SlideShare ist ein Scribd-Unternehmen logo

KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law

Knowledge Management Associates, LLC
Knowledge Management Associates, LLC

KMA Insights Webinar Series - 29 July 2009 presentation on MA Privacy readiness and SharePoint compliance portal

Business
1 von 66
Webinar Series July 29, 2009 Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17 Presented by:
About the Speakers Doug Cornelius Bob Boonstra Sean Megley
Agenda Overview of the Law: MA Privacy Law 201 CMR 17 Implications and Best Practices 10 Questions to Determine if You will be Compliant by 1/1/2010 A First Look at a SharePoint-based Compliance Management Solution Questions & Answers
Overview of the Law:MA Privacy Law 201 CMR 17
Law Overview Doug Cornelius, Chief Compliance Officer Publisher of Compliance Building
Disclaimer I am a lawyer, but I am not your lawyer. This overview is for information purposes. Please seek your own attorney for advice. These are my views and not necessarily the views of my employer.
Background
Background
Background The breaches affected over 600,000 Massachusetts residents.
Image source: http://www.massachusetts-map.org/detailed.htm The breaches affected over 600,000 Massachusetts residents.
The breaches affected over 600,000 Massachusetts residents.
The breaches affected over 600,000 Massachusetts residents.
Federal Regulation Gramm-Leach-Bliley HIPPA
Massachusetts Data Privacy Law Massachusetts General Laws Chapter 93H Statute on security breaches shall provide notice, as soon as practicable and without unreasonable delay
Massachusetts Data Privacy Law 201 CMR 17.00 Regulations from 93H to safeguard the personal information of the residents of the Commonwealth
Personal Information Massachusetts resident's first name and last name, or first initial and last name in combination with: Social Security number; driver's license number or state-issued identification card number; or financial account number, or credit or debit card number (with or without any required security code, access code, personal identification number or password)
Duty to Protect Written Information Security Program Computer System Security Requirements
Information Security Program Written
Information Security Program Reasonably consistent with industry standards
Information Security Program Designee
Information Security Program Identify and assess internal and external risks: Employee training Employee compliance Detect security failures
Information Security Program Taking it outside
Information Security Program Discipline
Information Security Program Terminating access for terminated employees
Information Security Program Third Party compliance
Information Security Program Limiting the amount of personal information
Information Security Program Identify storage locations
Information Security Program Restrict physical access
Information Security Program Monitor Review Document
Computer System Security
Computer System Security Secure user authentication protocols
Computer System Security Secure access control measures
Computer System Security Encryption
Computer System Security Monitor
Computer System Security Virus Protection Firewall Malware
Computer System Security Training
Resources Massachusetts General Laws Chapter 93H http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm 201 CMR 17.00 http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf Compliance Building Posts http://www.compliancebuilding.com/tag/mass-data-privacy-law/
Implications & Best Practices
Implications & Best Practices Brief Indevus Pharmaceuticals background 201 CMR 17, Rounds 1, 2, and 3 Assessment approach Assessment results Final observations
Indevus Pharmaceuticals Background Focused on development and marketing of drugs in urology and endocrinology 260 staff, including 115 person sales force (Jan 2009) 2 locations: Lexington, MA, and Cranbury NJ Indevusacquired in Mar 2009, and the Lexington location is being closed by Dec 31, 2009
201 CMR 17 at Indevus Assessment effort launched Oct, 2008 Re-planned after 14 Nov deadline postponement to 1 May 09 Coordination with acquiring company Re-replanned after Feb 09 postponement to 2010
Assessment Approach Does the new law even apply? What personal information do we have, who has it, and where is it HR, Finance Others? What do we need to have in place? Policies “Comprehensive, written information security program”, security policies regarding personal information, annual review Risk assessment Practices Designated information security employee Identify record locations Restrict physical access to personal information Verify 3rd party compliance Technology Access control Encryption Firewall protection, malware protection Monitoring Monitoring and enforcement Enforcement and disciplinary mechanisms
Assessment Results Where do we stand? Policies Security policy: Exists, but needs augmentation Risk assessment: Needed to be accomplished for personal information Practices Designated information security employee: Already in place Identify record locations: Needed to be accomplished for personal information Restrict physical access to personal information: Already in place Verify 3rd party compliance: Reasonable covered by SAS 70, verification needed Technology Access control: Already in place Encryption: Need to be accomplished for laptops with personal data Firewall protection, malware protection: Already in place Monitoring: Already in place Monitoring and enforcement Enforcement and disciplinary mechanisms: Needed to be accomplished for PI
Final Observations Take advantage of synergies with sound IT management practices and other compliance activities Use both process and technology Don’t overreact: “… compliance … shall be evaluated taking into account … size, scope, and type of business …. resources available …. amount of stored data ….” Remember to stay current with evolving systems architecture, business practices, regulatory changes
Sneak Peak of SharePoint Based Compliance Management Solution
10 Key Questions Do you have policies that apply? Policy - Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely. Do your business leaders understand the new law? Exposure - Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics. Are you communicating the changes? Communication - Inform the company staff that the law is coming and request their help in meeting the compliance obligations. Have you classified your data and systems? Data classification - Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc. Where is the PI? Discovery - Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.
10 Key Questions (continued) Do your job descriptions consider PI? Need to know - Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups. How do you use PI? Lifecycle - Look at your business processes to understand the lifecycle of PI in your enterprise. Who is administering and enforcing your policies? Administration - Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority. Do you allow PI on laptops? Technical -Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution. Got Security? Physical - Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.
Privacy Law Objectives
Objectives Facilitated by SharePoint
Key Compliance Indicators
Questions and Answers Doug Cornelius Bob Boonstra Sean Megley Overview of law Practitioner’s view Solution Overview
In Closing… How to get (and share) a copy of today’s slides Continue the compliance conversation with KMA – pilot the portal! Next KMA Insights Webinar – watch for invitation: SharePoint and Enterprise Social Computing Wednesday, August 26, 12:30 pm Feedback/survey Thank you!!! http://www.kma-llc.net

