  $10,000               $17,000               $26,500




  * OCABR assumption is the ‘business’ would already have retained such a consultant
  to monitor and maintain the current installation and software in connection with
  protecting the company’s own, and customer, information.
Opportunities for savings
             Hire professionals
                   Make sure they cover the entire regulation
                      Or know the regulation well enough to be selective
                   Appropriately scope and estimate effort
                   Negotiate responsibilities and resources
             Other options:
                   Research and learn all the requirements and nuances
                   Use the ‘legalzoom’ approach
                   Use free and open source software
                   Leverage your current investment
                   A sound business decision to combine various options
                   with some outside help

Free Limited Assessment
             Arpin Consulting will provide a free, limited, one-hour 201 CMR
             17.00 compliance audit for any attendees, including sole
             proprietors, businesses, and organizations
             Focus:
                   Specific processes and procedures required to ensure compliance
                   High level electronic information security (PCs, network, etc.)
             Deliverables:
                   An assessment of potential risks or problems that may interfere with
                   compliance
                   An assessment of electronic information, specifically, high level,
                   network and computer security
                   A Preliminary Report that will point out potential problems, suggested
                   corrective actions, and any urgent items to meet the March 1, 2010
                   deadline
             You decide what you will do with the report
                   Do it yourself; assign it to someone; hire someone; or a mix
                   Security Compliance Audit information - handouts
                         Contact to schedule your free assessment:
                       Ray Arpin, 617-435-1159, email: Ray@RayArpin.com
                      Bob Carroll, 617-314-9813, email: Bob@Bob-Carroll.com
Questions & Answers &
                       Call to Action
          Will you be ready for March 1, 2010?

          Is your customers' personal identity
          information really protected from loss or theft?

          Are all your facilities, computers, network,
          and files adequately protected, by law?


Closing and Adjourn
             Reminder about Boston Business Alliance
                   Visit the website to suggest Hot Topics for these types
                   of meetings
                   Invite other small business owners and peers who
                   might benefit
                   Register for future meetings
                   Ask us to put your name on our email list to be
                   notified of future meetings and events
             Evaluation form
                   Please complete and leave on the table going out so
                   that we can continuously improve


Contact Information
             Boston Business Alliance
                   www.BostonBusinessAlliance.com
                   See website for additional Contact and Member information
             Attorney Dennis Ford Eagan
                   Finneran & Nicholson, PC -- www.FinneranNicholson.com
                   978-462-1514 – Email: Dennis@FinNic.com
             Matt Pettine
                   MFA - Moody, Famiglietti & Andronico, LLP – www.MFA-CPA.com
                   978-557-5300 – Email: MPettine@MFACornerstone.com
             Ray Arpin
                   Arpin Consulting – www.RayArpin.com
                   617-435-1159 – Email: Ray@RayArpin.com


             See our website and handouts for other contacts, along with
             information on 201 CMR, the BBA, and our sponsors
                   www.BostonBusinessAlliance.com

                      Feel free to pick up any of the handouts on the table.
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 

