Standards for The Protection of Personal Information of Residents of the Commonwealth

Here is an overview of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This is a new Massachusetts Information Security law that goes into effect January 1, 2009.

Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(a) Designating one or more employees to design, implement and coordinate the maintenance of the comprehensive information security program;

(b) Identifying and assessing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information in each relevant area of the person’s operation, and evaluating and improving, where necessary, the effectiveness of the current safeguards for minimizing such risks, including but not limited to:

    (i) ongoing employee (including temporary and contract employee) training;

    (ii) monitoring employee compliance with policies and procedures;

    (iii) upgrading information systems, including network, system and software design, as well as information processing, storage, and transmission, as necessary;

    (iv) storage of records and data in locked facilities, storage areas or containers; and

    (v) improving, as necessary, means for detecting, preventing and responding to security, including but not limited to security systems, failures.

(c) Developing security policies for employees who telecommute that take into account whether and how such employees should be allowed to keep, access and transport data containing personal information.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.

(e) Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.

(f) Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including

    (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and

    (ii) contractually requiring service providers to maintain such safeguards.  Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.

(g) Collecting the minimum amount of personal information necessary to accomplish the legitimate purpose for which it was collected; retaining such information for the minimum time necessary to accomplish such purpose; and permitting access to the smallest number of persons who are reasonably required to know such information in order to accomplish such purpose.

(h) Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.

(i) Regularly monitoring and auditing employee access to personal information in order to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information.

(j) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(k) Documenting responsive actions taken in connection with any incident involving a breach of security or the potential therefor, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Businesses shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

(1) Secure user authentication protocols including:

 (i) control of user IDs and other identifiers;

 (ii) a secure method of assigning and selecting passwords consisting of at least seven letters and numbers;

 (iii) control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access;

 (iv) restricting access to active users and active user accounts only; and

 (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

 (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

 (ii) assign a unique identification plus a password, which is not vendor supplied, to each person with computer access;

(3) Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks. 

(4) Periodic monitoring of networks and systems, for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times and success or failure of login;

(5) Periodic review of audit trails restricted to those with job-related need to view audit trails;

(6) For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches.  A firewall must, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.

(7) The most current version of system security agent software which must include antispyware and antivirus software, including up-to-date  patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

(9) Restricted physical access to computerized records containing personal information, including a written procedure that sets forth the manner in which physical access to personal information is restricted. When notified of any unauthorized entry into a secure area by either an employee or any other unauthorized person, the integrity of the computerized records must be reviewed.

(a) Designating an employee to be in charge of the information security program
(b) Identifying and assessing internal and external risks
(c) Developing security policies for employees who telecommute
(d) Imposing disciplinary measures for violations
(e) Preventing terminated employees from accessing data
 (f) Taking reasonable steps to verify that service providers are compliant
(g) Collecting the minimum amount of personal information necessary to accomplish the job
(h) Inventorying all paper and electronic data to identify personal information.
(i) Regularly monitoring and auditing employee access to personal information
(j) Reviewing the scope of the security measures at least annually
(k) Documenting responsive actions with any incident involving a security breach

Local IT support for MA businesses:

TeamLogic IT
100-F Tower Office Park
Woburn, MA 01801
Office:  781-791-3016
Fax: 781-791-3017
Woburn@teamlogicit.com

The Perfect Storm: State Breach Laws & The Economy

When the economy is down, there is a trend to see more lawsuits. Some are to right wrongs, but a frightening number are frivolous lawsuits that are filed with the intent to make money from an incident.

Non-compliance with a law or industry requirement sets the stage for a negligence lawsuit. In the realm of Information Security compliance, you are “guilty until proven innocent” by the very nature of having to prove you did everything correctly.

I recently wrote about a new Massachusetts law (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth). If you are unfamilar with it, here is an interesting flier about the new legislation. With this new law and a weakening economy, they together create a “perfect storm” for frivolous lawsuits against businesses. The best protection is clearly taking preventative steps to both become compliant and to maintain compliance.

If you would like to learn more about how to protect your business, please feel free to e-mail me at tcornelius@iSecurityPolicy.com and I will be more than happy to help answer any questions you may have. You can always go to www.iSecurityPolicy.com to read in greater detail about other Federal and state Information Security laws and what those mean to you and your business.

Don’t get caught in the storm—plan ahead and be safe!

Following Oregon's Lead - Massachusetts 201 CMR 17.00

Starting in 2009, the Commonwealth of Massachusetts will have a strong, new law to protect its residents. It is very similar to the Oregon Identity Theft Protection Act (OIPTA), but it actually has a few improvements. Like the OITPA, what the law really means can be somewhat puzzling for business owners. The new law (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth) requires businesses to ensure the protection of Personally Identifiable Information (PII) on all Massachusetts residents.

