I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and they handed me back the application form for me to destroy.  Retail stores that manage payment card information must abide by strict rules governed by PCI — the Payment Card Industry standard developed to protect card information.

The form that I filled out had Personal Information (PI) and not payment card information, so therefore would not fall under the PCI purview.

I asked the retail clerk processing my information what would happened if I left the form behind – in an attempt to better understand the security process.  The retail clerk told me that they place remaining forms in the bin behind her and that a disposition company destroys everything in the bin.  They receive a certificate from the said company once the data is destroyed for proof.

Good start.  The company could have taken this protection process a step further by having a more secure bin with a cover and a lock instead of using a standard looking waste paper basket.  Still, one giant leap for better InfoSec Data Protection.

201 CMR is here to stay, at least until H.R. 2221 gets passed

How is your company doing so far with meeting the Massachusetts regulation for the protection for PI?  If you are outside the Commonwealth and do not store Mass. residence PI, are you doing anything to protect your state’s residents PI?

jay.martin@cppit.com – ITIL, CISM, ISMAS – www.cppit.com

Important update.  The amended or revised 201 CMR 17.00 has softened the requirement for third-parties you do business with and that have access to personal data.  The original regulation slated for a May 1, 2009 compliance date stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.

The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.

Ensure?  How are you going to “ensure” that your third-parties are protecting themselves? 

Here’s what I recommend, and I suggest you follow my advice.  Send each of your third-parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I provided a link for in my first blog on this very subject (see below).  Take the checklist and add a signature page and have your third-parties sign it.  If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates and have them sign that. 

If your third-party is not willing to go the extra mile, you’ll have not choice but to move on.  The eventual financial risks and public image drubbing may be too high.  Are you willing to chance it?

Let me know your thoughts.

201 CMR 17.00 — Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information