MA 201 CMR 17.00 Personal Identity Security

  • 1. Personal Identity Security “Y2K plus 10” Are You Ready for March 1, 2010? The new MA regulation: 201 CMR 17.00 – Updated and including FTC Red Flag Rules Presented by the: Boston Business Alliance October 27, 2009 – Woburn, MA
  • 2. Sponsors Facilities/Location Sponsor: Sunbelt Business Sales & Acquisitions Contact: Mariola Andoni Phone: 781-932-7355 www.sunbeltne.com Refreshment Sponsor: Analytix Solutions Contact: Jason Lefter Phone: 781-503-9000 www.analytixsolutions.com Website Sponsor: Techevolution Contact: Corey Tapper Phone: 781-595-2040 www.techevolution.com
  • 3. Personal Identity Security – Y2K plus 10 New MA Regulation – 201 CMR 17.00 October 27; 6:30 PM – 8:30 PM – 800 W. Cummings Park, Woburn, MA 6:15 Refreshments and Networking 6:30 Overview – Personal Identity Security & Red Flag (Attorney Dennis Eagan) 6:55 Computer Systems & Technical Security (Matt Pettine, Managing Director) 7:20 How you can comply – what to do guidelines (Ray Arpin, Consultant) 7:50 Questions & Answers & Call to Action (speakers) 8:30 Adjourn Speakers and Vendors available for questions
  • 4. Speakers Dennis Ford Eagan Dennis Ford Eagan, attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport. Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients in protecting their intellectual property interests. He is a member of the Massachusetts Bar Association and the Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00. Matt Pettine Matt has over 20 years of experience in business and best practices in the application of technology. He holds no less than 5 certifications in these areas. He fully understands business and how the different functions interrelate, along with the uses of technology to compete in today’s business world. He has worked in security and regulatory compliance in MA 201 CMR 17.00, Sarbanes-Oxley, and with other regulations. He is a member of the Information Systems Audit and Control Association. Ray Arpin Ray Arpin has 30 years of experience working with small companies and start-ups, to Fortune 10, Global 2000, state and federal organizations, in a wide variety of industries and segments. His specialty is business process improvement to increase sales and reduce costs, professional services, and regulatory compliance. Most recently, he is focused on helping companies and individuals quickly apply business best practices, and specifically to become compliant with personal identity security regulations and MA 201 CMR 17.00.
  • 5. Personal Identity Protection How it started… On August 2, 2007, Governor Deval Patrick approved the Massachusetts Act Relative to Security Freezes and Notification of Data Breaches. One of the most comprehensive Personal Identity Theft Prevention statutes in the country. Three components to the Act: Establishing a right for consumers to request a security freeze on their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A); Requiring notification of security breaches to regulators and affected residents (Mass. Gen. Laws c. 93H); Establishing procedures for destruction and disposal of personal identity information (Mass. Gen. Laws c. 93I).
  • 6. Mass. General Law c. 93H Personal Identity Information Under Mass. Gen. Law c. 93H, § 1, the Legislature defined Personal Information as: “A resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: Social Security Number; Driver’s License or State-issued Identification Card Number; Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; Provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
  • 7. OCABR – 201 CMR 17.00 Purpose Pursuant to C. 93H, the Department of Consumer Affairs and Business Regulation (OCABR) issued regulations 201 C.M.R. 17.00, regulating persons and businesses maintaining Personal Information, which were revised in August, 2009. Purpose of the regulations: Establish minimum standards for safeguarding Personal Information contained in both electronic and hard copy records; Insure the security and confidentiality of customer information in a manner fully consistent with industry standards; Protect against anticipated threats or hazards to security or integrity of such information; Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. Compliance required by March 1, 2010 (extended by the OCABR from original compliance dates of January 1)
  • 8. Business and Individuals 201 C.M.R. 17.00 applies to all persons and businesses that own, license, store or maintain Personal Information of any Massachusetts resident. As a result, these regulations cover all employers, professional service providers, and almost all businesses that accept credit or debit cards. Also, if you have any employees, you need to protect their Social Security numbers. Regulations cover all Personal Information, whether paper, hard copy or electronically stored. Requires covered businesses and persons to develop, implement and maintain a comprehensive Written Information Security Program (“WISP”). The WISP may be in one or more accessible parts. WISP shall contain administrative, technical and physical safeguards to ensure the security and confidentiality of Personal Information. Targeted to be reasonably consistent with industry practices and consistent with federal regulations
