201 CMR 17.00

Page 1: 201 CMR 17.00

Boston Business Alliance

Personal Identity Security*
“Y2K plus 10”

Are You Ready for January 1, 2010?

* First in a series of Informational Breakfast Events with topics of timely and valuable information for small business owners and organization leaders

AUGUST 4, 2009 – Woburn, MA

Presented by the:

Boston Business Alliance

The new MA regulation: 201 CMR 17.00

Page 2: 201 CMR 17.00

August 4, 2009 Boston Business Alliance 2

Sponsors

Website Sponsor:
Techevolution – Contact: Corey Tapper – Phone: 781-595-2040 – www.techevolution.com

Facilities/Location Sponsor:
Sunbelt Business Sales & Acquisitions – Contact: Mariola Andoni – Phone: 781-932-7355 – www.sunbeltne.com

Refreshment Sponsor:
Analytix Solutions – Contact: Jason Lefter – Phone: 781-503-9000 – www.analytixsolutions.com

Page 3: 201 CMR 17.00


Agenda

- Overview and Implications – Attorney Dennis Ford Eagan
- MA Regulation 201 CMR 17.00 – Dennis Ford Eagan and Ray Arpin
- How you can comply – what to do guidelines – Ray Arpin and Matt Pettine
- Questions & Answers and Call to Action

Page 4: 201 CMR 17.00


Moderator and Speakers

Dennis Ford Eagan, attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport. Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients in protecting their intellectual property interests. He is a member of the Massachusetts Bar Association and the Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00.

Ray Arpin has 30 years of experience working with small companies and start-ups, Fortune 10, Global 2000, and state and federal organizations, in a wide variety of industries and segments. His specialty is business process improvement to increase sales and reduce costs, professional services, and regulatory compliance. Most recently, he has focused on helping companies and individuals quickly apply business best practices, and specifically on becoming compliant with personal identity security regulations and MA 201 CMR 17.00.

Matt Pettine has over 20 years of experience in business and best practices in the application of technology. He holds no less than 5 certifications in these areas. He fully understands business and how the different functions interrelate, along with the use of technology to compete in today’s business world. He has worked in security and regulatory compliance with MA 201 CMR 17.00, Sarbanes-Oxley, and other regulations. He is a member of the Information Systems Audit and Control Association.

Steven Stanganelli – Moderator. Steve Stanganelli is a five-star rated, board-certified financial planning professional with over 20 years of experience coaching individuals and businesses on ways to improve and protect their personal or business bottom line. His practice encompasses investment management as well as asset protection strategies for business owners and professionals. He is a published author, has been quoted extensively at www.BankRate.com, and has appeared on TV as a subject matter expert guest on “Your Money ABCs.” He is a member of the Financial Planning Association and the CFP Board of Standards, and serves the Merrimack Valley Estate Planning Council.

Page 5: 201 CMR 17.00


Personal Identity Protection – How it started…

On August 2, 2007, Governor Deval Patrick approved the Massachusetts Act Relative to Security Freezes and Notification of Data Breaches.

One of the most comprehensive Personal Identity Theft Prevention statutes in the country.

Three components to the Act:
- Establishing a right for consumers to request a security freeze on their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A);
- Requiring notification of security breaches to regulators and affected residents (Mass. Gen. Laws c. 93H);
- Establishing procedures for destruction and disposal of personal identity information (Mass. Gen. Laws c. 93I).

Page 6: 201 CMR 17.00


Mass. General Law c. 93H – Personal Identity Information

Under Mass. Gen. Law c. 93H, § 1, the Legislature defined Personal Information as:

“A resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
- Social Security Number;
- Driver’s License or State-issued Identification Card Number;
- Financial Account Number, or Credit or Debit Card Number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;

Provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

Page 7: 201 CMR 17.00


OCABR – 201 CMR 17.00 – Purpose

Pursuant to c. 93H, the Department of Consumer Affairs and Business Regulation (OCABR) issued regulations 201 C.M.R. 17.00, regulating persons and businesses maintaining Personal Information.

