I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and they handed me back the application form for me to destroy.  Retail stores that manage payment card information must abide by strict rules governed by PCI — the Payment Card Industry standard developed to protect card information.

The form that I filled out had Personal Information (PI) and not payment card information, so therefore would not fall under the PCI purview.

I asked the retail clerk processing my information what would happened if I left the form behind – in an attempt to better understand the security process.  The retail clerk told me that they place remaining forms in the bin behind her and that a disposition company destroys everything in the bin.  They receive a certificate from the said company once the data is destroyed for proof.

Good start.  The company could have taken this protection process a step further by having a more secure bin with a cover and a lock instead of using a standard looking waste paper basket.  Still, one giant leap for better InfoSec Data Protection.

201 CMR is here to stay, at least until H.R. 2221 gets passed

How is your company doing so far with meeting the Massachusetts regulation for the protection for PI?  If you are outside the Commonwealth and do not store Mass. residence PI, are you doing anything to protect your state’s residents PI?

jay.martin@cppit.com – ITIL, CISM, ISMAS – www.cppit.com

The national Data Accountability and Trust Act, H.R. 2221 passed within the House of Representatives earlier this month (Dec. 8th, 2009).  The Bill — as with 201 CMR 17.00, the Massachusetts Protection for Personal Information — seeks to protect consumer personal information and requires notification to individuals in the event of a breach, albeit from a national level.  The bill is set to go before the Senate next and then the President.

H.R. 2221 would require “for profit” organizations to develop the necessary security policies and safeguards to protect U.S. Residence personal information within 1 year of passing.

More to come later…

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com

The recent Health Net data breach of 1.5 million patient records due to a lost hard drive included unencrypted personal information such as names/addresses, medical records, Social Security numbers and other financial information.  A breach of this magnitude is shocking and what is more astounding is that the breach apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November, 2009).  The breach may be a gross negligence of HIPAA, FTC “Red Flag” Regulations, Connecticut’s Public Act 08-167, CGS 36a-701(b) and other state regulations/breach laws.  

I am sure that Health Net, like most companies, felt they developed the necessary controls to meet such regulations.  But a breakdown of this magnitude proves a failure of the company to institute “strong enough” information security policies, employee awareness programs and technology across the company to protect against this major corporate risk.   That is why we have been advising our clients to develop a risk-based information protection plan that estimates their potential loss against the cost of securely controlling and protecting their information assets.  The monetary penalties and consequences to Health Net for this breach will far outweigh the “should-have” preventative costs of deploying the right controls for this threat.  If the lost hard drive were encrypted, I wouldn’t even be writing this blog.

In his statement, Attorney General Richard Blumenthal stated that “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

This is not an option:  *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.*     Comments are welcome.

jay.martin@cppit.com

www.cppit.com

Important update.  The amended or revised 201 CMR 17.00 has softened the requirement for third-parties you do business with and that have access to personal data.  The original regulation slated for a May 1, 2009 compliance date stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.

The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.

Ensure?  How are you going to “ensure” that your third-parties are protecting themselves? 

Here’s what I recommend, and I suggest you follow my advice.  Send each of your third-parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I provided a link for in my first blog on this very subject (see below).  Take the checklist and add a signature page and have your third-parties sign it.  If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates and have them sign that. 

If your third-party is not willing to go the extra mile, you’ll have not choice but to move on.  The eventual financial risks and public image drubbing may be too high.  Are you willing to chance it?

Let me know your thoughts.

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) this week pushed back the compliance date for its Standards for the Protection for Personal Information from May 1, 2009 to January 1, 2010.  This is the second delay to the Mass. legislation which was initially scheduled for January 2009. 

The revision was filed on Thursday, February 12th, 2009 and OCABR Undersecretary Daniel C. Crane stated, “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

As I stated in my blog last week, this regulation sets strict guidelines for businesses and other holders of Massachusetts residence’s personal information.  The policy states that personal information (a combination of a residence’s name and a social security number, driver’s license number, credit card number or financial institution account number) must be encrypted when stored or transmitted electronically over a public network.  Protection for paper documents is also included.

I recommend that you do not wait until the last minute. 

As I suggested, developing and fine tuning your Information Security Policy, educating your staff, planning your budget and making any necessary purchases and deploying them should start ASAP.

201 CMR 17.00 — Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information