New Data Regulation Law: 201 CMR 17.00
TJX Video
Minimum Requirements
Secure Access control measures
Secure user authentication protocols
Monitoring for unauthorized access
Encrypt PI that is or would be transmitted wirelessly
Minimum Requirements
Encryption of all PI on portable media
◦ Laptops
◦ Smartphones
◦ PDAs
Up-to-date firewall and security patch protection
Up-to-date security agent software
◦ Virus protection
◦ Malware protection
Employee training
W.I.S.P. (Written Information Security Program)
Create a policy that encompasses the entire organization – develop a Security Policy to Safeguard PI
Identify existing PI
Advise senior management if current technology places PI at risk
Define rules for protecting PI that cover both paper and electronic records
W.I.S.P.
Ensure all employees who have access to PI records are trained in safeguarding them
Ongoing training through workplace posters and e-mails
Signed policies provide an audit trail
IT policies are important too.
Your login credentials are the “keys to the kingdom”
Safeguards for PI
Store hard copies
◦ Restrict access
◦ Monitor access
◦ Establish a “location” policy
Scan hard copies
◦ Store electronically
◦ Restrict access
◦ Monitor access
◦ Shred the hard copies
Safeguards for PI
Encrypt the entire hard disk drive of every laptop, the memory of every PDA, and every smartphone that holds PI, to protect against loss or theft
◦ PI data is unreadable even if the disk drive is moved to another laptop
◦ Unlocking disk encryption requires the proper username and password, or more
Or encrypt the PI files stored on mobile devices
Safeguards for PI
PI data stored on portable media (e.g. DVD or USB drives) must be encrypted
Recommendation: use software that encrypts any data stored on portable media, or that has port control to prevent users from copying to portable media
Backup software must encrypt all backup tapes and external hard drives.
Safeguards for PI
If PI is sent across a wireless network, it MUST be encrypted
Patch management must be up to date
Up-to-date anti-virus
The company firewall is to be up to date
Wireless networks encrypted, with access controls in place
Safeguards for PI
E-mails containing PI must be encrypted if sent via the internet.
E-mail “content filtering” electronically searches the body of the e-mail and its attachments for PI
E-mails with PI will be automatically encrypted before traveling over the internet.
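As an added illustration of the content-filtering step above (not code from the original presentation or any particular gateway product): a small Python filter that scans the subject, body and text attachments for the identifier elements 201 CMR 17.00 pairs with a name to make PI (Social Security and financial account numbers are assumed here; the patterns and the sample messages are constructed), masks every hit so the log holds no PI, and returns whether the message must be encrypted before it leaves the network.

```python
import re

# Identifier patterns for two of the data elements 201 CMR 17.00 pairs with a
# name to form PI: SSNs and financial account (card) numbers. Driver's license
# numbers are omitted because their format varies by state.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum; keeps long non-card digit strings (invoice ids) out of the hits."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the filter log itself holds no PI."""
    return "*" * (len(value) - 4) + value[-4:]


def find_pi(text: str) -> list:
    """Return (kind, masked_value) for every PI identifier found in text."""
    hits = [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            hits.append(("card", mask(m.group())))
    return hits


def classify_message(subject: str, body: str, attachments: dict) -> dict:
    """Scan subject, body and text attachments; decide whether the gateway must encrypt."""
    findings = []
    for part, text in [("subject", subject), ("body", body), *attachments.items()]:
        findings.extend((part, kind, shown) for kind, shown in find_pi(text))
    return {"requires_encryption": bool(findings), "findings": findings}


# Constructed sample messages; the identifiers below are synthetic test values.
PAYROLL_MSG = classify_message(
    "Q3 payroll changes",
    "Hi, please update the record for Jane Doe, SSN 123-45-6789.",
    {"card.txt": "Corporate card on file: 4111 1111 1111 1111"},
)
CLEAN_MSG = classify_message("Invoice 2024-0042", "Attached as discussed.", {})
```

A real gateway would also look inside binary attachments (PDF, Office files) after text extraction, which this example leaves out.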
Safeguards for PI
For third-party vendors, you should obtain written certification of compliance with the MA privacy regulations from every business partner you share PI data with
◦ IT companies
◦ Payroll company
◦ Benefit companies (401(k), life insurance, insurance)
Caution: e-mail communications with these parties frequently involve PI data – ensure those e-mails are encrypted
Safeguards for PI
Survey employees for other resting spots for PI data (e.g. unlocked filing cabinets, portable media, briefcases at home, etc.)
◦ USB flash drives
◦ DVD
◦ CD
Safeguards for PI
Terminating employees
◦ Disable the user account right away
◦ Redirect e-mail to another user
◦ Remove remote access
◦ Don’t allow the ex-employee near PI
Recap
Thumb drive has info from the state
Massdatalaw.com
Free trial version of Safe House