  • 9. Written Information Security Program (WISP) Basic required elements for WISP: Designating one or more employees to maintain program; Identify risks and Personal Information intake; Improve safeguards; Limiting access and restricting use and transport; Encryption / Computer system security requirements; Train employees and require compliance; Detecting and preventing failures and documenting response actions; Third party certification of those contracted to maintain or having access to Personal Information; At least annual review.
  • 10. WISP Components An effective WISP should contain at minimum: technical safeguards (i.e., encryption, firewalls, password protections); physical safeguards (i.e., locked file cabinets, alarm systems, etc.); administrative safeguards (i.e., limiting access, secure storage and transport, proper destruction and disposal; employee oversight, intake processes, etc.); designation of an employee to oversee the program and initiate annual reviews of the program; procedures to identify risks and threats to the personal information; procedures for on-going compliance and monitoring, including disciplinary action for violations; oversight provisions, not only for employees but also third party contractors with access to personal information; and procedures to notify regulators and the affected persons upon any security breach, which may include lost or stolen laptops, misdirected e-mails, inadvertent disclosure, access by terminated employees, or hacking and other outside infiltration.
  • 11. Disposal of Personal Information Mass. Gen. Laws c. 93I requires minimum standards for disposal of Personal Information so that it may not be practicably read or reconstructed: Paper / Hard copies – Redacted, burned, pulverized or shredded; Electronic / Non-paper – Destroyed or erased. Requires care in properly shredding Personal Information, i.e., obtaining written certification from third party services. Requires care in destroying, erasing and disposing of hard drives, laptops, computers, cell phones, and PDAs.
  • 12. Enforcement of 201 CMR 17.00 Enforced by the Massachusetts Attorney General. Attorney General may bring action under Mass. Gen. Laws c. 93A, §4: Injunctive relief; Civil penalties not more than $5,000 for each violation Costs of investigation, litigation, including attorney’s fees. Civil liability for any breach / increased duty of care. Mass. Gen. Laws c. 93I (Destruction) – Fines of up to $100 per data subject affected; Not more than $50,000 for each instance of improper disposal.
  • 13. Federal Trade Commission Red Flag Rules Enforced by the U.S. Federal Trade Commission. Effective November 1, 2009. Red Flag Rules require many businesses to develop and implement written identity theft programs to identify, detect and respond to “red flags” of identity theft. The Red Flag Rules apply to financial institutions and “creditors,” i.e. all businesses that extend credit to clients. For purposes of the Red Flag Rules the term “creditors” is defined as: “any person who regularly extends, renews, or continues credit” which is defined as, the “right granted … to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”
  • 14. Red Flag - Creditors This broad definition of “creditor” subject to the Red Flag Rules includes any business that provides its goods and services to a client or customer before accepting payment. This may include many service providers: broker-dealers, investment advisers, health care providers; attorneys; accountants; IT professionals; Cleaning service companies; Landscapers; retailers, mortgage brokers, car dealers, and other organizations that arrange loans or extend consumer credit; AND many other professional and consumer service providers, who bill clients rather than accepting full payment at the time of service.
  • 15. Red Flag & Identity Theft All businesses and entities covered by the Red Flag Rules must adopt and implement an Identity Theft Prevention Program, which must, at minimum: Identify potential Red Flags, or suspicious patterns, specific activities or practices that indicate potential threats for identity theft, that come about in the course of business for incoming or existing client accounts; Detect Red Flags that are identified, i.e., procedures to detect and respond to fraudulent identification; Implement appropriate response actions to detected Red Flags; and Periodically, and not less than annually, review the program.
  • 16. Red Flag Penalties Subject to FTC investigations and enforcement actions. May include civil penalties up to $3,500 per violation and injunctive relief. Presently, the Red Flag Rules do not include a private right of action to consumers, but there is a complaint procedure to the FTC. Violations may establish a prima facie case of negligence or intentional misconduct in a civil suit by an affected consumer.
  • 17. Possible Implications and Why be Concerned? Applicability – if your organization obtains personal identity information from MA residents, you MUST comply Personal Identity Information – credit card, driver license, or SS numbers Possible Fines – $5,000 per occurrence, and/or per person affected or compromised Past Problems – TJX, Hannaford, {others; reference recent articles} Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft? Unauthorized or Unknown Access – Who can get their hands on PI info? Employees, contractors, suppliers, customers How do you know the info is safe? Other Regulations – do you have to comply with HIPAA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actually requires more and different compliance than other regulations. Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements? Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators.