Empfohlen

Catelas Security Webinar 12 14 10
Catelas Security Webinar 12 14 10Catelas Security Webinar 12 14 10
Catelas Security Webinar 12 14 10Rob Levey
 
The Legal Aspects of Cyberspace
The Legal Aspects of CyberspaceThe Legal Aspects of Cyberspace
The Legal Aspects of Cyberspacetimmcguinness
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowSymantec
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor PrivacyRaymond Cunningham
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceSecureDocs
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 

Empfohlen

Catelas Security Webinar 12 14 10
Catelas Security Webinar 12 14 10Catelas Security Webinar 12 14 10
Catelas Security Webinar 12 14 10Rob Levey
 
The Legal Aspects of Cyberspace
The Legal Aspects of CyberspaceThe Legal Aspects of Cyberspace
The Legal Aspects of Cyberspacetimmcguinness
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowSymantec
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor PrivacyRaymond Cunningham
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceSecureDocs
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
BEA Presentation
BEA PresentationBEA Presentation
BEA PresentationGlenn E. Davis
 
Come cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoCome cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoGiulio Coraggio
 
William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015William Tanenbaum
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Jan Carroza
 
Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)Exove
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & SecurityEryk Budi Pratama
 
Insider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsInsider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsButlerRubin
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security ProgramRaymond Cunningham
 
Data breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundationData breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundationBradley Arant Boult Cummings LLP
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT worksMorris Dorfer
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Vijay Dalmia
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Raleigh ISSA
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänsterTranscendent Group
 
The ugly, the bad and the good of cloud computing for government institutions
The ugly, the bad and the good of cloud computing for government institutionsThe ugly, the bad and the good of cloud computing for government institutions
The ugly, the bad and the good of cloud computing for government institutionsDan Michaluk
 
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110guestd7fc9c
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Protecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudProtecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudSymantec
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
It Policies
It PoliciesIt Policies
It PoliciesJames Sutter
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability PresentationSean Graham
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdfMd. Sajjat Hossain
 
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)stevemeltzer
 

Weitere ähnliche Inhalte

Was ist angesagt?

