Category Archives: Mass Data Privacy 201CMR17.00

Tech Tuesday Special: Windows XP End Of Support

It’s time for Tech Tuesday, where we answer reader questions!

We’ve been asked a lot lately…What does the “End of Windows XP” mean?

As Microsoft announced some time ago, support for Windows XP stops on April 8, 2014. By all means hit the link for the official Microsoft countdown clock.

What’s the official Microsoft stance?

Simply, that Microsoft will not be working on any more Windows XP security updates after April 8. And if Microsoft isn’t fixing XP problems, no one else will be either.

But what does that mean?

For some people, it’s not a big deal. The sun will rise, the computer will start, and the world will go on.

If you use your computer in business it’s not so simple.

A major part of any security standard includes running a supported, up-to-date operating system.

PCI-DSS, HIPAA, Sarbanes-Oxley, and Mass 201 CMR 17.00 all mandate that your computer systems must be running supported operating systems with reasonably current security updates.

If you can’t update the operating system you can’t be in compliance.

The safest advice at this time:

  • If your business stores health care or patient information on your computers;
  • If your business processes credit cards using computers;
  • If your business is a publicly-traded entity that’s subject to SEC or other government oversight;
  • If you process or store account information concerning Massachusetts residents;

Then you are obligated to be compliant.

It’s early March…a bit late to get into a large-scale shift, but there’s still time for most smaller businesses to act. And starting to do something, even if you miss the “deadline” by a few weeks, is better than doing nothing.

What to do?

There are several approaches:

  • You can buy new computers that run a supported system like Windows 7 or Windows 8.
  • If your computers are relatively new (2010 or later) they may be able to upgrade to Windows 7 (or 8).
  • If you have a large number of older computers, we can install a Windows MultiPoint Server or Windows Terminal Server, and reload your desktop computers as “thin clients” that are only able to initiate a connection to your server.
  • You may be able to devise policies that restrict credit card entry and similar tasks to certain computers.

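To turn the options above into a per-machine plan, here is an added example (not from the original post) that applies the post's own rules to a constructed inventory: the April 8, 2014 end-of-support date, 2010-or-later hardware as an upgrade candidate, older hardware as replace-or-thin-client, and machines handling regulated data flagged first. The inventory lines and hostnames are made up.

```python
"""Fleet triage for the Windows XP end-of-support deadline (illustrative)."""
import csv
from datetime import date
from io import StringIO

# Support end dates named on the page; anything not listed is treated as supported.
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8)}

# Constructed sample inventory: hostname, OS, purchase year, handles regulated data
INVENTORY_CSV = """hostname,os,purchase_year,regulated_data
FRONT-DESK,Windows XP,2008,yes
BILLING-01,Windows XP,2011,yes
LAB-07,Windows XP,2007,no
ACCT-02,Windows 7,2012,yes
"""


def triage_host(row, today):
    """Return (hostname, support status, recommended action) for one inventory row."""
    eol = END_OF_SUPPORT.get(row["os"])
    if eol is None:
        return row["hostname"], "supported", "no action"
    days_past = (today - eol).days
    status = "unsupported" if days_past >= 0 else f"eol in {-days_past} days"
    # Post's rule of thumb: 2010-or-later hardware can usually take Windows 7 or 8
    if int(row["purchase_year"]) >= 2010:
        action = "in-place upgrade to Windows 7 or 8"
    else:
        action = "replace, or reload as thin client to a terminal server"
    if row["regulated_data"] == "yes":
        action += " (priority: handles regulated data)"
    return row["hostname"], status, action


def triage(inventory_csv, today):
    """Triage every row of the CSV inventory, regulated-data machines first."""
    rows = list(csv.DictReader(StringIO(inventory_csv)))
    rows.sort(key=lambda r: r["regulated_data"] != "yes")  # stable: keeps file order otherwise
    return [triage_host(r, today) for r in rows]


if __name__ == "__main__":
    for host, status, action in triage(INVENTORY_CSV, date(2014, 3, 4)):
        print(f"{host:12} {status:16} {action}")
```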
It’s time to think about this, and act soon.

Windows XP sunset

5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 5/5. This is a BIG company problem.

Welcome to my continuing series about the Massachusetts data protection laws 201 CMR 17.00. At this time the rules take effect on March 1, 2010. In discussions with my clients I have heard many of the same questions (or mis-statements) many times.

If you’re just joining us, please take a few minutes and look over the first four entries in the series.

5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 1/5. Not Me!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 2/5. Not Me, really!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 3/5. It’s a tech thing!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 4/5. I’m OK!

Another good stop is Charland Technology’s Mass Data Protection Laws landing page.

I may be partly responsible for this one, because in my standard presentation about data security (and these regulations) I point out some BIG data breaches, like TJX, Heartland, and BJ’s.

“This is a response to some huge problems that big companies have had. Nothing like this could ever happen here. In fact, no one even knows that we save copies of drivers’ licenses,” one of my clients told me. He continued, “we only have a few hundred of them at most.”

There’s a great web site full of stories where people said, “Nothing like this could ever happen here.” It’s Data Loss DB, maintained by the Open Security Foundation.

Take a look at their site. What you’ll see today:

“About 145 employees at the Kansas City Art Institute have been notified of potential identity theft in connection with the disappearance of a computer from the campus. An Apple computer that contained Social Security numbers, dates of birth and other personal information about the school’s professors and staff employees was stolen from the human resource office last Thursday night.” Kansas City Star, February 9, 2010

“Sea Ray Boats inc. – email accidentally sends out personal details of names, addresses, and Social Security numbers of 341 employees. 4 New Hampshire residents affected.” From the DataLossDB.org web site

Hanceville, Alabama Dairy Queen credit card terminal hacked: “At that location, somebody has apparently tapped into the Internet server and hacked into the debit card system, and they’re printing out the customers’ debit card numbers and using them all over California and Georgia.” An estimated 1,000-2,000 card details were stolen. See the story in the Cullman, Alabama Times.

“Diners who frequent a popular Downtown restaurant should review their charge-card statements because hackers broke into its computer system to loot debit- and credit-card numbers, police said today. Between 30 and 50 people have reported fraudulent charges on their accounts, and Columbus detectives said that anyone who used a charge card at Tip Top Kitchen and Cocktails in July or August is at risk.” Columbus (OH) Dispatch, November 25, 2009

“Thirty former clients at the East Chicago, Ind., H&R Block have filed reports with police after their personal information was stolen. The victims discovered the thefts when trying to file taxes this year or after receiving tax return checks with incorrect amounts.” WLS-TV, East Chicago, Indiana, February 16, 2010

This is not “just a big company problem.”

This is not “just a government problem.”

This is not “just a healthcare problem.”

This is not “just a computer problem.”

As I say in my data security presentations, leaders in business, healthcare, and government need to take steps to ensure our clients’ and patients’ data security. Our clients and employees need to feel confident that they can provide important documents and that we will protect them adequately.

The deadline is now a few days away. Look on our Data Protection page for more details to get your own compliance strategy together…or contact us for help!

Managed Porn!

Okay, the title is a bit gratuitous. I have two points, though:

The Mass Data Protection and Personal Information Privacy Regulations have implications in some…interesting places.

If you’ve never been to an adult web site, you may have never heard of US Code Title 18 Chapter 110 Section 2257: Record Keeping Requirements for Sexually Explicit Materials. This bit of law specifies that any producer of such content (pictures, movies, etc) must verify (and keep copies of) legal ID. What’s the most common legal ID?

You got it…a Driver’s License. Which under Mass 201 CMR 17.00 is “personal information” requiring protection.

So…in addition to the challenges inherent in their own businesses, adult content producers must collect and maintain copies (which must be produced on demand for an unspecified length of time) of drivers’ licenses (which must be handled and stored according to the Office of Consumer Affairs regulations).

Thought 2

Employers of all sizes must take steps to promote productive, non-abusive work environments. Even harassment cases that appear to “end well” can be very costly.

One fairly easy and “painless” way to prevent employee access to Internet pornography is through network-based or computer-based filters. Our vendor partners keep tabs on millions of web sites and quickly comb out sites that are inappropriate, that deliver malware and viruses, or that are falsified bank “phishing” sites.

The end result? You get the level of protection you need, and your staff has the flexibility they want.

We can

  • set different access rules for different employees or computers
  • configure more “open” access during scheduled lunch break or after-hours
  • allow your staff to request un-blocks quickly and easily
  • provide you with reports of your employees’ internet usage
  • alert you to attempts to get around the blocks
  • find infected systems faster by watching their outgoing traffic

We find that simply notifying your staff that their computers are business assets and subject to monitoring shows productivity gains. And when you take control of Facebook, Myspace, Youtube, and employment search sites you can regain hours of productive time per week with a minimum of pain.

Our more advanced solutions can help prevent personal or business information from “leaking” via e-mail, file transfer sites, or instant messaging.

Ask us about our different solutions for different situations!

To return to the original point, though…

…yes, we can manage your porn!

5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 4/5. I’m OK.

Welcome to my continuing series about the Massachusetts data protection laws 201 CMR 17.00. At this time the rules take effect on March 1, 2010. In discussions with my clients I have heard many of the same questions (or mis-statements) many times.

If you’re just joining us, please take a few minutes and look over the first three entries in the series.

5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 1/5. Not Me!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 2/5. Not Me, really!
5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 3/5. It’s a tech thing!

Another good stop is Charland Technology’s Mass Data Protection Laws landing page.

To summarize, YES the law will apply to your business. For real, yes. We do not expect any further “push-back” of the enforcement date. And while technical safeguards are important to the protection of electronic records (i.e. stuff on your computer), there are many training, paper-records, and disciplinary matters that also need attention.

Today’s misconception:

I’m okay because my <accountant, tech guy, lawyer, uncle, brother-in-law, spiritual advisor> said so.

Answer: Maybe, maybe not. As a business owner or other person-in-charge you need to ensure this yourself, because you’re the one on the hook if there are problems.

How do I know if I’m compliant?

If you as a business have not taken steps to be compliant, then you are not.

There are three key steps to compliance:

  • You must name an Information Security Manager.
  • You must draft a Written Information Security Program.
  • You must implement and provide for ongoing maintenance, auditing, and follow-up of your WISP.

Got all three? Sounds like you’re good.

Missing something? There’s still time.

No idea what I’m talking about? You’re in trouble. Here’s an overview:

Information Security Manager: This should generally be an employee (office manager, owner) of your company rather than a contractor or consultant. The ISM is ultimately responsible for construction, startup, training, and auditing of your…

Written Information Security Program: The WISP is a document that describes WHAT personal information is collected by your organization, WHERE and HOW it is used and stored, WHO may access it HOW and WHEN, WHAT protections are in place against unauthorized access, HOW compliance is monitored and audited, and WHAT to do in the event of a problem. Most WISP documents are based on templates and samples, but it’s important to have this document reviewed by business ownership (C-level and corporate board), legal counsel, HR/personnel management, and IT/technical leads.

Implementation takes many forms and must be considered part of the WISP. Most of the heavy lifting is done during the development of the plan. By the time implementation comes around it’s a matter of executing the plan.

You need to train your people so they know that file cabinets must be kept locked, computer files are saved in the right places, that disciplinary action will result from failure to comply with the plan. Employees need to be told who is responsible for answering questions about the plan…and how to report any problems, failures, or possible exposure of protected information. Contractors and consultants need an addendum in writing that they will be held to the same standards and that all work done must be compliant with the law and the policy.

You need to set up the work environment with the right stuff. Make sure you have keys for the locking file cabinets, encryption configured on portable computers, antivirus and firewalls in place, and working shredders near printers and filing areas.

You must monitor and maintain the Plan. The WISP itself must be reviewed each year, or with any major changes in the business. Monitoring of computers and networks must be implemented. Office alarm systems need to be maintained and tested. Audits and spot-checks of the key parts of the plan must be scheduled, carried out, and documented.

This sounds like a lot. And a medium-sized business starting the process in February will find itself with a very busy Information Security Manager. But there is still time, and smaller companies should be able to come up to speed quickly.

But that’s another post for another day.

5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 3/5. It’s a tech thing.

Continuing on with my series to clarify misunderstandings with the upcoming data security law, we come to part 3.

If you haven’t read part 1 and part 2, I encourage you to look them over first.

The common perception of this law is that it is in the “tech” realm, that responsibility for compliance falls to the computer fixer or network technician who can follow a checklist, install a new box, and be magically in compliance.

As with any initiative, handling data protection in this way usually doesn’t end well.

This is a problem that must be solved in the entire organization. The directive to hold ourselves accountable must start at the top and filter down through the organization.

The review of “where information is used and stored” must be done top-to-bottom.

We need HR input to define and clarify the policies, which include monitoring and disciplinary actions. Using templates can be a head start, but it should be obvious that you are responsible for the content of your employee handbook. Copying someone’s free, web-based template may leave you with language that has loopholes or that will get you sued when you need to enforce it.

We need management to make the goals clear and convince the office staff that it’s very important that the file cabinets are locked and procedures are followed.

And yes, we do need tech people to make sure that the firewalls are in place and configured properly; mobile devices are encrypted; systems have appropriate passwords, monitoring, and protection.

Maybe your tech person will be the first to bring up the subject. Maybe your tech person will lead your compliance initiative.

But remember that this is a business problem, not a tech problem.

5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 2/5. Not Me, really!

The new Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” is one of the toughest consumer protection laws in the country. While it means some extra work for businesses most will find it manageable and well worth the effort. There is still confusion out there. Some questions (and “statements”) I have heard:

2. This doesn’t apply to me; I don’t keep any important information on the computer.

First, re-read my previous post. It doesn’t matter what size, scope, location, or industry your business is in.

The first part does not ask in what form the data is stored. If you handle credit cards, checks, or social security numbers in any way you are required to comply with the law.

The only entities that do not need to comply are those that:

  • Do not accept checks
  • Do not accept credit cards
  • Do not have employees OR contractors

In order to comply you must have a Written Information Security Program. For a computer-free organization such a plan could consist of

  • A statement that no account information may be stored on any computer at any time.
  • A description of the procedures in place for handling this information on paper (credit card details may be written on scrap paper during telephone calls but must be shredded immediately upon successful charge of the customer’s bank card.)
  • Description of monitoring for compliance, making sure the stated rules are followed.
  • Description of disciplinary action that must be taken if an employee violates the rules.

In general I think it’s a much better path to flip the thinking:

Rather than assuming that computers have NO personal information…we should assume that ALL computers could contain PI and treat them as such.

Such a strategy offers the best protection for the customers, the business, and the tech support personnel assisting them. It also reduces the chance that a new employee or forward-thinking employee will step over the line and endanger customer data by placing account data onto unsecured systems.

The data security regulations aren’t as cumbersome as they sound. They were largely based on industry “best practice.” But that’s another post for another day.