  • 18. Computer System Security Regulation includes specific requirements related to computer system security: Authentication; Encryption; Access Controls; Firewalls & OS Patches; Data Transmission; Viruses & Malware; Monitoring; Training
  • 19. Computer System Security – Authentication: Control of User Accounts; “Control of IDs”; “Reasonably secure passwords”; Control of password security; Restrict access to active users; Block access after multiple attempts
  • 20. Computer System Security – Access Controls: Restrict access to those who “need to know” to perform their jobs; File system security / permissions; Third-party tools available; Assign IDs and passwords; Unique (not shared); “Not vendor supplied defaults”
  • 21. Computer System Security – Data Transmission: Encryption of transmitted data; “Where technically feasible”; Web Sites (SSL / https); Email (PGP / 3rd party services); Remote Access Solutions; Online Service Providers; Wireless (“All Data”)
  • 22. Computer System Security – Monitoring: “Reasonable monitoring of systems for unauthorized use of or access to personal information”; Intrusion Detection; Application Logs; Server Firewalls; Network Security Logs; File System Auditing
  • 23. Computer System Security – Encryption of Personal Information Stored on Portable Devices: Laptops: Encryption vs. Passwords; File-based vs. Entire Laptop; Operating System vs. Third Party Solutions. “Other Devices”: Portable Hard Drives (USB devices); Backup Media; CDs, DVDs, Blackberries, PDAs
  • 24. Computer System Security – Firewalls & OS Patches: Firewall Protection: “Reasonably up-to-date”; Vendor supported and routinely updated. Operating System Security Patches: Automatic update features; Servers & workstations; User considerations
  • 25. Computer System Security – Viruses & Malware: “Reasonably up-to-date versions”; “Must include malware protection”; Supported by vendor; Up-to-date patches and definitions; “Set to receive the most current security updates on a regular basis”
  • 26. Computer System Security “Education and training of employees on the proper use of the computer security system and the importance of personal information security.” New hire orientation; Specific routine organizational efforts
  • 27. Possible Implications and Why be Concerned? Applicability – if your organization obtains personal identity information from MA residents, you MUST comply Personal Identity Information – credit card, driver license, or SS numbers Possible Fines – $5,000 per occurrence, and/or per person affected or compromised Past Problems – TJX, Hannaford, {others; reference recent articles} Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft? Unauthorized or Unknown Access – Who can get their hands on PI info? Employees, contractors, suppliers, customers How do you know the info is safe? Other Regulations – do you have to comply with HIPAA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actually requires more and different compliance than other regulations. Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements? Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators.
  • 28. How to Comply with 201 CMR 17.00. We will go into more detail on each bullet point: Assess your current situation; Create a detailed WISP; Establish processes and procedures; Notifications of any security breach; Other Good Business Practices; Education & Training; Estimated cost of compliance; Opportunities for savings; Free limited assessment
  • 29. Dave’s Top 10: 10 - Your login screen says ‘Win XP’; 9 - I will sleep better; 8 - My inbox is full of SPAM and I can’t find anything; 7 - My passwords include: ‘password’, ‘null’ (no password), ‘sa’, ‘admin’, ‘asdf1234’, ‘root’, or my name; 6 - ‘My computer and the internet takes forever! #@$%&’ or, ‘My computer takes forever to boot up!’; 5 - A customer asked me about this new law the other day, and if we were compliant?; 4 - My insurance company was asking about this new data law; 3 - My credit card processors mentioned something about an $880,000 fine for TJX stores; 2 - My lawyer mentioned something about not only fines, but other legal suits and more costs; 1 - It’s not only the law and I don’t want to be fined or sued; but it is just good business!
  • 30. Assess Information Security Overall approach: Identify gaps between your operations and the regulation; Identify areas for potential risks (Paper and electronic); List specific action items for corrective measures. Facilities and equipment, etc.: Are your facilities locked and secured? Are any computers allowed to leave the premises? Are your network connections completely secure? How is personal identity info handled today? Paper and electronic; Who has access vs. a need to know or handle? See audit/assessment spreadsheet
  • 31. Create a Detailed WISP Written Information Security Program (WISP) General headings and categories Specific detail of Processes and procedures to follow to: Protect Personal Identity (PI) Take in the case of a breach (loss of PI) Prepare supporting documents and templates Additional guidelines are available from the Mass.gov website – see www.BostonBusinessAlliance.com for links Example start of a WISP