This affects the entire range of businesses from sole proprietors to large corporations. Additionally, since non-profits also deal with PII, these entities must follow the same compliance requirements as businesses. This new law requires all Massachusetts businesses and organizations to develop and implement acomprehensive information security program. The law is similar to that of other states. The goal is to have businesses secure their operations so that it makes it harder for identity theft and hacking incidents to occur.

On a positive note for businesses, by enacting the steps to become compliant with Information Security laws, an organization can reap long-term savings from the beneficial effects of a good security program. These savings include less virus outbreaks, decreased downtime from data loss or corruption, a better educated workforce, and decreased reactive computer and network support costs.
What is your plan to make your business compliant?

Fool’s Gold at the Olympics – A Hacker’s Decathlon

It is not just the athletes who will be sweating in Beijing this summer. It is a hacker’s paradise – a target rich environment where people will have their guard down. While it is a noble thought that the Olympics are a time for adversaries to set aside their differences and enjoy the spirit of athletic competition, it is unfortunately quite naïve.

National security agencies are warning businesses and government officials that laptops, smart phones, and USB devices taken to the Beijing Olympics are likely to be penetrated by Chinese agents aiming to steal secrets or plant malicious software in order to infiltrate U.S. computer networks. Equipment left unsupervised for just minutes in a hotel room or even during a security screening can be hacked, data mined and bugged. China's government also controls all Internet Service Providers (ISPs) and wireless networks, so computers and PDAs will both be monitored and open for compromised by remote means.

China is currently the source of the most advanced cyber attacks, targeting foreign governments, as well as their own dissidents. While it is undisputed that every modern government employs offensive and defensive cyber warfare expert, few other countries share China’s disregard for human rights. Additionally, with the growing offensive military capabilities China possesses, the paramilitary connections between hackers and the Chinese government are quite disturbing.

While the Chinese government maintains plausible deniability, China uses the Internet as a weapon against its dissenting citizens and other outspoken critics. In early May, U.S. Senator Sam Brownback alleged that the Chinese government had asked major hotel chains to censor their Internet traffic during the 2008 Olympic Games. This is not something normal in the spirit of openness and progressive thinking, in line with the Olympics.

The most disturbing ramifications from the 2008 Olympic Games will be the Trojan Horses and root kits installed on visitors’ computers by Chinese agents and hackers. Blissfully ignorant, these tourists will return to the United States and other countries to infect their networks with their payload.

Why is this disturbing? The historical trend of Chinese hackers has not been top secrets, but to probe networks in “proof of concept” attacks against foreign governments, military networks, utilities, and civilian networks. For the United States, an example is with the NIPRNet (Non-classified Internet Protocol Router Network). The NIPRNet will crucial in the rapid deployment of U.S. and allied forces should China attack Taiwan. By crippling even an unclassified communications network, China would gain crucial hours and minutes in a lightning attack designed to force Taiwanese surrender. While it is impossible to predict the course of human history, the Chinese government has developed a trained and capable cyber warfare force capable of a first-strike attack.

The best defense is to have a healthy sense of paranoia when traveling to foreign countries, or when using public Internet connections. Any publicly accessible computer, such as a business kiosk at a hotel or an Internet café, should always be viewed as an infected machine. There is a good chance they computers do have keystroke loggers installed and will capture everything typed during your session, which will compromise your account logon credentials and more. If you must use a public computer, never access any account that can later be used to affect a data breach on another account. You may want to create a temporary, free webmail account that is specifically used for your travel purposes

Portland Area Businesses Still Need Windows XP

Over the past few months, we have made a concerted effort to get more involved in the local business community. We really want to become known as the “go to” company for IT support for local businesses. We take pride in the services we offer and we really enjoy what we do. One thing we try and do is keep our customers and other local businesses informed of technology issues that affect them

Of significant interest to most businesses this month is June marks the “official” end of Windows XP. All new computers purchased after July 1, 2008, will ship with Windows Vista. Interestingly, there is a caveat where businesses can “upgrade” from Windows Vista Business to Windows XP Professional. Windows Vista Business and Windows Vista Ultimate have what Microsoft calls “Downgrade Rights.” Downgrade Rights means that anyone with a Windows Vista Business or Windows Vista Ultimate operating system can downgrade to Windows XP Professional provided they have the media for Windows XP Professional. Windows Vista Home Basic and Windows Vista Home Premium do not have this option, as they are not capable of downgrading to Windows XP. TeamLogic IT can assist your business in making sure you can continue to purchase computers with Windows XP, so keep us in mind when it is time to upgrade.

