Slide 1: Personal Identity Security* “Y2K plus 10”
Are You Ready for January 1, 2010?
The new MA regulation: 201 CMR 17.00
Presented by the Boston Business Alliance
AUGUST 4, 2009 – Woburn, MA
* First in a series of Informational Breakfast Events with topics of timely and valuable information for small business owners and organization leaders
Slide 2: Sponsors
Facilities/Location Sponsor:
Sunbelt Business Sales & Acquisitions Contact: Mariola Andoni Phone: 781-932-7355 www.sunbeltne.com
Refreshment Sponsor:
Analytix Solutions Contact: Jason Lefter Phone: 781-503-9000 www.analytixsolutions.com
Website Sponsor:
Techevolution Contact: Corey Tapper Phone: 781-595-2040 www.techevolution.com
August 4, 2009
Boston Business Alliance
Slide 3: Agenda
Overview and Implications (Attorney Dennis Ford Eagan)
MA Regulation 201 CMR 17.00 (Dennis Ford Eagan and Ray Arpin)
How you can comply: what-to-do guidelines (Ray Arpin and Matt Pettine)
Questions & Answers and Call to Action
Slide 4: Moderator and Speakers
Steven Stanganelli – Moderator
Steve Stanganelli is a five-star rated, board-certified financial planning professional with over 20 years of experience coaching individuals and businesses on ways to improve and protect their personal or business bottom line. His practice encompasses investment management as well as asset protection strategies for business owners and professionals. He is a published author, has been quoted extensively at www.BankRate.com, and has appeared on TV as a subject matter expert guest on “Your Money ABCs.” He is a member of the Financial Planning Association and the CFP Board of Standards, and serves on the Merrimack Valley Estate Planning Council.
Dennis Ford Eagan
Dennis Ford Eagan is an attorney with Finneran & Nicholson, P.C., a business law firm located in Newburyport. Attorney Eagan focuses his practice on advising and counseling business clients regarding employment matters and compliance with state and federal laws and regulations. Attorney Eagan also advises business clients on protecting their intellectual property interests. He is a member of the Massachusetts Bar Association and the Newburyport Bar Association and has co-chaired presentations before the bar associations, including a recent presentation on the Massachusetts Identity Theft and Data Security Regulations, 201 CMR 17.00.
Ray Arpin
Ray Arpin has 30 years of experience working with organizations from small companies and start-ups to Fortune 10, Global 2000, state and federal organizations, in a wide variety of industries and segments. His specialty is business process improvement to increase sales and reduce costs, professional services, and regulatory compliance. Most recently he has focused on helping companies and individuals quickly apply business best practices, and specifically on becoming compliant with personal identity security regulations and MA 201 CMR 17.00.
Matt Pettine
Matt has over 20 years of experience in business and in best practices for the application of technology. He holds no fewer than five certifications in these areas. He fully understands business and how its different functions interrelate, along with the use of technology to compete in today’s business world. He has worked in security and regulatory compliance with MA 201 CMR 17.00, Sarbanes-Oxley, and other regulations. He is a member of the Information Systems Audit and Control Association.
Slide 5: Personal Identity Protection (How it started…)
On August 2, 2007, Governor Deval Patrick approved the Massachusetts Act Relative to Security Freezes and Notification of Data Breaches, one of the most comprehensive personal identity theft prevention statutes in the country. The Act has three components:
Establishing a right for consumers to request a security freeze on their consumer report (Mass. Gen. Laws c. 93, §§ 58 – 62A);
Requiring notification of security breaches to regulators and affected residents (Mass. Gen. Laws c. 93H);
Establishing procedures for destruction and disposal of personal identity information (Mass. Gen. Laws c. 93I).
Slide 6: Mass. General Law c. 93H – Personal Information
Under Mass. Gen. Laws c. 93H, § 1, the Legislature defined Personal Information as:
“A resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver’s license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”
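As an added example (not part of the original presentation), the following Python applies the c. 93H § 1 definition above to constructed sample records. It is the kind of quick scan that supports the “how is personal identity info handled today?” step of the assessment on Slide 15: a record counts as Personal Information only when a name is present together with at least one data element. The SSN structure rules (area not 000, 666 or 900-999; group not 00; serial not 0000) and the Luhn check are standard validation heuristics, not part of the statute; driver’s license formats vary by state and are not matched; whether information was lawfully obtained from public sources cannot be decided by code and is not checked. The records and the card number (a well-known test value) are made up.

```python
import re

# Patterns for two of the three c. 93H data elements: SSN and card number.
# Driver's license formats vary by state and are deliberately not matched here.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def plausible_ssn(area, group, serial):
    """Reject SSNs the SSA never issues (validation heuristic, not statutory text)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_elements(text):
    """Return (kind, value) for each SSN or card number found in free text."""
    found = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(("card", digits))
    return found


def classify(record):
    """c. 93H s. 1: a name AND at least one data element => Personal Information."""
    elements = find_elements(record["text"])
    has_name = bool(record.get("name", "").strip())
    return {"personal_information": has_name and bool(elements), "elements": elements}


# Constructed sample records (no real people or accounts).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "text": "Paid invoice 1187 with card 4111 1111 1111 1111"},
    {"name": "", "text": "SSN 123-45-6789 scanned from W-4, name not captured"},
    {"name": "John Roe", "text": "Left voicemail 2009-08-04, no account on file"},
    {"name": "Ann Lee", "text": "Entered SSN 000-12-3456 (typo, rejected by validator)"},
]


def scan(records=SAMPLE_RECORDS):
    """Return the subset of records that meet the statutory definition."""
    return [r for r in records if classify(r)["personal_information"]]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["name"] or "(no name)", classify(r))
```

The second record shows why the name test matters: a bare SSN is sensitive and still needs protecting, but on its own it does not meet the c. 93H definition, so a scanner that ignores the name-plus-element rule will over-count what the WISP must cover and under-explain what actually triggers notification.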
Slide 7: OCABR – 201 CMR 17.00 Purpose
Pursuant to c. 93H, the Office of Consumer Affairs and Business Regulation (OCABR) issued regulations 201 CMR 17.00, regulating persons and businesses maintaining Personal Information. Purpose of the regulations:
Ensure the security and confidentiality of customer information in a manner fully consistent with industry standards;
Protect against anticipated threats or hazards to the security or integrity of such information;
Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
Compliance required by January 1, 2010 (previously extended by the OCABR from the original compliance date of January 1, 2009).
Slide 8: Businesses and Individuals
201 CMR 17.00 applies to all persons and businesses that own, license, store or maintain Personal Information of any Massachusetts resident.
The regulations cover all Personal Information, whether on paper (hard copy) or stored electronically. Covered businesses and persons must develop, implement and maintain a comprehensive Written Information Security Program (“WISP”). The WISP must contain administrative, technical and physical safeguards to ensure the security and confidentiality of Personal Information, and is intended to be reasonably consistent with industry practices and with federal regulations.
As a result, these regulations cover all employers, professional service providers, and almost all businesses that accept credit or debit cards. Also, if you have any employees, you need to protect their Social Security numbers.
Slide 9: Written Information Security Program (WISP)
Basic required elements of a WISP:
Designating one or more employees to maintain the program;
Identifying risks and how Personal Information is taken in;
Improving safeguards;
Limiting access and restricting use and transport;
Encryption and computer system security requirements;
Training employees and requiring compliance;
Detecting and preventing failures and documenting response actions;
Third-party certification of contractors who maintain or have access to Personal Information;
At least annual review.
Slide 10: Disposal of Personal Information
Mass. Gen. Laws c. 93I sets minimum standards for disposal of Personal Information so that it cannot practicably be read or reconstructed:
Paper / hard copies: redacted, burned, pulverized or shredded
Electronic / non-paper: destroyed or erased
Take care that Personal Information is properly shredded, e.g., by obtaining written certification from third-party shredding services. Take care in destroying, erasing and disposing of hard drives, laptops, computers, cell phones, and PDAs. Deleting files or reformatting a drive does not erase the data; media must be overwritten, degaussed, or physically destroyed.
Slide 11: Enforcement of 201 CMR 17.00
Enforced by the Massachusetts Attorney General, who may bring an action under Mass. Gen. Laws c. 93A, § 4 for:
Injunctive relief;
Civil penalties of not more than $5,000 for each violation;
Costs of investigation and litigation, including attorney’s fees.
Civil liability for any breach / increased duty of care.
Mass. Gen. Laws c. 93I (Destruction):
Fines of up to $100 per data subject affected;
Not more than $50,000 for each instance of improper disposal.
Slide 12: Possible Implications and Why Be Concerned?
Applicability: if your organization obtains personal identity information from MA residents, you MUST comply
Personal Identity Information: credit card, driver’s license, or Social Security numbers
Possible Fines: $5,000 per occurrence, and/or per person affected or compromised
Past Problems: TJX, Hannaford, {others; reference recent articles}
Facility: is your office or facility secure, all the time? Are you at risk for more than personal identity theft?
Unauthorized or Unknown Access: who can get their hands on PI info? Employees, contractors, suppliers, customers. How do you know the info is safe?
Other Regulations: do you have to comply with HIPAA, Sarbanes-Oxley, etc.? 201 CMR 17.00 actually requires more and different compliance than other regulations.
Professional Malpractice Risks: if you are an attorney, CPA, doctor, or any other professional, did you know that you are at risk for a malpractice lawsuit if you do not advise your client of personal identity theft compliance requirements?
Potential {Probable} Cause for Lawsuits: violations will be viewed by litigation attorneys as a basis for bringing ADDITIONAL liability lawsuits against violators.
Slide 13: How to Comply with 201 CMR 17.00
We will go into more detail on each bullet point:
Assess your current situation
Create a detailed WISP
Establish detailed information security processes and procedures
Notify key parties of any security breach
Other good business practices
Computer and electronic security aspects
Slide 14: Dave’s Top 10
10 - Your login screen says ‘Win XP’
9 - I will sleep better
8 - My inbox is full of SPAM and I can’t find anything
7 - My passwords include: ‘password’, ‘null’ (no password), ‘sa’, ‘admin’, ‘asdf1234’, ‘root’, or my name
6 - ‘My computer and the internet take forever! #@$%&’ or ‘My computer takes forever to boot up!’
5 - A customer asked me about this new law the other day, and whether we were compliant
4 - My insurance company was asking about this new data law
3 - My credit card processor mentioned something about an $880,000 fine for TJX stores
2 - My lawyer mentioned something about not only fines, but other legal suits and more costs
1 - It’s not only the law and I don’t want to be fined or sued; it is just good business!
Slide 15: Assess Information Security
Overall approach:
Identify gaps between your operations and the regulation
Identify areas of potential risk, paper and electronic
List specific action items for corrective measures
Are your facilities locked and secured?
Are any computers allowed to leave the premises?
Are your network connections completely secure?
Who has access vs. a need to know or handle, paper and electronic?
How is personal identity info handled today?
See the audit/assessment spreadsheet (facilities and equipment, etc.)
Slide 16: Create a Detailed WISP
Written Information Security Program (WISP):
General headings and categories
Specific detail of the processes and procedures to follow to protect Personal Identity (PI) information, and to take in the case of a breach (loss of PI)
Prepare supporting documents and templates
Additional guidelines are available from the Mass.gov website; see www.BostonBusinessAlliance.com for links
Example start of a WISP
Slide 17: Establish Processes & Procedures
Establish and then test all processes and procedures to make sure they work; add details as needed
These documents will be part of an audit
Bridge any gaps found in your assessment
Implement electronic security and protection
Train all employees, including annual re-training
Annual audits and reviews are required by the regulation
Slide 18: Required Notifications
In the case of ANY potential security breach, you are required to notify:
MA OCABR
MA AG office {link to sample letter and handouts}
Each MA resident about whom you hold any personal identity information {link to sample letter and handouts}
Credit card processing companies
Employees
Other entities …
Slide 19: Other Good Business Practices
Put a compliance statement on your website, and make sure that you do comply!
Notify any of your partners, vendors, or suppliers that they MUST comply if they access any of your PI information for MA residents; ask them for a statement of compliance
Example of MA IT Contractor Certification
Slide 20: Computer System Security
The regulation includes specific requirements related to computer system security:
Authentication
Access controls
Data transmission
Monitoring
Encryption
Firewalls and related
Viruses & malware
Training
Slide 21: Authentication
Control of user accounts:
“Control of IDs”
“Reasonably secure passwords”
Control of password security
Restrict access to active users
Block access after multiple attempts
Slide 22: Access Controls
Restrict access to those who “need to know” to perform their jobs
File system security / permissions (third-party tools available)
Assign IDs and passwords that are unique (not shared) and “not vendor-supplied defaults”
Immediately remove access when employees leave or are terminated
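As an added example (not from the original presentation), this Python walks a directory that is assumed to hold PI files and lists every file readable by accounts other than the owner, which is one concrete way to check the “need to know” point above on a file server. The directory layout and file names are constructed inside the demo function; the check looks only at POSIX mode bits, so ACLs, Windows NTFS permissions and share-level permissions are not covered and would need a separate check.

```python
import os
import stat
import tempfile


def overexposed_files(root, allow_group=True):
    """Files under root readable by more than the owning account.

    With allow_group=True only world-readable files are reported, on the
    assumption that group membership is how need-to-know is managed; set it
    to False to report group-readable files too.
    """
    mask = stat.S_IROTH if allow_group else (stat.S_IRGRP | stat.S_IROTH)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)   # permission bits only
            if mode & mask:
                hits.append((os.path.relpath(path, root), oct(mode)))
    return sorted(hits)


def build_demo_tree():
    """Constructed tree: PI-like file names with deliberately different modes."""
    root = tempfile.mkdtemp(prefix="pi_share_")
    layout = {
        "hr/payroll_2009.csv": 0o644,     # world readable: violates need to know
        "hr/w2_copies.pdf": 0o600,        # owner only
        "finance/card_batch.txt": 0o640,  # group readable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample, no real data\n")
        os.chmod(path, mode)   # set explicitly so the umask does not matter
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode in overexposed_files(demo_root):
        print(mode, rel)
```

Run it against the real PI share (with `allow_group=False` if groups are not curated) and put the output in the assessment spreadsheet; a file that shows up here is readable by anyone with a login on the box, whatever the WISP says about need to know.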
Slide 23: Data Transmission
Encryption of transmitted data, “where technically feasible”:
Web sites (SSL/TLS, https)
Email (PGP / third-party services)
Remote access solutions
Online service providers
Wireless (“all data”)
Slide 24: Monitoring
“Reasonable monitoring of systems for unauthorized use of or access to personal information”
Intrusion detection
Application logs
Server firewalls
Network security logs
File system auditing
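As an added example (not from the original presentation), the following Python combines two of the regulation’s points: “block access after multiple attempts” from Slide 21 and the “reasonable monitoring … for unauthorized use” requirement above. It replays constructed log lines (the record format is invented for this example, not a real product’s) and raises three kinds of alert: an account that should be locked after five failures within ten minutes, a successful login on an account that should already be locked (a sign the lockout is configured on paper but not enforced), and a read of a file holding personal information outside business hours. The threshold, the window and the 07:00-19:00 business day are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                # assumed lockout threshold
WINDOW = timedelta(minutes=10)  # assumed counting window
BUSINESS_HOURS = range(7, 19)   # assumed 07:00-18:59 local time

# Constructed sample log; format is 'YYYY-MM-DD HH:MM:SS EVENT k=v k=v ...'.
SAMPLE_LOG = """\
2009-08-04 08:01:12 LOGIN_FAIL user=alice src=10.0.0.7
2009-08-04 08:01:20 LOGIN_FAIL user=alice src=10.0.0.7
2009-08-04 08:01:33 LOGIN_FAIL user=alice src=10.0.0.7
2009-08-04 08:01:41 LOGIN_FAIL user=alice src=10.0.0.7
2009-08-04 08:02:05 LOGIN_FAIL user=alice src=10.0.0.7
2009-08-04 08:03:00 LOGIN_OK user=alice src=10.0.0.7
2009-08-04 08:10:00 LOGIN_FAIL user=bob src=10.0.0.12
2009-08-04 08:10:30 LOGIN_FAIL user=bob src=10.0.0.12
2009-08-04 08:11:02 LOGIN_OK user=bob src=10.0.0.12
2009-08-04 09:15:44 PI_FILE_READ user=bob path=/srv/hr/payroll_2009.csv
2009-08-04 23:40:09 PI_FILE_READ user=carol path=/srv/hr/w2_copies.pdf
"""


def parse(line):
    """Split one log record into (timestamp, event name, {key: value})."""
    date, time, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), event, attrs


def analyze(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (locked, alerts); alerts are (time, kind, user, detail) tuples."""
    recent = defaultdict(deque)   # user -> failure timestamps inside the window
    locked = {}                   # user -> time the lockout should have begun
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event, a = parse(line)
        user = a.get("user", "?")
        if event == "LOGIN_FAIL":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # forget failures older than window
                q.popleft()
            if len(q) >= max_failures and user not in locked:
                locked[user] = ts
                alerts.append((ts, "LOCKOUT", user, a.get("src")))
        elif event == "LOGIN_OK":
            if user in locked:
                # success after the threshold: the lockout is not being enforced
                alerts.append((ts, "LOGIN_WHILE_LOCKED", user, a.get("src")))
            else:
                recent[user].clear()          # a good login resets the counter
        elif event == "PI_FILE_READ" and ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, "OFF_HOURS_PI_ACCESS", user, a.get("path")))
    return locked, alerts


if __name__ == "__main__":
    locked_users, found = analyze(SAMPLE_LOG.splitlines())
    for ts, kind, user, detail in found:
        print(ts, kind, user, detail)
```

Two design points worth noting: bob’s two failures followed by a success are treated as a typo, not an attack, because a good login clears the counter before the threshold; and the sliding window means a slow attacker who spaces attempts more than ten minutes apart never trips the lock, so the failure count per source address over a day is a second query worth running against the same log.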
Slide 25: Encryption
Laptops:
Encryption vs. passwords (a login password alone does not protect the data on a lost laptop, since the drive can be read from another machine; only encryption does)
File-based vs. entire laptop (full disk)
Operating system vs. third-party solutions
“Other devices”:
Portable hard drives (USB devices)
Backup media
CDs, DVDs, Blackberries, PDAs
Slide 26: Firewalls and Operating Systems
Firewall protection: “reasonably up-to-date”, vendor supported and routinely updated
Operating system security patches: use automatic update features on servers and workstations; user considerations
Slide 27: Viruses and Malware
“Reasonably up-to-date versions” of system security agent software, which “must include malware protection”
Supported by the vendor, with up-to-date patches and virus definitions
“Set to receive the most current security updates on a regular basis”
Slide 28: Education and Training
“Education and training of employees on the proper use of the computer security system and the importance of personal information security.”
New hire orientation
Specific routine organizational efforts
What to do if they experience any potential security risk or problem
Slide 29: Estimated Cost of Compliance
[Bar chart: estimated cost in dollars (axis 0 to 30,000) for the OCABR, Real World and Worst Case scenarios, broken out as One Time, Recurring and Total; the figures are on the next slide]
Based on OCABR estimates for a 10-person business with 3 laptops and 1 network server serving 7 desktops
Options: 1 Potential high cost; 2 Possible outsource; 3 OCABR estimates*; 4 Do it yourself??; 5 Yourself & expert
Slide 30: Back-Up Cost Information*
Scenario: 1 server, 3 laptops, 7 desktops. Three cost cases (OCABR, Real World Cost, Worst Case), each with One Time and Recurring columns.
Line items: Hardware (new PCs); Software; Professional service (WISP, audit, apply patches, install software); Training; “Systems compliance”; “Data audit and compliance”.
Totals (one time / recurring / total):
OCABR: $3,000 / $1,000 / $4,000
Real World Cost: $8,000 / $9,000 / $17,000
Worst Case: $11,500 / $15,000 / $26,500
Line-item figures as extracted (the page no longer shows which row and column each belongs to): $3,750, $1,000, $7,500, $1,000, $500, $3,000, $250, $750, $3,000, $750, $500, $6,000, $10,000.
* The OCABR assumption is that the business would already have retained such a consultant to monitor and maintain the current installation and software in connection with protecting the company’s own and its customers’ information.
Slide 31: Opportunities for Savings
Hire professionals:
Make sure they cover the entire regulation
Appropriately scope and estimate the effort
Negotiate responsibilities and resources
Or, if you know the regulation well, be selective
Other options:
Research and learn all the requirements and nuances
Use the ‘legalzoom’ approach
Use free and open source software
Leverage your current investment
A sound business decision is to combine various options with some outside help
Slide 32: Free Limited Assessment
Arpin Consulting will provide a free, limited, one-hour 201 CMR 17.00 compliance assessment for any attendee.
Focus:
Specific processes and procedures required to ensure compliance
High-level electronic information security (PCs, network, etc.)
Deliverables:
An assessment of potential risks or problems that may interfere with compliance
An assessment of electronic information security, specifically high-level network and computer security
A preliminary report that will point out potential problems, suggested corrective actions, and any urgent items to meet the January 1, 2010 deadline
You decide what you will do with the report: do it yourself; assign it to someone; hire someone; or a mix
Security compliance audit information: handouts
Contact to schedule your free assessment: Ray Arpin, 617-435-1159, email: Ray@RayArpin.com; Bob Carroll, 617-314-9813, email: Bob@Bob-Carroll.com
Slide 33: Questions & Call to Action
Moderator: Steven Stanganelli
If necessary, the moderator or speakers will suggest taking a question “off line” (after the Q&A) for a more detailed answer
Speakers, BBA members, and security consultants/vendors will be available after the meeting for a limited time
Slide 34: Sponsors (same sponsor list as Slide 2)
Slide 35: Closing and Adjourn
Reminder about the Boston Business Alliance:
Visit the website to suggest hot topics for these types of meetings
Invite other small business owners and peers who might benefit
Register for future meetings
Ask us to put your name on our email list to be notified of future meetings and events
Evaluation form: please complete it and leave it on the table on your way out so that we can continuously improve
Slide 36: Contact Information
Boston Business Alliance: www.BostonBusinessAlliance.com (see the website for additional contact and member information)
Attorney Dennis Ford Eagan, Finneran & Nicholson, PC: www.finnerannicholson.com, 978-462-1514, email: dennis@finnic.com
Ray Arpin, Arpin Consulting: www.rayarpin.com, 617-435-1159, email: ray@rayarpin.com
Matt Pettine, MFA - Moody, Famiglietti & Andronico, LLP: www.mfa-cpa.com, 978-557-5300, email: mpettine@mfacornerstone.com
See our website and handouts for other contacts, along with information on 201 CMR, the BBA, and our sponsors
www.BostonBusinessAlliance.com
Feel free to pick up any of the handouts on the table.