Purpose of the regulations:
- Insure security and confidential customer information in a manner fully consistent with industry standards;
- Protect against anticipated threats or hazards to security or integrity of such information;
- Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Compliance required by January 1, 2010 (previously extended by the OCABR from original compliance date of January 1, 2009)

Page 8: 201 CMR 17.00


Business and Individuals

- 201 C.M.R. 17.00 requires all persons and businesses that own, license, store or maintain Personal Information of any Massachusetts resident.
  - As a result, these regulations cover all employers, professional service providers, and most all businesses that accept credit or debit cards
  - Also, if you have any employees, you need to protect their Social Security numbers
- Regulations cover all Personal Information, whether paper, hard copy or electronically stored.
- Requires covered businesses and persons to develop, implement, and maintain a comprehensive Written Information Security Program (“WISP”).
- WISP shall contain administrative, technical and physical safeguards to ensure the security and confidentiality of Personal Information.
- Targeted to be reasonably consistent with industry practices and consistent with federal regulations

Page 9: 201 CMR 17.00


Written Information Security Program (WISP)

Basic required elements for WISP:
- Designating one or more employees to maintain program;
- Identify risks and Personal Information intake;
- Improve safeguards;
- Limiting access and restricting use and transport;
- Encryption / Computer system security requirements;
- Train employees and require compliance;
- Detecting and preventing failures and documenting response actions;
- Third party certification of those contracted to maintain or having access to Personal Information;
- At least annual review.

Page 10: 201 CMR 17.00


Disposal of Personal Information

Mass. Gen. Laws c. 93I requires minimum standards for disposal of Personal Information so that it may not be practicably read or reconstructed:
- Paper / Hard copies – Redacted, burned, pulverized or shredded;
- Electronic / Non-paper – Destroyed or erased

- Requires care in properly shredding Personal Information, i.e., obtaining written certification from third party services.
- Requires care in destroying, erasing and disposing of hard drives, laptops, computers, cell phones, and PDAs.

Page 11: 201 CMR 17.00


Enforcement of 201 CMR 17.00

- Enforced by the Massachusetts Attorney General.
- Attorney General may bring action under Mass. Gen. Laws c. 93A, §4:
  - Injunctive relief;
  - Civil penalties not more than $5,000 for each violation;
  - Costs of investigation, litigation, including attorney’s fees.
- Civil liability for any breach / increased duty of care.
- Mass. Gen. Laws c. 93I (Destruction) –
  - Fines of up to $100 per data subject affected;
  - Not more than $50,000 for each instance of improper disposal.

Page 12: 201 CMR 17.00


Possible Implications and Why be Concerned?

- Applicability – if your organization obtains personal identity information from MA residents, you MUST comply
- Personal Identity Information – credit card, driver license, or SS numbers
- Possible Fines – $5,000 per occurrence, and/or per person affected or compromised
- Past Problems – TJX, Hannaford, {others; reference recent articles}
- Facility – is your office or facility secure, all the time? Are you at risk for more than personal identity theft?
- Unauthorized or Unknown Access – Who can get their hands on PI info? Employees, contractors, suppliers, customers. How do you know the info is safe?
- Other Regulations – do you have to comply with HIPAA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actually requires more and different compliance than other regulations.
- Professional Malpractice Risks – if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements?
- Potential {Probable} Cause for Law Suits – violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability law suits against violators.

Page 13: 201 CMR 17.00


How to Comply with 201 CMR 17.00

- Assess your current situation
- Create a detailed WISP
- Establish detailed information security processes and procedures
- Notify key parties of any security breach
- Other Good Business Practices
- Computer and Electronic Security Aspects

We will go into more detail on each bullet point

Page 14: 201 CMR 17.00


Dave’s Top 10

10 - Your login screen says ‘Win XP’
9 - I will sleep better
8 - My inbox is full of SPAM and I can’t find anything
7 - My passwords include: ‘password’, ’null’ (no password), ‘sa’, ‘admin’, ‘asdf1234’, ‘root’, or my name
6 - My computer and the internet takes forever! #@$%&’ or, ‘My computer takes forever to boot up!’
5 - A customer asked me about this new law the other day, and if we were compliant?
4 - My insurance company was asking about this new data law
3 - My credit card processors mentioned something about an $880,000 fine for TJX stores
2 - My lawyer mentioned something about not only fines, but other legal suits and more costs
1 - It’s not only the law and I don’t want to be fined or sued; but it is just good business!

Page 15: 201 CMR 17.00


Assess Information Security

Overall approach
- Identify gaps between your operations and the regulation
- Identify areas for potential risks
  - Paper and electronic
- List specific action items for corrective measures

Facilities and equipment, etc.
- Are your facilities locked and secured?
- Are any computers allowed to leave the premises?
- Are your network connections completely secure?