Come cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoCome cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoGiulio Coraggio
 
William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015William Tanenbaum
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Jan Carroza
 
Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)Exove
 
Insider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsInsider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsButlerRubin
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security ProgramRaymond Cunningham
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Vijay Dalmia
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Raleigh ISSA
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänsterTranscendent Group
 
The ugly, the bad and the good of cloud computing for government institutions
The ugly, the bad and the good of cloud computing for government institutionsThe ugly, the bad and the good of cloud computing for government institutions
The ugly, the bad and the good of cloud computing for government institutionsDan Michaluk
 
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110guestd7fc9c
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Protecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudProtecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudSymantec
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability PresentationSean Graham
 

Was ist angesagt? (20)

BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
Come cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoCome cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeo
 
William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Personally Identifiable Information – FTC: Identity theft is the most common ...
Personally Identifiable Information – FTC: Identity theft is the most common ...
 
Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)Developer view on new EU privacy legislation (GDPR)
Developer view on new EU privacy legislation (GDPR)
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
Insider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and ContractorsInsider Breaches and Data Theft by Employees and Contractors
Insider Breaches and Data Theft by Employees and Contractors
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security Program
 
Data breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundationData breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundation
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänster
 
The ugly, the bad and the good of cloud computing for government institutions
The ugly, the bad and the good of cloud computing for government institutionsThe ugly, the bad and the good of cloud computing for government institutions
The ugly, the bad and the good of cloud computing for government institutions
 
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
Protecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudProtecting Corporate Information in the Cloud
Protecting Corporate Information in the Cloud
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
It Policies
It PoliciesIt Policies
It Policies
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability Presentation
 

Ähnlich wie KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law

The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
f6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdff6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdfSurendhar57
 
ISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentBill Lisse
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your InformationAIIM International
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)Mark Milburn
 
Law Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantLaw Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantClio - Cloud-Based Legal Technology
 
Article - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfArticle - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfEnov8
 
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital AgeManaging Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital AgePerficient, Inc.
 
CCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptCCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptSamir Jha
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Qualsys Ltd
 

Ähnlich wie KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law (20)

Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
f6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdff6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdf
 
ISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentISSA Data Retention Policy Development
ISSA Data Retention Policy Development
 
California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)
 
Data Protection: Process Information
Data Protection: Process InformationData Protection: Process Information
Data Protection: Process Information
 
Law Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantLaw Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay Compliant
 
Information Security For Small Business
Information Security For Small BusinessInformation Security For Small Business
Information Security For Small Business
 
Ai in compliance
Ai in compliance Ai in compliance
Ai in compliance
 
Article - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfArticle - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdf
 
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital AgeManaging Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
 
CCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptCCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.ppt
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standards
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
 

Mehr von Knowledge Management Associates, LLC

FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...
FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...
FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...Knowledge Management Associates, LLC
 

Mehr von Knowledge Management Associates, LLC (20)

Sentri's SharePoint 2013 Extranets Webinar
Sentri's SharePoint 2013 Extranets WebinarSentri's SharePoint 2013 Extranets Webinar
Sentri's SharePoint 2013 Extranets Webinar
 
A Guide to Scalable SharePoint Governance
A Guide to Scalable SharePoint GovernanceA Guide to Scalable SharePoint Governance
A Guide to Scalable SharePoint Governance
 
Extranets webinar 2011_12_14
Extranets webinar 2011_12_14Extranets webinar 2011_12_14
Extranets webinar 2011_12_14
 
NESPUG - 5 ways SP can benefit the PMO
NESPUG - 5 ways SP can benefit the PMONESPUG - 5 ways SP can benefit the PMO
NESPUG - 5 ways SP can benefit the PMO
 
