Showing posts with label Information Security Program.

Friday, October 16, 2009

Your Timeline for Compliance with MGL 93H 201CMR17.00

October 2009

Designate an Information Security Officer - You will need to designate at least 1 person at your place of business who will maintain the comprehensive information security program. Finding that person now will help get the rest of the items in line for when they need to be done. You can get a compliance checklist at: 201 CMR 17.00 Compliance Checklist

November
Start Assessing Your Information:

Identify the paper, electronic and other type records, including storage media, laptops and portable devices that contain personal information.**
Check all anti-virus and security patches on all computer systems and servers -- make sure they are up to date.**
a. Check that you have reasonably up-to-date versions of system security agent software (including malware protection)**
Identify what "personal information" moves around your business and out of your office including:**
a. healthcare/insurance information
b. benefits/401K information
c. Accounting/Tax information
d. Employment and Credit Applications
e. Checks and credit card information
Identify persons who need to see the "personal information" and those who do not.
Identify where encryption for personal information is needed.**
Identify what third-party service providers your business may use that have access to personal information.
Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.**
Identify any systems that are connected to the internet and make sure the firewall protection for files containing personal information is up to date.**

December 2009

Purchase any hardware or software upgrades that are needed**
Get control of user IDs and other identifiers**
Come up with a reasonably secure method of assigning/selecting passwords for users**
Start developing your WISP (Written Information Security Program)
Make sure that your WISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts

Make sure that you include:

Administrative, technical and physical safeguards for personal information protection
Any identified and reasonably foreseeable internal and external risks to paper and electronic records
Regular and ongoing employee training, and procedures for monitoring employee compliance
Disciplinary measures for violators
Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names
Steps taken to verify third-party service providers' access
The length of time that you are storing records containing personal information.
Specifically the manner in which physical access to personal information records is to be restricted
Whether you are storing your records and data in locked facilities, storage areas or containers and the security measures taken to keep these areas secure
Actions taken, and documentation kept, in connection with any breach of security

January 2010

Install all hardware and software upgrades**
Test policies that have been written
Start Training Employees on new policies
Finalize WISP
December

Finish Training Employees
Send out WISP Policy to all Employees and get signatures from all that they understand and will comply

February 2010 and beyond

Continue monitoring your systems and procedures**
Continue providing training to new and existing employees
Update policies as required
Assure all computers and servers remain up-to-date with patches and anti-virus software**

** NSK Inc. can help you with any of these tasks, just let us know.

Thursday, June 18, 2009

Preventing Computer Viruses

Far too many company and household computers become infected with viruses annually, and the effects of these infections can be devastating to the user. Since there are so many ways a virus can enter your computer’s system, it’s important that you know how to block off those entrances. Here are several ways to decrease the chances of your computer becoming infected:

-Don’t rely solely on anti-virus software, although you should have it installed. Be sure to update it often so it can detect and protect your computer from the most recently created viruses. (It also doesn't hurt to install a spyware, malware, and adware removal application.)
-Read the headlines. Stay on top of the news to educate yourself about new viruses.
-Try not to open an e-mail attachment until you are sure it is safe. Make sure you know the sender and why it may have been sent to you.
-Once again, surf the web for news about viruses so you know the common subject lines and file extensions associated with them.
-Disable automatic attachment viewing in your e-mail settings.
-Set your Word and Excel settings so that macros are disabled when a file is opened for viewing.
-Use search engines that are well known for generating results relevant to search terms. A site is probably safe if a lot of people have linked to it, but keep in mind that this isn’t always the case. This way, you are less likely to be directed to a site that hosts a virus.
-Make sure you set your security settings to ‘high’ in your web browser.
-Try to avoid downloading free applications from unverifiable websites.
-Configure your settings so that you can always view file extensions.

The following are examples of file extensions to be suspicious of when they show up in e-mail:

ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, DLL, EXE, HLP, HTA, INF, INS, ISP, JS, JSE, LNK, MDB, MDE, MSC, MSI, MSP, MST, OCX, PCD, PIF, POT, REG, SCR, SCT, SHB, SHS, SYS, URL, VB, VBE, VBS, WSC, WSF, WSH
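As an added example (not code from the post or from NSK Inc.), here is a small Python triage helper built on the extension list above. It also shows why the advice to always view file extensions matters: with extensions hidden, a name like invoice.pdf.exe is displayed as invoice.pdf. The sample attachment names are constructed.

```python
import os

# The extension list from the post above, lowercased for comparison.
SUSPICIOUS_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "dll", "exe",
    "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde", "msc",
    "msi", "msp", "mst", "ocx", "pcd", "pif", "pot", "reg", "scr", "sct", "shb",
    "shs", "sys", "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}

def real_extension(filename):
    """The extension that decides how the file is opened. Trailing spaces and
    dots are stripped first because Windows drops them when saving the file."""
    _, ext = os.path.splitext(filename.rstrip(" ."))
    return ext.lstrip(".").lower()

def displayed_name(filename):
    """What the name looks like when the OS hides known extensions:
    'invoice.pdf.exe' shows as 'invoice.pdf', hence the advice to view them."""
    base, ext = os.path.splitext(filename)
    return base if ext else filename

def check_attachment(filename):
    """Return (suspicious, reason) for one attachment name."""
    ext = real_extension(filename)
    if not ext:
        return True, "no extension"
    if ext not in SUSPICIOUS_EXTENSIONS:
        return False, "ok"
    # A second extension in front of the real one is the classic disguise.
    inner = real_extension(os.path.splitext(filename.rstrip(" ."))[0])
    if inner:
        return True, f"{ext} hidden behind .{inner}"
    return True, ext

# Constructed sample attachment names for a quick self-check.
SAMPLE_NAMES = ["report.docx", "Setup.EXE", "invoice.pdf.exe", "notes.txt.vbs  "]

def triage(names=SAMPLE_NAMES):
    """Map each name to its verdict, as a mail gateway or help desk might."""
    return {n: check_attachment(n) for n in names}
```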

It is easy to tell yourself you will regularly take these measures to maintain your computer security and implement virus protection, but it is also quite easy to forget. This is often how viruses end up finding their way into your computer.

Written by Melissa Cocks

Friday, January 16, 2009

Massachusetts Consumer Protection Law

ARE YOU IN COMPLIANCE?

Does your company store and/or maintain personal information about a resident of Massachusetts? Do you have client databases, direct deposit records, payroll files, 401K information, employee records files or a QuickBooks company database? If so, you need to be aware of this new regulation.

The new Massachusetts General Law (M.G.L.) Chapter 93H requires that companies that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts establish minimum standards in safeguarding the personal information contained in both paper and electronic records. This new law’s further purpose is to:

Ensure security and confidentiality of information consistent with industry standards;
Protect against anticipated threats or hazards to the security or integrity of information;
Protect against unauthorized access to or use of such information


NSK Inc., along with Burns & Levinson, is hosting a Free Seminar at the Omni Parker House Hotel, 50 School St., Boston, MA on February 24th, 2009, explaining:

The law and how it relates to you and your company.
The implications of the law
How to assess your information technology environment and make it comply with the new regulations.

There will be three (3) one-hour sessions during the day. For more information and to sign up, please call us at 617-303-0480 X 224 and we will sign you up.

Monday, January 5, 2009

New Data Security Law - Massachusetts – Personal Information Compliance Assessment

75 Kneeland Street, Suite 201, Boston, MA 02211
Tel: 617.303.0480
Fax: 617.303.0481

Are you aware of the new Massachusetts General Law (M.G.L.) Chapter 93H?
(201 CMR 17.00: M.G.L. c. 93H)
201 CMR 17.00: Standards for the Protection of Personal information of Residents of the Commonwealth.
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information.


We have a new program that addresses the electronic-records requirements of this new law for the personal information your company holds.

The New Program is Called:
M-PICA (Massachusetts - Personal Information Compliance Assessment)

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

Secure user authentication protocols including:
1. Control of user IDs and other identifiers;

2. A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

3. Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

4. Restricting access to active users and active user accounts only;

5. Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

Secure access control measures that:
1. Restrict access to records and files containing personal information to those who need such information to perform their job duties;
2. Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
3. To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.

4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;

5. Encryption of all personal information stored on laptops or other portable devices;

6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.
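As an added illustration of authentication elements 1 through 5 and access control measure 2 above (example code, not from the regulation, NSK Inc. or M-PICA), the following Python sketch stores only salted password hashes, refuses duplicate IDs and vendor-default passwords, rejects inactive accounts, and locks an ID after repeated failures. The attempt limit, lockout period and default-password list are constructed assumptions, since the regulation says only "multiple" attempts.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values: the regulation only says "multiple" unsuccessful
# attempts, so the limit, lockout period and default-password list are assumptions.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}

def hash_password(password, salt=None):
    """Salted PBKDF2: the stored credential does not compromise the data it
    protects (authentication element 3) because the plaintext is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class UserStore:
    def __init__(self):
        self.users = {}  # one unique user ID per person (element 1)

    def add_user(self, user_id, password, active=True):
        if user_id in self.users:
            raise ValueError("user IDs must be unique")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:  # access control measure 2
            raise ValueError("vendor-default passwords are not allowed")
        salt, digest = hash_password(password)
        self.users[user_id] = {"salt": salt, "digest": digest, "active": active,
                               "failures": 0, "locked_until": 0.0}

    def authenticate(self, user_id, password, now=None):
        """Return (ok, reason). Inactive or unknown IDs are refused (element 4);
        repeated failures lock the ID for LOCKOUT_SECONDS (element 5)."""
        now = time.time() if now is None else now
        rec = self.users.get(user_id)
        if rec is None or not rec["active"]:
            return False, "unknown or inactive user"
        if now < rec["locked_until"]:
            return False, "account locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0
            return True, "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return False, "account locked"
        return False, "bad password"
```

Passing an explicit `now` timestamp makes the lockout window testable without waiting; in production leave it unset so the wall clock is used.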


17.05: Effective Date
These regulations shall take effect on May 1, 2009.