
Posts Tagged ‘protection’

Shopper Uncovers Security Compliance: 201 CMR 17.00 Already Having an Effect on Businesses

I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card, and they handed the application form back to me to destroy. Retail stores that handle payment card data must comply with PCI DSS, the Payment Card Industry Data Security Standard, which was developed to protect cardholder data.

The form I filled out contained Personal Information (PI) rather than payment card data, so it would not fall under PCI's purview.

I asked the retail clerk processing my information what would happen if I left the form behind, in an attempt to better understand the security process. The clerk told me that they place the remaining forms in the bin behind her and that a disposal company destroys everything in the bin. They receive a certificate of destruction from that company as proof once the data has been destroyed.

Good start. The company could have taken this protection process a step further by using a more secure bin with a cover and a lock instead of a standard-looking wastepaper basket; a certificate of destruction only covers what reaches the vendor, and an open bin leaves completed forms readable by anyone behind the counter until the vendor collects them. Still, one giant leap for better InfoSec data protection.

201 CMR 17.00 is here to stay, at least until H.R. 2221 gets passed ;)

How is your company doing so far with meeting the Massachusetts regulation for the protection of PI? If you are outside the Commonwealth and do not store Massachusetts residents' PI, are you doing anything to protect your own state's residents' PI?

jay.martin@cppit.com – ITIL, CISM, ISMAS – www.cppit.com


Connecticut Attorney General Sues Health Net Over Security Breach

I mentioned in my blog in late November that the cost to Health Net of losing an unencrypted hard drive containing 450,000 patient records (revised down from 1.5 million) would be much greater than the cost of securely controlling and protecting their information assets. Health Net will now begin emptying its wallet to build a defense against the lawsuit filed against it by Connecticut Attorney General Richard Blumenthal.

The breach occurred in May 2009 and was not reported until November. As discussed, Connecticut's breach notification law is fairly strict, and I would assume that holding off on reporting such an incident for more than five months is over the top, which could lead Blumenthal to make an example of Health Net for all to see. To add fuel to the fire, the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, also imposes breach notification mandates that were apparently neglected. See my November blog post under Security entitled “Health Net Breach — A Failure of People, Process & Technology” for more details.

jay.martin@cppit.com – CISM, ISMAS – www.cppit.com


H.R. 2221: Data Accountability and Trust Act

The national Data Accountability and Trust Act, H.R. 2221, passed the House of Representatives earlier this month (Dec. 8, 2009). The bill, like 201 CMR 17.00, the Massachusetts standards for the protection of personal information, seeks to protect consumer personal information and requires notification to individuals in the event of a breach, albeit at the national level. The bill now goes to the Senate and then to the President.

H.R. 2221 would require for-profit organizations to develop the security policies and safeguards necessary to protect U.S. residents' personal information within one year of the bill's enactment.

More to come later…

jay.martin@cppit.com – CISM, ISMAS – www.cppit.com


Third-Parties — Mass. Standards for the Protection of Personal Privacy

Important update. The amended 201 CMR 17.00 has softened the requirement for the third parties you do business with that have access to personal data. The original regulation, slated for a May 1, 2009 compliance date, stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.

The revised regulation, scheduled for January 2010, now states that businesses should ensure that third parties are taking all reasonable security measures, at least as stringent as those required by 201 CMR 17.00, to protect personal information.

Ensure? How are you going to “ensure” that your third parties are protecting it?

Here’s what I recommend, and I suggest you follow my advice. Send each of your third parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I linked to in my first blog post on this subject (see below). Add a signature page to the checklist and have your third parties sign it. If they do not fully comply, have them put together a letter that outlines their security improvement plan, with dates, and have them sign that.

If a third party is not willing to go the extra mile, you’ll have no choice but to move on. The eventual financial risks and public-image drubbing may be too high. Are you willing to chance it?

Let me know your thoughts.


Are You Ready For 201 CMR 17.00 – Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information