  • 32. Establish Process & Procedures Establish and then test all processes and procedures to make sure they work; Add details as needed; These documents will be part of an audit; Bridge any gaps in your assessment; Implement electronic security and protection; Train all employees, including annual re-training; Annual audits and reviews are required by the regulation
  • 33. Required Notifications In the case of ANY potential security breach, you are required to notify: MA OCABR; MA AG office {link to sample letter}; Each MA resident for whom you have any personal identity information {link to sample letter}; Other entities: Credit card processing companies; Employees; …
  • 34. Other Good Business Practices Put a compliance statement on your website Make sure that you do comply! Notify any of your partners, vendors, or suppliers that they MUST comply if they access any of your PI information for MA residents Ask them for a statement of compliance Example of MA IT Contractor Certification
  • 35. Education and Training “Education and training of employees on the proper use of the computer security system and the importance of personal information security.” New hire orientation Specific routine organizational efforts What to do if they experience any potential security risk or problem
  • 36. Estimated Cost of Compliance [Bar chart: One time, Recurring and Total cost for the OCABR, Real world and Worst Case scenarios] Options: 1 Potential High Cost; 2 Possible Outsource; 3 OCABR Estimates*; 4 Do it yourself??; 5 Yourself & Expert. Based on OCABR estimates for: 10 person business with 3 laptops and 1 network server, serving 7 desktops
  • 37. Back Up Cost Information* 1 Server, 3 laptops, 7 desktops OCABR Real World Cost Worst Case One Time Recurring One Time Recurring One Time Recurring Hardware (New PC's) $3,750 $7,500 Software $1,000 $1,000 Professional Service (WISP, audit, apply patches, install s/w) $500 $3,000 $750 $3,000 $750 Training $250 $500 "Systems Compliance" $3,000 "Data Audit and Compliance" $1,000 $4,000 $6,000 $8,000 $9,000 $11,500 $15,000 Total $10,000 $17,000 $26,500 * OCABR assumption is the ‘business’ would already have retained such a consultant to monitor and maintain the current installation and software in connection with protecting the company’s own, and customer, information.
  • 38. Opportunities for savings Hire professionals: Make sure they cover the entire regulation, or know the regulation well enough to be selective; Appropriately scope and estimate effort; Negotiate responsibilities and resources. Other options: Research and learn all the requirements and nuances; Use the ‘legalzoom’ approach; Use free and open source software; Leverage your current investment. A sound business decision is to combine various options with some outside help
  • 39. Free Limited Assessment Arpin Consulting will provide a free, limited, one-hour 201 CMR 17.00 compliance audit for any attendees; including sole proprietors, businesses, and organizations Focus: Specific processes and procedures required to ensure compliance High level electronic information security (PCs, network, etc.) Deliverables: An assessment of potential risks or problems that may interfere with compliance An assessment of electronic information, specifically, high level, network and computer security A Preliminary Report that will point out potential problems, suggested corrective actions, and any urgent items to meet the March 1, 2010 deadline You decide what you will do with the report Do it yourself; assign it to someone; hire someone; or a mix Security Compliance Audit information - handouts Contact to schedule your free assessment: Ray Arpin, 617-435-1159, email: Ray@RayArpin.com Bob Carroll, 617-314-9813, email: Bob@Bob-Carroll.com
  • 40. Questions & Answers & Call to Action Will you be ready for March 1, 2010? Is your customer personal identity information really protected from loss or theft? Are all your facilities, computers, network, and files adequately protected, by law?
  • 41. Sponsors Facilities/Location Sponsor: Sunbelt Business Sales & Acquisitions Contact: Mariola Andoni Phone: 781-932-7355 www.sunbeltne.com Refreshment Sponsor: Analytix Solutions Contact: Jason Lefter Phone: 781-503-9000 www.analytixsolutions.com Website Sponsor: Techevolution Contact: Corey Tapper Phone: 781-595-2040 www.techevolution.com
  • 42. Closing and Adjourn Reminder about Boston Business Alliance: Visit the website to suggest Hot Topics for these types of meetings; Invite other small business owners and peers who might benefit; Register for future meetings; Ask us to put your name on our email list to be notified of future meetings and events. Evaluation form: Please complete and leave on the table going out so that we can continuously improve
  • 43. Contact Information Boston Business Alliance www.BostonBusinessAlliance.com See website for additional Contact and Member information Attorney Dennis Ford Eagan Finneran & Nicholson, PC -- www.FinneranNicholson.com 978-462-1514 – Email: Dennis@FinNic.com Matt Pettine MFA - Moody, Famiglietti & Andronico, LLP – www.MFA-CPA.com 978-557-5300 – Email: MPettine@MFACornerstone.com Ray Arpin Arpin Consulting – www.RayArpin.com 617-435-1159 – Email: Ray@RayArpin.com See our website and handouts for other contacts, along with information on 201 CMR, the BBA, and our sponsors www.BostonBusinessAlliance.com Feel free to pick up any of the handouts on the table.