Security breaches threaten not only your infrastructure and data integrity, but also your standing in the business community and your organization’s very survival. The protection of personally identifiable information (PII) has become a necessity in many areas, mandated via local, regional or national law.
PII refers to information which can be used to identify an individual and typically includes a combination of first name or initial, last name and an additional identifier such as Social Security number, passport number, biometric record, or bank account information. Information that is publicly available, such as work or home phone and address, does not generally constitute PII.
A number of states (in the USA) have enacted legislation designed to protect PII and therefore reduce the likelihood of identity theft. The most recent and possibly the toughest in the nation is Massachusetts regulation 201 CMR 17, or “Standards for the Protection of Personal Information of Residents of the Commonwealth.” This regulation defines a number of measures which any business, regardless of its location, must put into place if that business stores or transmits PII of a Massachusetts resident.
The steps outlined in 201 CMR 17 make sense whether or not you conduct business with Massachusetts residents, and can only help to protect your organization. (The sole exception is if your organization is subject to even more stringent standards, such as those of the Department of Defense.)
The regulation lists the following items that businesses must put into place. This is only a partial list.
- Organizations must identify all areas in which PII is stored or transmitted.
- Any PII that is transmitted electronically (email, FTP, IM, etc.) must be encrypted. The regulation defines encryption as a transformation of the data that requires a key to render back to its original form. Basic password-locking of a document does NOT meet this requirement.
- Any PII that is stored/transported on portable media such as laptops, USB or flash drives or even smartphones must be encrypted.
- All organizations must conduct periodic training of employees who have access to PII.
- All organizations must draft a written information security policy (WISP) that clearly documents the organization’s security policies and processes regarding protection of PII. In addition, one individual at the organization must be identified as the point of contact for all issues relating to the regulation.
- Any PII that is stored on paper must be protected when not actively used and must be subject to archival and/or disposal processes.
- Organizations must implement up-to-date protection for their networks, including firewall and antivirus software.
The exercise of bringing an organization into compliance typically involves an interview process conducted by those responsible for the security of the organization, but is often better served by bringing in an unbiased security professional familiar with the intricacies of the law. Following the interview process, the security professional will then produce the WISP and recommend steps to remediate deficiencies. And once all is said and done, it’s critical that management buy into the changes and not request exclusions for itself, and also that everyone understands that security protection is dynamic. It’s not possible to make changes and then relax; new protection mechanisms, policies and procedures should be introduced on a regular basis and whenever there is a significant change to business process.
The full text of Massachusetts regulation 201 CMR 17 can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
About the Author:
He is a Certified Information Systems Security Professional (CISSP), a Microsoft MVP in Enterprise Security as well as a Microsoft Certified Systems Engineer (MCSE) and a Certified SonicWall Security Administrator. He also earned a Ph.D. in physics from Boston College to help him calculate how long it would take to launch his frozen computer across the local highway.
Brad is a frequent contributor to various online TechTips sites and gives user group/conference presentations on topics ranging from spam and security solutions to Internet development techniques. He also published numerous articles in international physics journals in his earlier, scientific career.
Brad is the founder and president of the National Information Security Group, the former chair of the Boston Area Exchange Server User Group, a member of the FBI’s Infragard Boston Members Alliance, and a member of the Microsoft IT Advisory Council.