1. 201 CMR 17.00
• slideshare.net/becarreno
• When: 3/1/10
• Who: “entity” that stores PI of residents of
the Commonwealth
• Similar to PCI DSS
• Motivation: avoid another TJ Maxx
2. Personal Information PI
• First name (or initial) + last name +
• SSN or
• Driver’s license number or
• Account number: credit card, bank
account, policy number?, ...
• Any format: paper, electronic, audio, video ...
4. Technical Requirements
• User authentication, passwords for:
software, computer, laptop, flash drive, ...
• Access control
• Firewalls, antivirus, keep software updated
• Wireless networks must be encrypted
• VPN for remote access
5. Technical Requirements
• Email must be encrypted
• Portable devices must be encrypted:
• Laptop hard drive (password not enough)
• iPhone, Blackberry, PDAs
• Portable (backup) hard drives
• Flash drives
6. Technical Requirements
• Fax, telephone, first class mail are compliant
• If encryption is not “technically feasible”, don’t do it;
example: use FedEx instead of email
• No need to encrypt if no PI
7. Recommendations
• Easiest ➫ no PI
• Example of WISP
• Compliance checklist
• VPN, WPA, firewalls, updates, antivirus, ...
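As an added illustration of the PI definition on slide 2 and the “Easiest ➫ no PI” recommendation on slide 7 (example code written for this page, not from the deck or its author), the following Python classifier decides whether a record is personal information under that definition: a first name or initial plus a last name, combined with an SSN, driver’s license number, or financial account number. The record field names and the identifier formats (dashed 9-digit SSN, a letter plus 7–9 digits for a license, 8–19 digits for an account) are assumptions; the regulation defines PI by data element, not by schema. The `inventory` and `strip_identifiers` helpers show the two sides of the checklist: find out how much PI a store holds, and remove the elements that make a record PI so it falls outside the encryption rules.

```python
import re
from typing import Iterable

# Field names and identifier formats are assumptions for this example;
# 201 CMR 17.00 defines PI by data element, not by any particular schema.
IDENTIFIER_FIELDS = ("ssn", "drivers_license", "account_number")
LICENSE_RE = re.compile(r"^[A-Z]?\d{7,9}$")  # e.g. "S12345678" (assumed format)


def _digits(value) -> str:
    """Keep only digits so '123-45-6789' and '123 45 6789' compare equal."""
    return re.sub(r"\D", "", value or "")


def has_name(rec: dict) -> bool:
    """First name OR first initial, plus last name (slide 2)."""
    first = (rec.get("first_name") or "").strip()
    last = (rec.get("last_name") or "").strip()
    return bool(first) and bool(last)


def identifiers_present(rec: dict) -> list:
    """Which of the qualifying data elements the record actually carries."""
    found = []
    if len(_digits(rec.get("ssn"))) == 9:
        found.append("ssn")
    if LICENSE_RE.match((rec.get("drivers_license") or "").strip().upper()):
        found.append("drivers_license")
    # credit card, bank account, policy number: treated as 8-19 digit strings
    if 8 <= len(_digits(rec.get("account_number"))) <= 19:
        found.append("account_number")
    return found


def is_personal_information(rec: dict) -> bool:
    """PI = name + at least one qualifying identifier; either half alone is not PI."""
    return has_name(rec) and bool(identifiers_present(rec))


def inventory(records: Iterable[dict]) -> dict:
    """Summarise a data store: how many records are PI and which identifiers drive that."""
    summary = {"total": 0, "pi_records": 0, "by_identifier": {}}
    for rec in records:
        summary["total"] += 1
        if is_personal_information(rec):
            summary["pi_records"] += 1
            for ident in identifiers_present(rec):
                summary["by_identifier"][ident] = summary["by_identifier"].get(ident, 0) + 1
    return summary


def strip_identifiers(rec: dict) -> dict:
    """Slide 7's easiest route: keep the record, drop the elements that make it PI.
    The result no longer meets the definition, so the encryption rules do not apply."""
    return {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}


# Constructed sample records (not real people or numbers).
SAMPLE_RECORDS = [
    {"first_name": "J.", "last_name": "Doe", "ssn": "123-45-6789"},          # PI: initial + last + SSN
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},  # not PI: no identifier
    {"last_name": "Smith", "account_number": "4111 1111 1111 1111"},          # not PI: no first name
    {"first_name": "Ann", "last_name": "Lee", "drivers_license": "S12345678"},  # PI: name + license
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(is_personal_information(rec), identifiers_present(rec), rec)
    print(inventory(SAMPLE_RECORDS))
    print(is_personal_information(strip_identifiers(SAMPLE_RECORDS[0])))
```

Note the third sample record: an account number on its own, or a last name on its own, is not PI under this definition; both halves have to be present. That is exactly why “store no PI” is the cheapest control: splitting or dropping one half takes the record out of scope.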