SharePoint Conference Recap - Extranets & FAST
SharePoint Conference Recap - Extranets & FASTSharePoint Conference Recap - Extranets & FAST
SharePoint Conference Recap - Extranets & FAST
 
SharePoint Conference Recap - BI
SharePoint Conference Recap - BISharePoint Conference Recap - BI
SharePoint Conference Recap - BI
 
SharePoint Conference Recap - Social
SharePoint Conference Recap - SocialSharePoint Conference Recap - Social
SharePoint Conference Recap - Social
 
SharePoint Conference Recap - Business Process Automation Session
SharePoint Conference Recap - Business Process Automation SessionSharePoint Conference Recap - Business Process Automation Session
SharePoint Conference Recap - Business Process Automation Session
 
SharePoint Conference Recap - Adoption Session
SharePoint Conference Recap - Adoption SessionSharePoint Conference Recap - Adoption Session
SharePoint Conference Recap - Adoption Session
 
SharePoint Conference Recap - Project Server
SharePoint Conference Recap - Project Server SharePoint Conference Recap - Project Server
SharePoint Conference Recap - Project Server
 
Princeton SPUG BI-Data Visualization
Princeton SPUG BI-Data VisualizationPrinceton SPUG BI-Data Visualization
Princeton SPUG BI-Data Visualization
 
Metalogix and KMA - Planning your SharePoint Migration
Metalogix and KMA - Planning your SharePoint MigrationMetalogix and KMA - Planning your SharePoint Migration
Metalogix and KMA - Planning your SharePoint Migration
 
Mekko graphics back to back training october 2011 for attendees
Mekko graphics back to back training october 2011 for attendeesMekko graphics back to back training october 2011 for attendees
Mekko graphics back to back training october 2011 for attendees
 
Spsnh 5 ways sp can benefit the pmo
Spsnh 5 ways sp can benefit the pmoSpsnh 5 ways sp can benefit the pmo
Spsnh 5 ways sp can benefit the pmo
 
SharePoint Saturday NH: 5 ways SharePoint can Benefit the PMO
SharePoint Saturday NH: 5 ways SharePoint can Benefit the PMOSharePoint Saturday NH: 5 ways SharePoint can Benefit the PMO
SharePoint Saturday NH: 5 ways SharePoint can Benefit the PMO
 
Sept 2011 kma sharepoint for the mobile user webinar final
Sept 2011 kma sharepoint for the mobile user webinar finalSept 2011 kma sharepoint for the mobile user webinar final
Sept 2011 kma sharepoint for the mobile user webinar final
 
August 2011 The Business Value of Office 365 for SharePoint users
August 2011 The Business Value of Office 365 for SharePoint usersAugust 2011 The Business Value of Office 365 for SharePoint users
August 2011 The Business Value of Office 365 for SharePoint users
 
FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...
FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...
FCSPUG - SharePoint Business Intelligence and Data Visualization - See Beyond...
 
A Decade of SharePoint Adoption
A Decade of SharePoint AdoptionA Decade of SharePoint Adoption
A Decade of SharePoint Adoption
 
SPSTCDC - SharePoint 2010 Adoption - Decade
SPSTCDC - SharePoint 2010 Adoption - DecadeSPSTCDC - SharePoint 2010 Adoption - Decade
SPSTCDC - SharePoint 2010 Adoption - Decade
 

Kürzlich hochgeladen

VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxpriyanshujha201
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyEthan lee
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxWorkforce Group
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 

Kürzlich hochgeladen (20)

VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 

KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law

  • 1. Webinar Series July 29, 2009 Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17 Presented by:
  • 2. About the Speakers Doug Cornelius Bob Boonstra Sean Megley
  • 3. Agenda Overview of the Law: MA Privacy Law 201 CMR 17 Implications and Best Practices 10 Questions to Determine if You will be Compliant by 1/1/2010 A First Look at a SharePoint-based Compliance Management Solution Questions & Answers
  • 4. Overview of the Law:MA Privacy Law 201 CMR 17
  • 5. Law Overview Doug Cornelius, Chief Compliance Officer Publisher of Compliance Building
  • 6. Disclaimer I am a lawyer, but I am not your lawyer. This overview is for information purposes. Please seek your own attorney for advice. These are my views and not necessarily the views of my employer.
  • 8.
  • 9.
  • 10.
  • 11.
  • 13. Background The breaches affected over 600,000 Massachusetts residents.
  • 14. Image source: http://www.massachusetts-map.org/detailed.htm The breaches affected over 600,000 Massachusetts residents.
  • 15. The breaches affected over 600,000 Massachusetts residents.
  • 16. The breaches affected over 600,000 Massachusetts residents.
  • 18. Massachusetts Data Privacy Law Massachusetts General Laws Chapter 93H Statute on security breaches shall provide notice, as soon as practicable and without unreasonable delay
  • 19. Massachusetts Data Privacy Law 201 CMR 17.00 Regulations from 93H to safeguard the personal information of the residents of the Commonwealth
  • 20. Personal Information Massachusetts resident's first name and last name, or first initial and last name in combination with: Social Security number; driver's license number or state-issued identification card number; or financial account number, or credit or debit card number (with or without any required security code, access code, personal identification number or password)
  • 21. Duty to Protect Written Information Security Program Computer System Security Requirements
  • 23. Information Security Program Reasonably consistent with industry standards
  • 25. Information Security Program Identify and assess internal and external risks: Employee training Employee compliance Detect security failures
  • 26. Information Security Program Taking it outside
  • 28. Information Security Program Terminating access for terminated employees
  • 29. Information Security Program Third Party compliance
  • 30. Information Security Program Limiting the amount of personal information
  • 31. Information Security Program Identify storage locations
  • 32. Information Security Program Restrict physical access
  • 33. Information Security Program Monitor Review Document
  • 35. Computer System Security Secure user authentication protocols
  • 36. Computer System Security Secure access control measures
  • 39. Computer System Security Virus Protection Firewall Malware
  • 41. Resources Massachusetts General Laws Chapter 93H http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm 201 CMR 17.00 http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf Compliance Building Posts http://www.compliancebuilding.com/tag/mass-data-privacy-law/
  • 42. Implications & Best Practices
  • 43. Implications & Best Practices Brief Indevus Pharmaceuticals background 201 CMR 17, Rounds 1, 2, and 3 Assessment approach Assessment results Final observations
  • 44. Indevus Pharmaceuticals Background Focused on development and marketing of drugs in urology and endocrinology 260 staff, including 115 person sales force (Jan 2009) 2 locations: Lexington, MA, and Cranbury NJ Indevusacquired in Mar 2009, and the Lexington location is being closed by Dec 31, 2009
  • 45. 201 CMR 17 at Indevus Assessment effort launched Oct, 2008 Re-planned after 14 Nov deadline postponement to 1 May 09 Coordination with acquiring company Re-replanned after Feb 09 postponement to 2010
  • 46. Assessment Approach Does the new law even apply? What personal information do we have, who has it, and where is it HR, Finance Others? What do we need to have in place? Policies “Comprehensive, written information security program”, security policies regarding personal information, annual review Risk assessment Practices Designated information security employee Identify record locations Restrict physical access to personal information Verify 3rd party compliance Technology Access control Encryption Firewall protection, malware protection Monitoring Monitoring and enforcement Enforcement and disciplinary mechanisms
  • 47. Assessment Results Where do we stand? Policies Security policy: Exists, but needs augmentation Risk assessment: Needed to be accomplished for personal information Practices Designated information security employee: Already in place Identify record locations: Needed to be accomplished for personal information Restrict physical access to personal information: Already in place Verify 3rd party compliance: Reasonable covered by SAS 70, verification needed Technology Access control: Already in place Encryption: Need to be accomplished for laptops with personal data Firewall protection, malware protection: Already in place Monitoring: Already in place Monitoring and enforcement Enforcement and disciplinary mechanisms: Needed to be accomplished for PI
  • 48. Final Observations Take advantage of synergies with sound IT management practices and other compliance activities Use both process and technology Don’t overreact: “… compliance … shall be evaluated taking into account … size, scope, and type of business …. resources available …. amount of stored data ….” Remember to stay current with evolving systems architecture, business practices, regulatory changes
  • 49. Sneak Peak of SharePoint Based Compliance Management Solution
  • 50. 10 Key Questions Do you have policies that apply? Policy - Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely. Do your business leaders understand the new law? Exposure - Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics. Are you communicating the changes? Communication - Inform the company staff that the law is coming and request their help in meeting the compliance obligations. Have you classified your data and systems? Data classification - Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc. Where is the PI? Discovery - Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.
  • 51. 10 Key Questions (continued) Do your job descriptions consider PI? Need to know - Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups. How do you use PI? Lifecycle - Look at your business processes to understand the lifecycle of PI in your enterprise. Who is administering and enforcing your policies? Administration - Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority. Do you allow PI on laptops? Technical -Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution. Got Security? Physical - Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65. Questions and Answers Doug Cornelius Bob Boonstra Sean Megley Overview of law Practitioner’s view Solution Overview
  • 66. In Closing… How to get (and share) a copy of today’s slides Continue the compliance conversation with KMA – pilot the portal! Next KMA Insights Webinar – watch for invitation: SharePoint and Enterprise Social Computing Wednesday, August 26, 12:30 pm Feedback/survey Thank you!!! http://www.kma-llc.net