Newly updated www.iSecurityPolicy.com

It is a pleasure to announce the update of iSecurityPolicy.com with upgraded features and a cleaner interface. If you or anyone you know is in need of professionally written Information Security policies, procedures, standards, and guidelines then iSecurityPolicy.com is the best source to visit.

PCI DSS Compliance - The Truth Hurts!

The more merchant service providers I talk with, the more amazed I am about how most sales reps have no knowledge of the Payment Card Industry Data Security Standard (PCI DSS). This is such a shame, since it is a huge disservice to the clients they serve. That may sound harsh, but they make a living as the "expert" the merchants turn to for their credit card needs, while the "expert" does not understand the fundamental principles of the PCI DSS and how it applies to merchants.

There are many compelling reasons for Small and Medium Businesses (SMBs) to implement Information Security policies. Specifically, the PCI DSS is arguably the most significant liability facing merchants today and most are completely unaware of it. The PCI DSS applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. If you are a merchant, PCI compliance is not a request, nor a suggestion - it is now a requirement, regardless of your size or location.

For a merchant, the liabilities resulting from being non-PCI DSS compliant at the time of an incident include:

• Fines from the PCI
• Being held accountable for the complete amount of fraudulent charges
• Being charged for the costs associated with the breach (e.g. legal fees, card reissue fees, etc)
• Possible cancellation of the merchant services account
• Being found negligent by not meeting a known industry requirement (insurance carriers generally will not cover claims when a company is found negligent, due to the negligence loophole)
• Lawsuits from ID theft victims / disgruntled clients due to the breach (lawsuits will not be covered by insurance, due to the negligence finding, so the client may be forced into bankruptcy)

The 12 requirements of the PCI DSS are:

• Install & maintain a firewall connection to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.
• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.
• Use and regularly update anti-virus software or programs
• Develop & maintain secure systems and applications.
• Restrict access to cardholder data by business need-to-know.
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.
• Track & monitor all access to network resources & cardholder data.
• Regularly test security systems & processes.
• Maintain a policy that addresses Information Security for employees and contractors.

With the consequences ranging from fines to devastating lawsuits, precautionary measures pale in comparison to the reactive costs associated with cleaning up from non-compliance breaches. As a merchant, if you are non-compliant at the time of an incident, the PCI will hold you liable for 100% of the fraudulent charges, as well as the costs to reissue credit cards to affected cardholders. Additionally, by failing to meet PCI DSS compliance standards that result in identity theft to a client, a reasonably competent attorney can quite easily demonstrate negligence on your behalf. Failing to meet compliance requirements can be used against you in a lawsuit, since industry standards, such as the PCI DSS, are the benchmarks used to demonstrate negligent behavior in a court of law.

The bottom line is the compliance cost associated with the PCI DSS is an unavoidable cost of doing business. In order to decrease the burden associated with this process, we can provide a cost-effective, customized Information Security Policy Manual (ISPM) for merchants. This ISPM covers the PCI DSS and more, so you will be able to implement and document the security of your computer network. Having the ISPM and implementing the steps to securing your network will demonstrate due care and due diligence on your behalf, which is the first step in mitigating your liabilities, as well as becoming PCI DSS compliant.

The benefits of Information Security for small and medium businesses are many:

• Decreased costs - less reactive IT support
• Improved productivity - decreased distractions
• Decreased virus & spyware outbreaks
• More efficient operations
• Better performing network & computers
• Better accountability of assets & resources
• Better educated & trained employees

On a positive note, PCI members, such as Visa, offer safe harbor protection from fines in the event a merchant or service provider experiences a data compromise. To attain safe harbor status, merchants and service providers must:

• Maintain full compliance at all times. This includes adhering to all requirements at the time of a breach or compromise, as demonstrated during a forensic investigation.
• Demonstrate that, before the compromise, the merchant or service provider already met the compliance validation requirements, demonstrating full compliance with the PCI DSS.

If you are merchant service provider and would like to offer an Information Security Policy Manual (ISPM) to your clients, we can establishe an affiliate relationship.Please contact tcornelius@teamlogicit.com for more details or visit www.PCIDSSpolicy.com.

TeamLogic IT of Vancouver - Ribbon Cutting

Bob & Cindie Berry, owners of the new TeamLogic IT in Vancouver, WA, held a recent "ribbon cutting" ceremony to mark their official opening and to showcase their state-of-the-industry office and services.

