MA 201 CMR 17.00 is the new Massachusetts regulation requiring everyone who accesses / stores personal identity information (credit card, SSN, etc.) to safeguard the information by March 1, 2010. Learn how.
1. Personal Identity Security
“Y2K plus 10”
Are You Ready for March 1, 2010?
The new MA regulation: 201 CMR 17.00 –
Updated and including FTC Red Flag Rules
Presented by the:
Boston Business Alliance
October 27, 2009 – Woburn, MA
2. Sponsors
Facilities/Location Sponsor:
Sunbelt Business Sales & Acquisitions
Contact: Mariola Andoni
Phone: 781-932-7355
www.sunbeltne.com
Refreshment Sponsor:
Analytix Solutions
Contact: Jason Lefter
Phone: 781-503-9000
www.analytixsolutions.com
Website Sponsor:
Techevolution
Contact: Corey Tapper
Phone: 781-595-2040
www.techevolution.com
October 27, 2009 Boston Business Alliance 2
3. Personal Identity Security – Y2K plus 10
New MA Regulation – 201 CMR 17.00
October 27; 6:30 PM – 8:30 PM – 800 W. Cummings Park, Woburn, MA
6:15 Refreshments and Networking
6:30 Overview – Personal Identity Security & Red Flag
(Attorney Dennis Eagan)
6:55 Computer Systems & Technical Security
(Matt Pettine, Managing Director)
7:20 How you can comply – what to do guidelines
(Ray Arpin, Consultant)
7:50 Questions & Answers & Call to Action
(speakers)
8:30 Adjourn
Speakers and Vendors available for questions
4. Speakers
Dennis Ford Eagan
Dennis Ford Eagan, attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport.
Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters
and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients in
protecting their intellectual property interests. He is a member of the Massachusetts Bar Association and the
Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent
presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00.
Matt Pettine
Matt has over 20 years of experience in business and best practices in the application of technology. He holds no
fewer than 5 certifications in these areas. He fully understands business and how the different functions interrelate,
along with the use of technology to compete in today’s business world. He has worked in security and regulatory
compliance in MA 201 CMR 17.00, Sarbanes-Oxley, and with other regulations. He is a member of the
Information Systems Audit and Control Association.
Ray Arpin
Ray Arpin has 30 years of experience working with small companies and start-ups, to Fortune 10, Global 2000,
state and federal organizations, in a wide variety of industries and segments. His specialty is business process
improvement to increase sales and reduce costs, professional services, and regulatory compliance. Most
recently, he has focused on helping companies and individuals quickly apply business best practices, and
specifically on becoming compliant with personal identity security regulations and MA 201 CMR 17.00.
5. Personal Identity Protection
How it started…
On August 2, 2007, Governor Deval Patrick approved
the Massachusetts Act Relative to Security Freezes and
Notification of Data Breaches.
One of the most comprehensive Personal Identity
Theft Prevention statutes in the country.
Three components to the Act:
Establishing a right for consumers to request a security freeze on
their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A);
Requiring notification of security breaches to regulators and
affected residents (Mass. Gen. Laws c. 93H);
Establishing procedures for destruction and disposal of personal
identity information (Mass. Gen. Laws c. 93I).
6. Mass. General Law c. 93H
Personal Identity Information
Under Mass. Gen. Law c. 93H, § 1, the Legislature
defined Personal Information as:
“A resident’s first name and last name or first initial and last
name in combination with any 1 or more of the following data
elements that relate to such resident:
Social Security Number;
Driver’s License or State-issued Identification Card Number;
Financial Account Number, or Credit or Debit Card Number, with or without
any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account;
Provided, however, that “Personal Information” shall not include
information that is lawfully obtained from publicly available
information, or from federal, state or local government records
lawfully made available to the general public.
7. OCABR – 201 CMR 17.00
Purpose
Pursuant to C. 93H, the Department of Consumer Affairs and
Business Regulation (OCABR) issued regulations 201 C.M.R.
17.00, regulating persons and businesses maintaining
Personal Information, which were revised in August, 2009.
Purpose of the regulations:
Establish minimum standards for safeguarding Personal Information
contained in both electronic and hard copy records;
Ensure the security and confidentiality of customer information in a manner
fully consistent with industry standards;
Protect against anticipated threats or hazards to security or integrity
of such information;
Protect against unauthorized access to or use of such information that
may result in substantial harm or inconvenience to any consumer.
Compliance required by March 1, 2010 (extended by the
OCABR from original compliance dates of January 1)
8. Business and Individuals
201 C.M.R. 17.00 applies to all persons and businesses that own,
license, store or maintain Personal Information of any
Massachusetts resident.
As a result, these regulations cover all employers, professional service
providers, and almost all businesses that accept credit or debit cards
Also, if you have any employees, you need to protect their Social
Security numbers
Regulations cover all Personal Information, whether paper, hard
copy or electronically stored.
Requires covered businesses and persons to develop, implement and
maintain a comprehensive Written Information Security Program
(“WISP”)
The WISP may be in one or more accessible parts
WISP shall contain administrative, technical and physical safeguards
to ensure the security and confidentiality of Personal Information.
Targeted to be reasonably consistent with industry practices and
consistent with federal regulations
9. Written Information Security
Program (WISP)
Basic required elements for WISP:
Designating one or more employees to maintain program;
Identify risks and Personal Information intake;
Improve safeguards;
Limiting access and restricting use and transport;
Encryption / Computer system security requirements;
Train employees and require compliance;
Detecting and preventing failures and documenting response
actions;
Third party certification of those contracted to maintain or
having access to Personal Information;
At least annual review.
10. WISP Components
An effective WISP should contain at minimum:
technical safeguards (i.e., encryption, firewalls, password protections);
physical safeguards (i.e., locked file cabinets, alarm systems, etc.);
administrative safeguards (i.e., limiting access, secure storage and transport,
proper destruction and disposal; employee oversight, intake processes, etc.);
designation of an employee to oversee the program and initiate annual
reviews of the program;
procedures to identify risks and threats to the personal information;
procedures for on-going compliance and monitoring, including disciplinary
action for violations;
oversight provisions, not only for employees but also third party contractors
with access to personal information; and
procedures to notify regulators and the affected persons upon any
security breach, which may include lost or stolen laptops, misdirected e-mails,
inadvertent disclosure, access by terminated employees, or hacking and other
outside infiltration.
11. Disposal of Personal Information
Mass. Gen. Laws c. 93I requires minimum standards
for disposal of Personal Information so that it may not
be practicably read or reconstructed:
Paper / Hard copies – Redacted, burned, pulverized or shredded;
Electronic / Non-paper – Destroyed or erased
Requires care in properly shredding Personal
Information, i.e., obtaining written certification from
third party services.
Requires care in destroying, erasing and disposing of
hard drives, laptops, computers, cell phones, and PDAs.
12. Enforcement of 201 CMR 17.00
Enforced by the Massachusetts Attorney General.
Attorney General may bring action under Mass. Gen.
Laws c. 93A, §4:
Injunctive relief;
Civil penalties not more than $5,000 for each violation
Costs of investigation, litigation, including attorney’s fees.
Civil liability for any breach / increased duty of care.
Mass. Gen. Laws c. 93I (Destruction) –
Fines of up to $100 per data subject affected;
Not more than $50,000 for each instance of improper disposal.
13. Federal Trade Commission
Red Flag Rules
Enforced by the U.S. Federal Trade Commission
Effective November 1, 2009
Red Flag Rules require many businesses to develop and
implement written identity theft programs to identify, detect
and respond to “red flags” of identity theft
The Red Flag Rules apply to financial institutions and
“creditors,” i.e. all businesses that extend credit to clients.
For purposes of the Red Flag Rules the term “creditors” is defined as:
“any person who regularly extends, renews, or continues credit”
where credit is defined as the “right granted … to defer payment of debt
or to incur debts and defer its payment or to purchase property or
services and defer payment therefor.”
14. Red Flag - Creditors
This broad definition of “creditor” subject to the Red Flag
Rules includes any business that provides its goods and
services to a client or customer before accepting
payment. This may include many service providers:
broker-dealers, investment advisers,
health care providers;
attorneys; accountants;
IT professionals;
Cleaning service companies; Landscapers
retailers, mortgage brokers, car dealers, and other organizations
that arrange loans or extend consumer credit; AND
many other professional and consumer service providers, who
bill clients rather than accepting full payment at the time of
service.
15. Red Flag & Identity Theft
All businesses and entities covered by the Red Flag Rules
must adopt and implement an Identity Theft Prevention
Program, which must, at minimum:
Identify potential Red Flags, or suspicious patterns, specific
activities or practices that indicate potential threats for identity
theft, that come about in the course of business for incoming or
existing client accounts;
Detect Red Flags that are identified, i.e., procedures to detect
and respond to fraudulent identification;
Implement appropriate response actions to detected Red Flags;
and
Periodically, and not less than annually, review the program.
16. Red Flag Penalties
Subject to FTC investigations and enforcement actions.
May include civil penalties up to $3,500 per violation and
injunctive relief.
Presently, the Red Flag Rules do not include a private
right of action to consumers, but there is a complaint
procedure to the FTC.
Violations may establish a prima facie case of negligence
or intentional misconduct in a civil suit by an affected
consumer.
17. Possible Implications and Why be
Concerned?
Applicability – if your organization obtains personal identity information from MA
residents, you MUST comply
Personal Identity Information – credit card, driver license, or SS numbers
Possible Fines – $5,000 per occurrence, and/or per person affected or
compromised
Past Problems – TJX, Hannaford, {others; reference recent articles}
Facility – is your office or facility secure, all the time? Are you at risk for more than
personal identity theft?
Unauthorized or Unknown Access – Who can get their hands on PI info?
Employees, contractors, suppliers, customers
How do you know the info is safe?
Other Regulations – do you have to comply with HIPAA, Sarbanes-Oxley, etc.?
201 CMR 17.00 actually requires more and different compliance than other regulations.
Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other
professional, did you know that you are at risk for a malpractice lawsuit if you do not
advise your client of personal identity theft compliance requirements?
Potential {Probable} Cause for Law Suits – violations will be viewed by
litigation attorneys as a basis for bringing ADDITIONAL liability law suits against
violators.
18. Computer System Security
Regulation includes specific requirements
related to computer system security
Authentication
Encryption
Access Controls
Firewalls & OS Patches
Data Transmission
Viruses & Malware
Monitoring
Training
19. Computer System Security
Authentication
Control of User Accounts
“Control of IDs”
“Reasonably secure passwords”
Control of password security
Restrict access to active users
Block access after multiple attempts
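The two authentication controls above, “restrict access to active users” and “block access after multiple attempts”, shown as a lockout policy replayed over a small login log. This is an added example, not material from the presentation or its speakers; the log format, the user directory and the 5-failures-in-10-minutes policy are assumptions made for the example.

```python
"""Account lockout replayed over constructed login log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Policy (assumed for this example): 5 failures within 10 minutes lock the
# account for 10 minutes, and only accounts marked active may log in at all.
MAX_FAILED_ATTEMPTS = 5
FAILURE_WINDOW = timedelta(minutes=10)
ACCOUNTS = {"alice": "active", "bob": "active", "carol": "terminated"}

# Constructed log, one attempt per line: "<ISO timestamp> <user> <FAIL|OK>".
SAMPLE_LOG = """\
2009-10-27T18:30:00 alice FAIL
2009-10-27T18:30:20 alice FAIL
2009-10-27T18:30:45 alice FAIL
2009-10-27T18:31:10 alice FAIL
2009-10-27T18:31:30 alice FAIL
2009-10-27T18:32:00 alice OK
2009-10-27T18:40:00 bob FAIL
2009-10-27T19:05:00 bob FAIL
2009-10-27T19:06:00 bob OK
2009-10-27T19:10:00 carol OK
"""


def parse_log(text):
    """Yield (timestamp, user, password_ok) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            stamp, user, result = line.split()
            yield datetime.fromisoformat(stamp), user, result == "OK"


def evaluate(log_text, accounts=ACCOUNTS):
    """Replay the log; return {(timestamp, user): decision} for every attempt.

    Decisions: 'allow', 'deny' (wrong password), 'deny-inactive' (account is
    not active) and 'locked' (attempt made while the lockout is in force).
    """
    failures = defaultdict(list)   # user -> timestamps of failures in the window
    locked_until = {}              # user -> time the lockout expires
    decisions = {}
    for stamp, user, password_ok in parse_log(log_text):
        if accounts.get(user) != "active":
            decisions[(stamp, user)] = "deny-inactive"
            continue
        if stamp < locked_until.get(user, stamp):
            decisions[(stamp, user)] = "locked"   # refused even if password is right
            continue
        if password_ok:
            failures[user] = []                  # success clears the counter
            decisions[(stamp, user)] = "allow"
            continue
        # Drop failures that fell out of the sliding window, then add this one.
        failures[user] = [t for t in failures[user] if stamp - t <= FAILURE_WINDOW]
        failures[user].append(stamp)
        decisions[(stamp, user)] = "deny"
        if len(failures[user]) >= MAX_FAILED_ATTEMPTS:
            locked_until[user] = stamp + FAILURE_WINDOW
    return decisions


def summarize(decisions):
    """Count decisions per user, e.g. {'alice': {'deny': 5, 'locked': 1}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for (_, user), decision in decisions.items():
        counts[user][decision] += 1
    return {user: dict(c) for user, c in counts.items()}


if __name__ == "__main__":
    for (stamp, user), decision in sorted(evaluate(SAMPLE_LOG).items()):
        print(stamp.isoformat(), user, decision)
```

Note that alice's sixth attempt carries the right password but is still refused, because the lockout is tied to the account rather than to the password check; bob's two failures fall outside the window and never accumulate.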
20. Computer System Security
Access Controls
Restrict access to those who “need to know”
to perform their jobs
File system security / permissions
Third-party tools available
Assign IDs and passwords
Unique (not shared)
“Not vendor supplied defaults”
21. Computer System Security
Data Transmission
Encryption of transmitted data
“Where technically feasible”
Web Sites (SSL / https)
Email (PGP / 3rd party services)
Remote Access Solutions
Online Service Providers
Wireless (“All Data”)
22. Computer System Security
Monitoring
“Reasonable monitoring of systems for
unauthorized use of or access to personal
information”
Intrusion Detection
Application Logs
Server Firewalls
Network Security Logs
File System Auditing
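The monitoring requirement quoted above, combined with the “need to know” access rule from the Access Controls slide, as an added example that is not part of the presentation: constructed file-system audit log lines are replayed against a need-to-know list for the files that hold personal information, and any access by a user outside that list, or outside business hours, is flagged for review. The log format, paths, user names and hours are assumptions.

```python
"""Review file-system audit events for unauthorized access to PI files."""
from datetime import datetime, time
from fnmatch import fnmatch

# Constructed need-to-know list: glob of PI-holding files -> users allowed.
NEED_TO_KNOW = {
    "/data/hr/*": {"hr_admin"},
    "/data/finance/cards/*": {"bookkeeper"},
}
# Assumption: access to PI files outside these hours deserves a second look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed audit log: "<ISO timestamp> <user> <READ|WRITE|DELETE> <path>".
SAMPLE_AUDIT = """\
2009-10-27T09:15:00 hr_admin READ /data/hr/employee_ssn.xls
2009-10-27T10:02:00 sales1 READ /data/hr/employee_ssn.xls
2009-10-27T22:47:00 bookkeeper READ /data/finance/cards/2009-10.csv
2009-10-27T11:30:00 bookkeeper WRITE /data/finance/cards/2009-10.csv
2009-10-27T12:00:00 sales1 READ /data/sales/pricelist.pdf
2009-10-27T13:05:00 sales1 DELETE /data/finance/cards/2009-09.csv
"""


def pi_rule_for(path, rules):
    """Return the need-to-know pattern covering path, or None if not a PI file."""
    for pattern in rules:
        if fnmatch(path, pattern):
            return pattern
    return None


def review_audit(text, rules=NEED_TO_KNOW, hours=BUSINESS_HOURS):
    """Return (timestamp, user, path, reason) for every event needing follow-up."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp_s, user, action, path = line.split(maxsplit=3)
        pattern = pi_rule_for(path, rules)
        if pattern is None:
            continue                     # not a PI file: nothing to review
        stamp = datetime.fromisoformat(stamp_s)
        if user not in rules[pattern]:
            alerts.append((stamp, user, path, f"{action} by user outside need-to-know list"))
        elif not hours[0] <= stamp.time() <= hours[1]:
            alerts.append((stamp, user, path, f"{action} outside business hours"))
    return alerts


if __name__ == "__main__":
    for stamp, user, path, reason in review_audit(SAMPLE_AUDIT):
        print(stamp.isoformat(), user, path, reason)
```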
23. Computer System Security
Encryption of Personal Information Stored on Portable
Devices
Laptops
Encryption vs. Passwords
File-based vs. Entire Laptop
Operating System vs. Third Party Solutions
“Other Devices”
Portable Hard Drives (USB devices)
Backup Media
CDs, DVDs, Blackberries, PDAs
24. Computer System Security
Firewalls & OS Patches
Firewall Protection
“Reasonably up-to-date”
Vendor supported and routinely updated
Operating System Security Patches
Automatic update features
Servers & workstations
User considerations
25. Computer System Security
Viruses & Malware
“Reasonably up-to-date versions”
“Must include malware protection”
Supported by vendor
Up-to-date patches and definitions
“Set to receive the most current security
updates on a regular basis”
26. Computer System Security
“Education and training of employees
on the proper use of the computer
security system and the importance of
personal information security.”
New hire orientation
Specific routine organizational efforts
28. How to Comply with 201 CMR 17.00
We will go into more detail on each bullet point
Assess your current situation
Create a detailed WISP
Establish processes and procedures
Notifications of any security breach
Other Good Business Practices
Education & Training
Estimated cost of compliance
Opportunities for savings
Free limited assessment
29. Dave’s Top 10
10 - Your login screen says ‘Win XP’
9 - I will sleep better
8 - My inbox is full of SPAM and I can’t find anything
7 - My passwords include: ‘password’, ‘null’ (no password), ‘sa’,
‘admin’, ‘asdf1234’, ‘root’, or my name
6 - ‘My computer and the internet take forever! #@$%&’ or ‘My
computer takes forever to boot up!’
5 - A customer asked me about this new law the other day, and if we
were compliant?
4 - My insurance company was asking about this new data law
3 - My credit card processors mentioned something about an
$880,000 fine for TJX stores
2 - My lawyer mentioned something about not only fines, but other
legal suits and more costs
1 - It’s not only the law and I don’t want to be fined or sued;
but it is just good business!
30. Assess Information Security
Overall approach
Identify gaps between your operations and the regulation
Identify areas for potential risks
Paper and electronic
List specific action items for corrective measures
Facilities and equipment, etc.
Are your facilities locked and secured?
Are any computers allowed to leave the premises?
Are your network connections completely secure?
How is personal identity info handled today?
Paper and electronic
Who has access vs. a need to know or handle?
See audit/assessment spreadsheet
31. Create a Detailed WISP
Written Information Security Program (WISP)
General headings and categories
Specific detail of
Processes and procedures to follow to:
Protect Personal Identity (PI)
Take in the case of a breach (loss of PI)
Prepare supporting documents and templates
Additional guidelines are available from the
Mass.gov website – see
www.BostonBusinessAlliance.com for links
Example start of a WISP
32. Establish Process & Procedures
Establish and then test all processes and
procedures to make sure they work
Add details as needed
These documents will be part of an audit
Bridge any gaps in your assessment
Implement electronic security and protection
Train all employees, including annual re-training
Annual audits and reviews are required by the
regulation
33. Required Notifications
In the case of ANY potential security breach, you
are required to notify
MA OCABR
MA AG office {link to sample letter}
Each MA resident whose personal identity information you
hold {link to sample letter}
Other entities
Credit card processing companies
Employees
…
34. Other Good Business Practices
Put a compliance statement on your
website
Make sure that you do comply!
Notify any of your partners, vendors, or
suppliers that they MUST comply if they
access any of your PI information for MA
residents
Ask them for a statement of compliance
Example of MA IT Contractor Certification
35. Education and Training
“Education and training of employees on
the proper use of the computer security
system and the importance of personal
information security.”
New hire orientation
Specific routine organizational efforts
What to do if they experience any potential
security risk or problem
36. Estimated Cost of Compliance
Chart: estimated cost of compliance (One time, Recurring, Total, in dollars) for three scenarios: OCABR, Real world, Worst Case
Options:
1 Potential High Cost
2 Possible Outsource
3 OCABR Estimates*
4 Do it yourself??
5 Yourself & Expert
Based on OCABR estimates for:
10 person business with 3 laptops and 1 network server, serving 7 desktops
37. Back Up Cost Information*
1 Server, 3 laptops, 7 desktops – columns: OCABR | Real World Cost | Worst Case (each One Time / Recurring)
Hardware (New PC's) $3,750 $7,500
Software $1,000 $1,000
Professional Service (WISP, audit, apply patches, install s/w) $500 $3,000 $750 $3,000 $750
Training $250 $500
"Systems Compliance" $3,000
"Data Audit and Compliance" $1,000
One Time / Recurring per scenario $4,000 $6,000 $8,000 $9,000 $11,500 $15,000
Total $10,000 $17,000 $26,500
* OCABR assumption is the ‘business’ would already have retained such a consultant
to monitor and maintain the current installation and software in connection with
protecting the company’s own, and customer, information.
38. Opportunities for savings
Hire professionals
Make sure they cover the entire regulation
Or know the regulation well enough to be selective
Appropriately scope and estimate effort
Negotiate responsibilities and resources
Other options:
Research and learn all the requirements and nuances
Use the ‘legalzoom’ approach
Use free and open source software
Leverage your current investment
A sound business decision to combine various options
with some outside help
39. Free Limited Assessment
Arpin Consulting will provide a free, limited, one-hour 201 CMR
17.00 compliance audit for any attendees; including sole
proprietors, businesses, and organizations
Focus:
Specific processes and procedures required to ensure compliance
High level electronic information security (PCs, network, etc.)
Deliverables:
An assessment of potential risks or problems that may interfere with
compliance
An assessment of electronic information, specifically, high level,
network and computer security
A Preliminary Report that will point out potential problems, suggested
corrective actions, and any urgent items to meet the March 1, 2010
deadline
You decide what you will do with the report
Do it yourself; assign it to someone; hire someone; or a mix
Security Compliance Audit information - handouts
Contact to schedule your free assessment:
Ray Arpin, 617-435-1159, email: Ray@RayArpin.com
Bob Carroll, 617-314-9813, email: Bob@Bob-Carroll.com
40. Questions & Answers &
Call to Action
Will you be ready for March 1, 2010?
Is your customer personal identity
information really protected from loss or theft?
Are all your facilities, computers, network,
and files adequately protected, as required by law?
42. Closing and Adjourn
Reminder about Boston Business Alliance
Visit the website to suggest Hot Topics for these types
of meetings
Invite other small business owners and peers who
might benefit
Register for future meetings
Ask us to put your name on our email list to be
notified of future meetings and events
Evaluation form
Please complete and leave on the table going out so
that we can continuously improve
43. Contact Information
Boston Business Alliance
www.BostonBusinessAlliance.com
See website for additional Contact and Member information
Attorney Dennis Ford Eagan
Finneran & Nicholson, PC -- www.FinneranNicholson.com
978-462-1514 – Email: Dennis@FinNic.com
Matt Pettine
MFA - Moody, Famiglietti & Andronico, LLP – www.MFA-CPA.com
978-557-5300 – Email: MPettine@MFACornerstone.com
Ray Arpin
Arpin Consulting – www.RayArpin.com
617-435-1159 – Email: Ray@RayArpin.com
See our website and handouts for other contacts, along with
information on 201 CMR, the BBA, and our sponsors
www.BostonBusinessAlliance.com
Feel free to pick up any of the handouts on the table.