Hinweis der Redaktion

  1. Being a lawyer, I need to start off with a disclaimer.I am not your lawyer, so seek your own legal advice and don’t rely on slides from a free webinar.
  2. Lets step in to way back machine to give you some background on why we are talking about a data protection law in Massachusetts.TJX is the holding company for several retailers, so they have lots of financial account information. Back in 2007 the TJX companies were subject to a data breach.
  3. TJX took months to notify their customers that anything had happened. The amount off information that was stolen was staggering. Over 45 million card numbers were compromised.The current theory is that the bad guys sat in the parking lot of TJX and picked up the signal of an unsecure wireless router at TJX headquarters.
  4. This was a disaster for TJX, having to pay millions to the banks affected.The negative public relations with their customers was enormous.
  5. TJX was also subject to numerous civil suits for the loss of information.
  6. TJX also had to pay millions in fines to the state government.The incident got the Massachusetts lawmakers focused on ways to protect the residents of the Commonwealth.
  7. The state studied data breachesDuring a 12 month period There were 368 notifications of such breaches In only 11 of those was the data encrypted. In 77 of data breaches the data was password protected. 220 cases involved criminal/unauthorized acts, with a high frequency of laptops or hard-drives being stolen. Of the remainder, about 40% were the result of employee error or sloppy internal handling of information.
  8. The breaches affected over 600,000 Massachusetts residents. This confirmed to them that any regulatory regime must include measures that not only protect against intentional wrongdoing BUT that also focus on internal protocols to set minimum security standards.
  9. Just to emphasize, the Massachusetts data privacy law is focused on the residence of the person. The law is in place to protect Massachusetts residents. The law is not restricted to businesses located in Massachusetts.
  10. That means it reaches beyond the borders of Massachusetts. If you operate a business and you employ Massachusetts residents, you have personal information on your employees. You are subject to this law.
  11. If you have personal information on your customers and any of your customers are Massachusetts residents, you are subject to this law.That means that the Massachusetts law is the national standard.
  12. What about the federal regulation?What if you are a business that is already subject to Gramm-Leach-Bliley or HIPPA?Those laws do not preempt state regulation in this area. The Massachusetts regulators are taking the position that their law merely clarifies the requirements of these federal laws.
  13. The basis of the Massachusetts Data Privacy Law is Massachusetts General Law Chapter 93H. This law focuses on notifications of a security breach.
  14. The statute also required regulations to safeguard the personal information of the residents of the Commonwealth.Those came out a year ago as 210 CMR 17. They were revised earlier this year to reduce some of the limitations and to extend some of the deadlines for compliance.Lets turn to some of the details of those regulations.
  15. We should start with the definition of personal informationThere needs to be a Massachusetts resident involved. There was some early chatter about segregating Massachusetts information from others. That turned out to be a bigger hassle than it was worthYou need that Massachusetts residents name associated with a social security number, State ID number, or a financial account number.This breaks implementation of the law into two camps Human Resources and customer databasesBob will focus on implementation later. In dealing with the regulations, the implementation is going to be driven by the HR People responsible for employee records or by the IT people responsible for the customer databases.
  16. The law has two overall requirements with the duty to protect personal information.First, If your company owns, licenses, stores or maintains Personal Information about a resident of the Commonwealth you have to develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing personal information And Second, if you electronically store or transmit Personal Information you also need to establish and maintain a security system covering your computers, including any wireless system,