Welcomed guests included Rick Bowler, Marilee Thompson & Dave English from One Pacific Corp; Norm Paulson & Debbi Lessard from Paulson & Lessard; Mike Ward from Pacific Northwest Telco; DeeAnne Scherdnik from First Indy Bank; Tom Cornelius & Mike Weidman from TeamLogic IT of Beaverton; and Vince Plaza & Manu Larson of TeamLogic IT's corporate office.

TeamLogic IT - How IT works

This is a great video demonstrating how SystemWatch, from TeamLogic IT, can save your business time, save your business money, and decrease your liabilities.

Download systemwatch_demo_v2.wmv

SystemWatch is an enterprise-class suite of tools specifically tailored for the small to medium sized business. TeamLogic IT is a Managed Service Provider (MSP), delivering services that until recently were only available to Fortune 500 companies.

The Breach List - Worse Than Being On Santa's Naughty List

Imagine a "perfect" storm so ferocious and daunting that even seasoned sailors smash their vessels upon the rocks while trying to weather the onslaught of the winds, waves, and currents. Now imagine being given safe passage to a harbor that protects you and your ship from the effects of the storm. If you were given the choice to go down with the ship or drink coffee by a cozy fire, which would you choose? For myself, I'll take my coffee with cream and two sugars...

This "safe harbor" analogy is exactly what state legislators build into ID theft and breach notification laws. It is commonly referred to as an "encryption exemption," since it exempts organizations from having to disclose breaches simply because the data being protected by the encryption is not able to be accessed. Most system administrators with an ounce of creativity can crack into a Windows operating system computer. The rule of thumb is if you have physical access to a system, you can compromise it. Encryption, such as AES-128, makes it mathematically improbable to access the data without the encryption key. Note, it is mathematically improbable, not impossible. With enough computing power, encryption can be broken (however long it may take to break the algorithm).

This safe harbor rule keeps those companies that adopt encryption off the "breach list" - the growing list of notorious companies that get vilified in the news for allowing breaches of client data to occur. The breach list is an exception to the rule that any kind of publicity is good publicity. People lose their jobs and permanently harm their careers over data breaches, from IT staff to corporate officers.

In a real world example, if your laptop or USB drive with confidential data on it is stolen or otherwise accessed without authorization - that is a data breach. With breach notification laws in effect, the clock starts and your company would have to determine what data was compromised and then notify every individual involved. This will trigger lawsuits, the significant loss of your client base, and very negative publicity which will take years to erase. However, the encryption exemption lets organizations forgo the notification requirement if the Personally Identifiable Information (PII) was encrypted at the time of the unauthorized disclosure. With whole hard drive or volume encryption, this becomes a non-issue since the data cannot be access without the encryption key and is therefore not considered a data breach. Yes, the laptop or USB may be stolen and in the hands of a hacker, but if enterprise-level encryption software is used, the hackers will not be able to access the data in unencrypted form... unless they also stole the encryption key, but that is a story for another day for keystroke loggers.

For those of us here in Oregon, we are thankful to have the Oregon Identity Theft Protection Act (SB 583). This is a very well written piece of legislation and thankfully, it does contain a safe harbor clause. The law requires that ‘reasonable safeguards‘ be maintained including the implementation of a security program, risk assessment, data monitoring, and data disposal. The law also has requirements for data breach notification specifically focused on PII. If your PII is encrypted, you forgo the notification process.

According to SB 583, PII consists of: "A consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
– Social Security number.
– Driver license number or state identification card number issued by the Department of Transportation.
– Passport number or other United States issued identification number.
– Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account."

Some people argue encryption is the answer to information breaches, others believe prevention is the answer. I personally believe you cannot have an effective information security plan without both preventative (education & awareness) measures and encryption. Most small and medium businesses have undefined and risky business processes that their own IT staff have no knowledge of and therefore are unable to provide protection. It is rather foolish to believe all employees will do their part. It is simply human nature and it requires constant vigilance, as well as the tools to counter those traits.

Notification is an immensely powerful incentive for organizations of all size to sit up and take notice of their Information Security practices. Along with regulatory pressure, organizations need to routinely audit their business practices and be realistic about identifying and mitigating risks. It is simply another case of if you fail to plan, then you plan to fail. Without encryption for your mobile workforce, do not be surprised to see your company's name on the Breach List.

If you are a Portland-metro area company and want to learn about encryption options, TeamLogic IT will provide a 1-hour free consultative meeting. We can provide you a road map to get you on the proper course to protecting your business properly.