How is personal identity info handled today?
- Paper and electronic
- Who has access vs. a need to know or handle?

See audit/assessment spreadsheet

Page 16: 201 CMR 17.00


Create a Detailed WISP

- General headings and categories
- Specific detail of processes and procedures to follow to:
  - Protect Personal Identity (PI)
  - Take in the case of a breach (loss of PI)
- Prepare supporting documents and templates
- Additional guidelines are available from the Mass.gov website – see www.BostonBusinessAlliance.com for links

Written Information Security Program (WISP)

Example start of a WISP

Page 17: 201 CMR 17.00


Establish Process & Procedures

- Establish and then test all processes and procedures to make sure they work
  - Add details as needed
  - These documents will be part of an audit
- Bridge any gaps in your assessment
- Implement electronic security and protection
- Train all employees, including annual re-training
- Annual audits and reviews are required by the regulation

Page 18: 201 CMR 17.00


Required Notifications

In the case of ANY potential security breach, you are required to notify:
- MA OCABR
- MA AG office {link to sample letter and handouts}
- Each MA resident that you have any personal identity information {link to sample letter and handouts}
- Other entities
  - Credit card processing companies
  - Employees
  - …

Page 19: 201 CMR 17.00


Other Good Business Practices

- Put a compliance statement on your website
  - Make sure that you do comply!
- Notify any of your partners, vendors, or suppliers that they MUST comply if they access any of your PI information for MA residents
  - Ask them for a statement of compliance

Example of MA IT Contractor Certification

Page 20: 201 CMR 17.00


Computer System Security

Regulation includes specific requirements related to computer system security:
- Authentication
- Access Controls
- Data Transmission
- Monitoring
- Encryption
- Firewalls and related
- Viruses & Malware
- Training

Page 21: 201 CMR 17.00


Authentication

- Control of User Accounts – “Control of IDs”
- “Reasonably secure passwords”
- Control of password security
- Restrict access to active users
- Block access after multiple attempts

Page 22: 201 CMR 17.00


Access Controls

- Restrict access to those who “need to know” to perform their jobs
  - File system security / permissions
  - Third-party tools available
- Assign IDs and passwords
  - Unique (not shared)
  - “Not vendor supplied defaults”
  - Immediately remove access if they leave or are terminated

Page 23: 201 CMR 17.00


Data Transmission

- Encryption of transmitted data – “Where technically feasible”
  - Web Sites (SSL / https)
  - Email (PGP / 3rd party services)
  - Remote Access Solutions
  - Online Service Providers
  - Wireless (“All Data”)

Page 24: 201 CMR 17.00


Monitoring

“Reasonable monitoring of systems for unauthorized use of or access to personal information”
- Intrusion Detection
- Application Logs
- Server Firewalls
- Network Security Logs
- File System Auditing

Page 25: 201 CMR 17.00


Encryption

- Laptops
  - Encryption vs. Passwords
  - File-based vs. Entire Laptop
  - Operating System vs. Third Party Solutions
- “Other Devices”
  - Portable Hard Drives (USB devices)
  - Backup Media
  - CDs, DVDs, Blackberries, PDAs

Page 26: 201 CMR 17.00


Firewalls and Operating Systems

- Firewall Protection
  - “Reasonably up-to-date”
  - Vendor supported and routinely updated
- Operating System Security Patches
  - Automatic update features
  - Servers & workstations
  - User considerations

Page 27: 201 CMR 17.00


Viruses and Malware

- “Reasonably up-to-date versions”
- “Must include malware protection”
- Supported by vendor
- Up-to-date patches and definitions
- “Set to receive the most current security updates on a regular basis”

Page 28: 201 CMR 17.00


Education and Training

“Education and training of employees on the proper use of the computer security system and the importance of personal information security.”
- New hire orientation
- Specific routine organizational efforts
- What to do if they experience any potential security risk or problem

Page 29: 201 CMR 17.00


Estimated Cost of Compliance

Based on OCABR estimates for: 10 person business with 3 laptops and 1 network server, serving 7 desktops

[Bar chart: One time, Recurring and Total cost for the OCABR, Real world and Worst case estimates; y-axis $0 to $30,000]

Options:
1 Potential High Cost
2 Possible Outsource
3 OCABR Estimates*
4 Do it yourself??
5 Yourself & Expert

Page 30: 201 CMR 17.00


Back Up Cost Information*

* OCABR assumption is the ‘business’ would already have retained such a consultant to monitor and maintain the current installation and software in connection with protecting the company’s own, and customer, information.