  17. First off you need a written plan. Just in your head is not good enough.
  18. You have to be reasonably consistent with industry standards, with enough administrative, technical, and physical safeguards to ensure the security and confidentiality of personal information.
  19. You need to designate someone to be in charge of the program.They don’t need a particular title, like Privacy Officer.But they do need to be clearly designated.
  20. You need to assess your risks and get employees involved in training, compliance and identification of failures and weaknesses.
  21. Develop a security policy about the transportation of records containing Personal Information outside of your business premises. This is the lost laptop provision. There have been too many news stories about lost laptops containing Personal Information. You need to address the question of whether that personal information needs to be stored locally on the laptop.
  22. The program needs to impose disciplinary measures for violations of the program rules. The program needs teeth.
  23. You need to prevent terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to records. You need to immediately deactivate their passwords and user names.
  24. In the original proposal, third party compliance was very controversial because the law required certification from third parties that handled your personal information records.Now all you have to do is take all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect that personal information in the manner provided for in the law. It is a cascade requirement, that you can’t get away from your obligations by handing the data over to a third party. And of course, the third party is going to be subject to the Massachusetts law also.
  25. You need to limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected.You need to limit the time the information is retained to that reasonably necessary. You need to limit access to people who are reasonably required to know such information.
  26. You need to identify and determine which records contain personal information and where they are stored.
  27. You need to impose reasonable restrictions upon physical access to records containing personal informationAnd you have to store the personal information records and data in locked facilities, storage areas or containers.
  28. Here is the compliance aspect.You have to regularly monitor that the program is operating correctly and upgrade the safeguards as necessary to limit risks. Review the scope of the security measures at least annually or whenever there is a material change in business practices that implicate the security or integrity of personal information records. Document responsive actions taken in connection with any incident involving a breach of security.
  29. Let’s turn to the security requirements if you store or transmit personal information electronically.The regulations include the word “IF” but there are few companies with Personal Information that do not store or transmit at least some of it electronically.
  30. The law requires secure user authentication protocolsYou need a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devicesYou need to control passwords so that they are kept in a location and format that does not compromise the security of the underlying dataYou need blocking access to user IDs after multiple unsuccessful attempts to gain access
  31. You need to restrict access to records containing personal information to those who need such information to perform their job duties.andassign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access.
  32. To the extent technically feasible, you need to encrypt all transmitted records and files that:contain personal information that will travel across public networksANDall data containing personal information that is transmitted wirelesslyANDall personal information stored on laptops or other portable devices.
  33. You need to monitor your systems, for unauthorized use of or access to personal information;.
  34. The law requires good protection measuresFor files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches. You need reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions.
  35. Lastly, you need education and training of your employees on the proper use of the computer security system and the importance of personal information security.