
MA 201 CMR 17.00 Personal Identity Security


DESCRIPTION

MA 201 CMR 17.00 is the new Massachusetts regulation requiring everyone who accesses / stores personal identity information (credit card, SSN, etc.) to safeguard the information by March 1, 2010. Learn how.


Page 1: MA 201 CMR 17.00 Personal Identity Security

Personal Identity Security “Y2K plus 10”

Are You Ready for March 1, 2010?

The new MA regulation: 201 CMR 17.00

October 27, 2009 – Woburn, MA

Presented by the:

Boston Business Alliance

Updated and including FTC Red Flag Rules

Page 2: MA 201 CMR 17.00 Personal Identity Security

Sponsors

Facilities/Location Sponsor:

Sunbelt Business Sales & Acquisitions
Contact: Mariola Andoni
Phone: 781-932-7355
www.sunbeltne.com

Refreshment Sponsor:

October 27, 2009 Boston Business Alliance 2

Website Sponsor:

Techevolution
Contact: Corey Tapper
Phone: 781-595-2040
www.techevolution.com

Analytix Solutions
Contact: Jason Lefter
Phone: 781-503-9000
www.analytixsolutions.com

Page 3: MA 201 CMR 17.00 Personal Identity Security

Personal Identity Security – Y2K plus 10
New MA Regulation – 201 CMR 17.00

October 27; 6:30 PM – 8:30 PM – 800 W. Cummings Park, Woburn, MA

6:15 Refreshments and Networking

6:30 Overview – Personal Identity Security & Red Flag (Attorney Dennis Eagan)

6:55 Computer Systems & Technical Security (Matt Pettine, Managing Director)

7:20 How you can comply – what to do guidelines (Ray Arpin, Consultant)

7:50 Questions & Answers & Call to Action (speakers)

8:30 Adjourn

Speakers and Vendors available for questions

Page 4: MA 201 CMR 17.00 Personal Identity Security

Speakers

Dennis Ford Eagan, attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport. Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients in protecting their intellectual property interests. He is a member of the Massachusetts Bar Association and the Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00.

Matt Pettine has over 20 years of experience in business and best practices in the application of technology. He holds no less than 5 certifications in these areas. He fully understands business and how the different functions interrelate, along with the use of technology to compete in today’s business world. He has worked in security and regulatory compliance in MA 201 CMR 17.00, Sarbanes-Oxley, and with other regulations. He is a member of the Information Systems Audit and Control Association.

Ray Arpin has 30 years of experience working with small companies and start-ups, to Fortune 10, Global 2000, state and federal organizations, in a wide variety of industries and segments. His specialty is business process improvement to increase sales and reduce costs, professional services, and regulatory compliance. Most recently, he is focused on helping companies and individuals quickly apply business best practices, and specifically to become compliant with personal identity security regulations and MA 201 CMR 17.00.

Page 5: MA 201 CMR 17.00 Personal Identity Security

Personal Identity Protection – How it started…

- On August 2, 2007, Governor Deval Patrick approved the Massachusetts Act Relative to Security Freezes and Notification of Data Breaches.

- One of the most comprehensive Personal Identity Theft Prevention statutes in the country.

- Three components to the Act:
  - Establishing a right to request a security freeze by consumers on their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A);
  - Requiring notification of security breaches to regulators and affected residents (Mass. Gen. Laws c. 93H);
  - Establishing procedures for destruction and disposal of personal identity information (Mass. Gen. Laws c. 93I).

Page 6: MA 201 CMR 17.00 Personal Identity Security

Mass. General Law c. 93H – Personal Identity Information

- Under Mass. Gen. Law c. 93H, § 1, the Legislature defined Personal Information as:
  - “A resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
    - Social Security Number;
    - Driver’s License or State-issued Identification Card Number;
    - Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
  - Provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
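An added example (not part of the presentation) that applies the c. 93H § 1 definition above to records found during a Personal Information intake review: the test is conjunctive (a name plus at least one listed data element) and public-record data is carved out. The record layout, field names and the number formats matched are assumptions made for this example.

```python
"""Added example (not from the presentation): apply the Mass. Gen. Laws c. 93H
section 1 definition of "Personal Information" to records found during a
Personal Information intake / risk review.

A record is Personal Information only when it holds a resident's name
(first + last, or first initial + last) AND at least one of the listed data
elements (SSN, driver's license / state ID number, or a financial account or
card number). Data lawfully obtained from public records is carved out.
The record layout and field names are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Formats for the data elements named in c. 93H s. 1.  These patterns are
# illustrative assumptions (SSN: 9 digits with optional dashes; license:
# 'S' + 8 digits or 9 digits; account/card: 13-19 digits).  A real review
# should match the formats the business actually stores.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
DL_RE = re.compile(r"^(S\d{8}|\d{9})$")
ACCOUNT_RE = re.compile(r"^\d{13,19}$")


@dataclass
class Record:
    first_name: str = ""
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""
    public_record: bool = False  # lawfully obtained from public records


def has_name(rec: Record) -> bool:
    """Name test: a first name or first initial together with a last name."""
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())


def data_elements(rec: Record) -> list:
    """Return which c. 93H data elements the record carries."""
    found = []
    if SSN_RE.match(rec.ssn.strip()):
        found.append("ssn")
    if DL_RE.match(rec.drivers_license.strip().upper()):
        found.append("drivers_license")
    if ACCOUNT_RE.match(re.sub(r"[ -]", "", rec.account_number)):
        found.append("account_number")
    return found


def is_personal_information(rec: Record) -> bool:
    """Conjunctive test from the statute, with the public-record carve-out."""
    if rec.public_record:
        return False
    return has_name(rec) and bool(data_elements(rec))


def inventory(records) -> dict:
    """Summarise an intake review: how many records are PI, and which elements appear."""
    summary = {"personal_information": 0, "other": 0, "elements": {}}
    for rec in records:
        if is_personal_information(rec):
            summary["personal_information"] += 1
            for element in data_elements(rec):
                summary["elements"][element] = summary["elements"].get(element, 0) + 1
        else:
            summary["other"] += 1
    return summary


# Constructed sample records (all values are made up for the example).
SAMPLE_RECORDS = [
    Record("Jane", "Doe", ssn="123-45-6789"),                    # PI: name + SSN
    Record("J", "Doe", account_number="4111 1111 1111 1111"),    # PI: initial + card
    Record("", "", ssn="987-65-4321"),                           # SSN alone: not PI
    Record("John", "Smith"),                                     # name alone: not PI
    Record("Ann", "Lee", drivers_license="S12345678", public_record=True),  # carved out
    Record("Bob", "Ray", ssn="12-345"),                          # malformed SSN: no element
]

if __name__ == "__main__":
    print(inventory(SAMPLE_RECORDS))
```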

Page 7: MA 201 CMR 17.00 Personal Identity Security

OCABR – 201 CMR 17.00 – Purpose

- Pursuant to c. 93H, the Department of Consumer Affairs and Business Regulation (OCABR) issued regulations 201 C.M.R. 17.00, regulating persons and businesses maintaining Personal Information, which were revised in August, 2009.

- Purpose of the regulations:
  - Establish minimum standards for safeguarding Personal Information contained in both electronic and hard copy records;
  - Ensure the security and confidentiality of customer information in a manner fully consistent with industry standards;
  - Protect against anticipated threats or hazards to security or integrity of such information;
  - Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

- Compliance required by March 1, 2010 (extended by the OCABR from original compliance dates of January 1)

Page 8: MA 201 CMR 17.00 Personal Identity Security

Business and Individuals

- 201 C.M.R. 17.00 applies to all persons and businesses that own, license, store or maintain Personal Information of any Massachusetts resident.
  - As a result, these regulations cover all employers, professional service providers, and almost all businesses that accept credit or debit cards.
  - Also, if you have any employees, you need to protect their Social Security numbers.

- Regulations cover all Personal Information, whether paper, hard copy or electronically stored.

- Requires covered businesses and persons to develop, implement, and maintain a comprehensive Written Information Security Program (“WISP”).

- The WISP may be in one or more accessible parts.
  - WISP shall contain administrative, technical and physical safeguards to ensure the security and confidentiality of Personal Information.
  - Targeted to be reasonably consistent with industry practices and consistent with federal regulations.

Page 9: MA 201 CMR 17.00 Personal Identity Security

Written Information Security Program (WISP)

- Basic required elements for WISP:
  - Designating one or more employees to maintain the program;
  - Identify risks and Personal Information intake;
  - Improve safeguards;
  - Limiting access and restricting use and transport;
  - Encryption / computer system security requirements;
  - Train employees and require compliance;
  - Detecting and preventing failures and documenting response actions;
  - Third party certification of those contracted to maintain or having access to Personal Information;
  - At least annual review.

Page 10: MA 201 CMR 17.00 Personal Identity Security

WISP Components

- An effective WISP should contain at minimum:
  - technical safeguards (i.e., encryption, firewalls, password protections);
  - physical safeguards (i.e., locked file cabinets, alarm systems, etc.);
  - administrative safeguards (i.e., limiting access, secure storage and transport, proper destruction and disposal; employee oversight, intake processes, etc.);
  - designation of an employee to oversee the program and initiate annual reviews of the program;
  - procedures to identify risks and threats to the personal information;
  - procedures for on-going compliance and monitoring, including disciplinary action for violations;
  - oversight provisions, not only for employees but also third party contractors with access to personal information; and
  - procedures to notify regulators and the affected persons upon any security breach, which may include lost or stolen laptops, misdirected e-mails, inadvertent disclosure, access by terminated employees, or hacking and other outside infiltration.

Page 11: MA 201 CMR 17.00 Personal Identity Security

Disposal of Personal Information

- Mass. Gen. Laws c. 93I requires minimum standards for disposal of Personal Information so that it may not be practicably read or reconstructed:
  - Paper / Hard copies – Redacted, burned, pulverized or shredded;
  - Electronic / Non-paper – Destroyed or erased

- Requires care in properly shredding Personal Information, i.e., obtaining written certification from third party services.

- Requires care in destroying, erasing and disposing of hard drives, laptops, computers, cell phones, and PDAs.

Page 12: MA 201 CMR 17.00 Personal Identity Security

Enforcement of 201 CMR 17.00

- Enforced by the Massachusetts Attorney General.

- Attorney General may bring action under Mass. Gen. Laws c. 93A, § 4:
  - Injunctive relief;
  - Civil penalties not more than $5,000 for each violation;
  - Costs of investigation, litigation, including attorney’s fees.

- Civil liability for any breach / increased duty of care.

- Mass. Gen. Laws c. 93I (Destruction) –
  - Fines of up to $100 per data subject affected;
  - Not more than $50,000 for each instance of improper disposal.

Page 13: MA 201 CMR 17.00 Personal Identity Security

Federal Trade Commission Red Flag Rules

- Enforced by the U.S. Federal Trade Commission

- Effective November 1, 2009

- Red Flag Rules require many businesses to develop and implement written identity theft programs to identify, detect and respond to “red flags” of identity theft

- The Red Flag Rules apply to financial institutions and “creditors,” i.e. all businesses that extend credit to clients.

- For purposes of the Red Flag Rules the term “creditors” is defined as:
  - “any person who regularly extends, renews, or continues credit” which is defined as, the “right granted … to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”

Page 14: MA 201 CMR 17.00 Personal Identity Security

Red Flag - Creditors

- This broad definition of “creditor” subject to the Red Flag Rules includes any business that provides its goods and services to a client or customer before accepting payment. This may include many service providers:
  - broker-dealers, investment advisers,
  - health care providers;
  - attorneys; accountants;
  - IT professionals;
  - cleaning service companies; landscapers;
  - retailers, mortgage brokers, car dealers, and other organizations that arrange loans or extend consumer credit; AND
  - many other professional and consumer service providers, who bill clients rather than accepting full payment at the time of service.

Page 15: MA 201 CMR 17.00 Personal Identity Security

Red Flag & Identity Theft

- All businesses and entities covered by the Red Flag Rules must adopt and implement an Identity Theft Prevention Program, which must, at minimum:
  - Identify potential Red Flags, or suspicious patterns, specific activities or practices that indicate potential threats for identity theft, that come about in the course of business for incoming or existing client accounts;
  - Detect Red Flags that are identified, i.e., procedures to detect and respond to fraudulent identification;
  - Implement appropriate response actions to detected Red Flags; and
  - Periodically, and not less than annually, review the program.

Page 16: MA 201 CMR 17.00 Personal Identity Security

Red Flag Penalties

- Subject to FTC investigations and enforcement actions.

- May include civil penalties up to $3,500 per violation and injunctive relief.

- Presently, the Red Flag Rules do not include a private right of action to consumers, but there is a complaint procedure to the FTC.

- Violations may establish a prima facie case of negligence or intentional misconduct in a civil suit by an affected consumer.

Page 17: MA 201 CMR 17.00 Personal Identity Security

Possible Implications and Why be Concerned?

- Applicability – if your organization obtains personal identity information from MA residents, you MUST comply

- Personal Identity Information – credit card, driver license, or SS numbers

- Possible Fines – $5,000 per occurrence, and/or per person affected or compromised

- Past Problems – TJX, Hannaford, {others; reference recent articles}

- Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft?

- Unauthorized or Unknown Access – Who can get their hands on PI info?
  - Employees, contractors, suppliers, customers
  - How do you know the info is safe?

- Other Regulations – do you have to comply with HIPAA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actually requires more and different compliance than other regulations.

- Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements?

- Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators.

Page 18: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Regulation includes specific requirements related to computer system security
  - Authentication
  - Encryption
  - Access Controls
  - Firewalls & OS Patches
  - Data Transmission
  - Viruses & Malware
  - Monitoring
  - Training

Page 19: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Authentication
  - Control of User Accounts
  - “Control of IDs”
  - “Reasonably secure passwords”
  - Control of password security
  - Restrict access to active users
  - Block access after multiple attempts

Page 20: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Access Controls
  - Restrict access to those who “need to know” to perform their jobs
  - File system security / permissions
  - Third-party tools available
  - Assign IDs and passwords
    - Unique (not shared)
    - “Not vendor supplied defaults”

Page 21: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Data Transmission
  - Encryption of transmitted data
  - “Where technically feasible”
  - Web Sites (SSL / https)
  - Email (PGP / 3rd party services)
  - Remote Access Solutions
  - Online Service Providers
  - Wireless (“All Data”)

Page 22: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Monitoring
  - “Reasonable monitoring of systems for unauthorized use of or access to personal information”
  - Intrusion Detection
  - Application Logs
  - Server Firewalls
  - Network Security Logs
  - File System Auditing
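An added example (not the presenters’ material) that runs the monitoring idea above over constructed application-log lines, checking three of the deck’s computer-system requirements together: need-to-know access to Personal Information, access only by active accounts, and lockout after repeated failed logins. The log format, the rosters and the lockout threshold are assumptions made for this example.

```python
"""Added example (not from the presentation): a small monitoring pass over
application audit-log lines that flags the conditions the regulation's
computer-system requirements call out:
  - access to a Personal Information resource by an account outside the
    "need to know" roster,
  - access by an account that is no longer active (e.g. a terminated employee),
  - failed logins continuing past the point where lockout should have applied.
The log layout, the rosters and the threshold are assumptions for this example.
"""
from collections import defaultdict

# Assumed tab-separated layout: timestamp, user, action, target, result.
# Every line below is constructed for the example.
CONSTRUCTED_LOG = """\
2009-10-27T09:01:12\tjdoe\tlogin\t-\tOK
2009-10-27T09:02:40\tjdoe\tread\tcustomer_ssn_table\tOK
2009-10-27T09:05:03\tmsmith\tread\tcustomer_ssn_table\tOK
2009-10-27T09:07:15\tbold\tlogin\t-\tFAIL
2009-10-27T09:07:22\tbold\tlogin\t-\tFAIL
2009-10-27T09:07:30\tbold\tlogin\t-\tFAIL
2009-10-27T09:07:41\tbold\tlogin\t-\tFAIL
2009-10-27T09:08:00\tbold\tread\tpayroll_export.csv\tOK
2009-10-27T09:10:11\tjdoe\tread\tmarketing_plan.doc\tOK
"""

# Resources that hold Personal Information (constructed inventory).
PI_RESOURCES = {"customer_ssn_table", "payroll_export.csv"}
# "Need to know" roster per PI resource (constructed).
NEED_TO_KNOW = {
    "customer_ssn_table": {"jdoe"},
    "payroll_export.csv": {"hr_admin"},
}
# Active accounts; 'bold' is a terminated employee whose account was left enabled.
ACTIVE_USERS = {"jdoe", "msmith", "hr_admin"}
LOCKOUT_THRESHOLD = 3  # assumed policy: block the account after this many failures


def parse_log(text):
    """Split the constructed log into dictionaries, one per line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, result = line.split("\t")
        rows.append({"ts": ts, "user": user, "action": action,
                     "target": target, "result": result})
    return rows


def find_findings(rows):
    """Return (finding, user, detail) tuples in log order."""
    findings = []
    failed = defaultdict(int)  # consecutive failed logins per user
    for r in rows:
        if r["action"] == "login":
            if r["result"] == "FAIL":
                failed[r["user"]] += 1
                # A further attempt beyond the threshold means lockout did not engage.
                if failed[r["user"]] > LOCKOUT_THRESHOLD:
                    findings.append(("lockout_not_enforced", r["user"], r["ts"]))
            else:
                failed[r["user"]] = 0
            continue
        # Non-login actions: attempts are included, since a denied attempt
        # against a PI resource is still worth a look.
        if r["target"] in PI_RESOURCES:
            if r["user"] not in ACTIVE_USERS:
                findings.append(("inactive_account_pi_access", r["user"], r["target"]))
            elif r["user"] not in NEED_TO_KNOW.get(r["target"], set()):
                findings.append(("outside_need_to_know", r["user"], r["target"]))
    return findings


def monitor(text):
    """Run the whole pass over raw log text."""
    return find_findings(parse_log(text))


if __name__ == "__main__":
    for finding in monitor(CONSTRUCTED_LOG):
        print(finding)
```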

Page 23: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Encryption of Personal Information Stored on Portable Devices
  - Laptops
    - Encryption vs. Passwords
    - File-based vs. Entire Laptop
    - Operating System vs. Third Party Solutions
  - “Other Devices”
    - Portable Hard Drives (USB devices)
    - Backup Media
    - CDs, DVDs, Blackberries, PDAs

Page 24: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Firewalls & OS Patches
  - Firewall Protection
    - “Reasonably up-to-date”
    - Vendor supported and routinely updated
  - Operating System Security Patches
    - Automatic update features
    - Servers & workstations
    - User considerations

Page 25: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- Viruses & Malware
  - “Reasonably up-to-date versions”
  - “Must include malware protection”
  - Supported by vendor
  - Up-to-date patches and definitions
  - “Set to receive the most current security updates on a regular basis”

Page 26: MA 201 CMR 17.00 Personal Identity Security

Computer System Security

- “Education and training of employees on the proper use of the computer security system and the importance of personal information security.”
  - New hire orientation
  - Specific routine organizational efforts

Page 27: MA 201 CMR 17.00 Personal Identity Security

Possible Implications and Why be Concerned?

- Applicability – if your organization obtains personal identity information from MA residents, you MUST comply
- Personal Identity Information – credit card, driver license, or SS numbers (the regulation's definition is a resident's name in combination with one of those numbers)
- Possible Fines – $5,000 per occurrence, and/or per person affected or compromised
- Past Problems – TJX, Hannaford, {others; reference recent articles}
- Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft?
- Unauthorized or Unknown Access – Who can get their hands on PI info?
  - Employees, contractors, suppliers, customers
  - How do you know the info is safe?
- Other Regulations – do you have to comply with HIPAA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actually requires more and different compliance than other regulations.
- Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements?
- Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability lawsuits against violators.

Page 28: MA 201 CMR 17.00 Personal Identity Security

How to Comply with 201 CMR 17.00

- Assess your current situation
- Create a detailed WISP
- Establish processes and procedures
- Notifications of any security breach
- Other Good Business Practices
- Education & Training
- Estimated cost of compliance
- Opportunities for savings
- Free limited assessment

We will go into more detail on each bullet point

Page 29: MA 201 CMR 17.00 Personal Identity Security

Dave’s Top 10

10 - Your login screen says ‘Win XP’
9 - I will sleep better
8 - My inbox is full of SPAM and I can’t find anything
7 - My passwords include: ‘password’, ’null’ (no password), ‘sa’, ‘admin’, ‘asdf1234’, ‘root’, or my name
6 - ‘My computer and the internet takes forever! #@$%&’ or, ‘My computer takes forever to boot up!’
5 - A customer asked me about this new law the other day, and if we were compliant?
4 - My insurance company was asking about this new data law
3 - My credit card processors mentioned something about an $880,000 fine for TJX stores
2 - My lawyer mentioned something about not only fines, but other legal suits and more costs
1 - It’s not only the law and I don’t want to be fined or sued; but it is just good business!

Page 30: MA 201 CMR 17.00 Personal Identity Security

Assess Information Security

- Overall approach
  - Identify gaps between your operations and the regulation
  - Identify areas for potential risks
    - Paper and electronic
  - List specific action items for corrective measures
- Facilities and equipment, etc.
  - Are your facilities locked and secured?
  - Are any computers allowed to leave the premises?
  - Are your network connections completely secure?
- How is personal identity info handled today?
  - Paper and electronic
  - Who has access vs. a need to know or handle?

See audit/assessment spreadsheet

Page 31: MA 201 CMR 17.00 Personal Identity Security

Create a Detailed WISP

Written Information Security Program (WISP)

- General headings and categories
- Specific detail of processes and procedures to follow to:
  - Protect Personal Identity (PI)
  - Respond in the case of a breach (loss of PI)
- Prepare supporting documents and templates
- Additional guidelines are available from the Mass.gov website – see www.BostonBusinessAlliance.com for links

Example start of a WISP

Page 32: MA 201 CMR 17.00 Personal Identity Security

Establish Process & Procedures

- Establish and then test all processes and procedures to make sure they work
- Add details as needed
- These documents will be part of an audit
- Bridge any gaps in your assessment
- Implement electronic security and protection
- Train all employees, including annual re-training
- Annual audits and reviews are required by the regulation

Page 33: MA 201 CMR 17.00 Personal Identity Security

Required Notifications

- In the case of ANY potential security breach, you are required to notify
  - MA OCABR
  - MA AG office {link to sample letter}
  - Each MA resident whose personal identity information you hold {link to sample letter}
  - Other entities
    - Credit card processing companies
    - Employees
    - …

Page 34: MA 201 CMR 17.00 Personal Identity Security

Other Good Business Practices

- Put a compliance statement on your website
- Make sure that you do comply!
- Notify any of your partners, vendors, or suppliers that they MUST comply if they access any of your PI information for MA residents
- Ask them for a statement of compliance

Example of MA IT Contractor Certification

Page 35: MA 201 CMR 17.00 Personal Identity Security

Education and Training

- "Education and training of employees on the proper use of the computer security system and the importance of personal information security."
  - New hire orientation
  - Specific routine organizational efforts
  - What to do if they experience any potential security risk or problem

Page 36: MA 201 CMR 17.00 Personal Identity Security

Estimated Cost of Compliance

[Bar chart: one-time, recurring and total cost, on a $0 to $30,000 scale, for the OCABR estimate, a real-world estimate and a worst-case estimate]

Based on OCABR estimates for: 10 person business with 3 laptops and 1 network server, serving 7 desktops

Options:
1 Potential High Cost
2 Possible Outsource
3 OCABR Estimates*
4 Do it yourself??
5 Yourself & Expert

Page 37: MA 201 CMR 17.00 Personal Identity Security

Back Up Cost Information*

1 Server, 3 laptops, 7 desktops

                                                OCABR                Real World Cost        Worst Case
                                                One Time  Recurring  One Time  Recurring    One Time  Recurring
Hardware (New PC's)                                                  $3,750                 $7,500
Software                                                             $1,000                 $1,000
Professional Service
  (WISP, audit, apply patches, install s/w)               $500       $3,000    $750         $3,000    $750
Training                                                             $250                   $500
"Systems Compliance"                            $3,000
"Data Audit and Compliance"                     $1,000
Subtotal                                        $4,000    $6,000     $8,000    $9,000       $11,500   $15,000
Total (One Time + Recurring)                    $10,000              $17,000                $26,500

* OCABR assumption is the ‘business’ would already have retained such a consultant to monitor and maintain the current installation and software in connection with protecting the company’s own, and customer, information.

Page 38: MA 201 CMR 17.00 Personal Identity Security

Opportunities for savings

- Hire professionals
  - Make sure they cover the entire regulation
  - Or know the regulation well enough yourself to be selective
  - Appropriately scope and estimate effort
  - Negotiate responsibilities and resources
- Other options:
  - Research and learn all the requirements and nuances
  - Use the ‘legalzoom’ approach
  - Use free and open source software
  - Leverage your current investment
  - A sound business decision: combine various options with some outside help

Page 39: MA 201 CMR 17.00 Personal Identity Security

Free Limited Assessment

- Arpin Consulting will provide a free, limited, one-hour 201 CMR 17.00 compliance audit for any attendees; including sole proprietors, businesses, and organizations
- Focus:
  - Specific processes and procedures required to ensure compliance
  - High level electronic information security (PCs, network, etc.)
- Deliverables:
  - An assessment of potential risks or problems that may interfere with compliance
  - An assessment of electronic information, specifically, high level, network and computer security
  - A Preliminary Report that will point out potential problems, suggested corrective actions, and any urgent items to meet the March 1, 2010 deadline
- You decide what you will do with the report
  - Do it yourself; assign it to someone; hire someone; or a mix
  - Security Compliance Audit information - handouts

Contact to schedule your free assessment:
Ray Arpin, 617-435-1159, email: [email protected]
Bob Carroll, 617-314-9813, email: [email protected]

Page 40: MA 201 CMR 17.00 Personal Identity Security

Questions & Answers & Call to Action

- Will you be ready for March 1, 2010?
- Is your customer personal identity information really protected from loss or theft?
- Are all your facilities, computers, network, and files adequately protected, as required by law?

Page 41: MA 201 CMR 17.00 Personal Identity Security

Sponsors

Facilities/Location Sponsor:
Sunbelt Business Sales & Acquisitions
Contact: Mariola Andoni
Phone: 781-932-7355
www.sunbeltne.com

Refreshment Sponsor:
Analytix Solutions
Contact: Jason Lefter
Phone: 781-503-9000
www.analytixsolutions.com

Website Sponsor:
Techevolution
Contact: Corey Tapper
Phone: 781-595-2040
www.techevolution.com

Page 42: MA 201 CMR 17.00 Personal Identity Security

Closing and Adjourn

- Reminder about Boston Business Alliance
  - Visit website for suggesting Hot Topics for these types of meetings
  - Invite other small business owners and peers who might benefit
  - Register for future meetings
  - Ask us to put your name on our email list to be notified of future meetings and events
- Evaluation form
  - Please complete and leave on the table going out so that we can continuously improve

Page 43: MA 201 CMR 17.00 Personal Identity Security

Contact Information

- Boston Business Alliance
  - www.BostonBusinessAlliance.com
  - See website for additional Contact and Member information
- Attorney Dennis Ford Eagan
  - Finneran & Nicholson, PC – www.FinneranNicholson.com
  - 978-462-1514 – Email: [email protected]
- Matt Pettine
  - MFA - Moody, Famiglietti & Andronico, LLP – www.MFA-CPA.com
  - 978-557-5300 – Email: [email protected]
- Ray Arpin
  - Arpin Consulting – www.RayArpin.com
  - 617-435-1159 – Email: [email protected]
- See our website and handouts for other contacts, along with information on 201 CMR, the BBA, and our sponsors
  - www.BostonBusinessAlliance.com

Feel free to pick up any of the handouts on the table.