1 Server, 3 laptops, 7 desktops – columns: OCABR, Real World Cost, Worst Case (each split into One Time and Recurring); row values are listed in slide order:
- Hardware (New PC’s): $3,750, $7,500
- Software: $1,000, $1,000
- Professional Service (WISP, audit, apply patches, install s/w): $500, $3,000, $750, $3,000, $750
- Training: $250, $500
- “Systems Compliance”: $3,000
- “Data Audit and Compliance”: $1,000
- Column totals (One Time / Recurring): OCABR $4,000 / $6,000; Real World $8,000 / $9,000; Worst Case $11,500 / $15,000
- Total: OCABR $10,000; Real World $17,000; Worst Case $26,500

Page 31: 201 CMR 17.00


Opportunities for savings

- Hire professionals
  - Make sure they cover the entire regulation
  - Or you know the regulation well enough to be selective
  - Appropriately scope and estimate effort
  - Negotiate responsibilities and resources
- Other options:
  - Research and learn all the requirements and nuances
  - Use the ‘legalzoom’ approach
  - Use free and open source software
  - Leverage your current investment
  - A sound business decision to combine various options with some outside help

Page 32: 201 CMR 17.00


Free Limited Assessment

Arpin Consulting will provide a free, limited, one-hour 201 CMR 17.00 compliance assessment for any attendees
- Focus:
  - Specific processes and procedures required to ensure compliance
  - High level electronic information security (PCs, network, etc.)
- Deliverables:
  - An assessment of potential risks or problems that may interfere with compliance
  - An assessment of electronic information, specifically, high level, network and computer security
  - A Preliminary Report that will point out potential problems, suggested corrective actions, and any urgent items to meet the January 1, 2010 deadline
- You decide what you will do with the report
  - Do it yourself; assign it to someone; hire someone; or a mix
- Security Compliance Audit information - handouts

Contact to schedule your free assessment: Ray Arpin, 617-435-1159, email: [email protected]

Bob Carroll, 617-314-9813, email: [email protected]

Page 33: 201 CMR 17.00


Questions & Call to Action

Moderator: Steven Stanganelli
- If necessary, the moderator or speakers will suggest taking the question “off line” (after the Q&A) for a more detailed answer
- Speakers, BBA Members, and Security Consultants/Vendors will be available after the meeting for a limited time

Page 34: 201 CMR 17.00


Sponsors

Website Sponsor:
Techevolution – Contact: Corey Tapper – Phone: 781-595-2040 – www.techevolution.com

Facilities/Location Sponsor:
Sunbelt Business Sales & Acquisitions – Contact: Mariola Andoni – Phone: 781-932-7355 – www.sunbeltne.com

Refreshment Sponsor:
Analytix Solutions – Contact: Jason Lefter – Phone: 781-503-9000 – www.analytixsolutions.com

Page 35: 201 CMR 17.00


Closing and Adjourn

- Reminder about Boston Business Alliance
  - Visit website for suggesting Hot Topics for these types of meetings
  - Invite other small business owners and peers who might benefit
  - Register for future meetings
  - Ask us to put your name on our email list to be notified of future meetings and events
- Evaluation form
  - Please complete and leave on the table going out so that we can continuously improve

Page 36: 201 CMR 17.00


Contact Information

Boston Business Alliance – www.BostonBusinessAlliance.com
See website for additional Contact and Member information

Attorney Dennis Ford Eagan – Finneran & Nicholson, PC – www.finnerannicholson.com – 978-462-1514 – Email: [email protected]

Ray Arpin – Arpin Consulting – www.rayarpin.com – 617-435-1159 – Email: [email protected]

Matt Pettine – MFA - Moody, Famiglietti & Andronico, LLP – www.mfa-cpa.com – 978-557-5300 – Email: [email protected]

See our website and handouts for other contacts, along with information on 201 CMR, the BBA, and our sponsors: www.BostonBusinessAlliance.com

Feel free to pick up any of the handouts on the table.