How to Help a Small Business Comply with the 2010 Massachusetts Privacy Law

Background

In 2007, Chapter 93H was added to the General Laws of the Commonwealth of Massachusetts. The law establishes rules for preventing and reporting data security breaches, and it applies to "any person that owns or licenses personal information about a resident" of Massachusetts. (By regulation, the rules also apply to any person that “receives, stores, maintains, processes, or otherwise has access to such personal information.”) That means it applies to virtually all businesses and nonprofit corporations in the Commonwealth.

The law directs the Office of Consumer Affairs and Business Regulation to promulgate specific regulations relative to Chapter 93H. These regulations are contained in 201 CMR 17.00, which go into effect on January 1, 2010. Once effective, the regulations will be enforced by the Attorney General.

The law and regulations cover both written and electronic information. From a small business’s perspective, the key passages of 201 CMR 17.00 are as follows:

Personal information [is defined as] a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

1. Social Security number;
2. driver’s license number or state-issued identification card number; or
3. financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

[All businesses] shall develop, implement, and maintain a comprehensive [written] information security program (CWISP, or WISP) that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:

1. the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
2. the amount of resources available to such person;
3. the amount of stored data; and
4. the need for security and confidentiality of both consumer and employee information.

The safeguards … must be consistent with the safeguards [required by similar state or federal regulations that may be applicable].

[E]very WISP shall include, but shall not be limited to:

1. Designating one or more employees to maintain the WISP;
2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
   1. ongoing employee (including temporary and contract employee) training;
   2. employee compliance with policies and procedures; and
   3. means for detecting and preventing security system failures.
3. Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
4. Imposing disciplinary measures for violations of the WISP rules.
5. Preventing terminated employees from accessing records containing personal information.
6. Oversee[ing] service providers by
   1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information …;
   2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider [before March 1, 2010] … satisfies the provisions … even if the contract does not include a [specific requirement regarding information safeguards].
7. Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
8. Regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
9. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
10. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Every [business] shall include in its written WISP the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

1. Secure user authentication protocols including:
   1. control of user IDs and other identifiers;
   2. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
   3. control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
   4. restricting access to active users and active user accounts only; and
   5. blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
2. Secure access control measures that:
   1. restrict access to records and files containing personal information to those who need such information to perform their job duties; and
   2. assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The IT Consultant’s Responsibility

An IT consultant cannot be solely responsible for determining whether or not a small business is in compliance with the regulations. Ultimately, that decision is up to the Attorney General and the judicial process. Therefore, all businesses should seek legal counsel when evaluating whether or not they are compliant. Nevertheless, because of the regulations’ focus on specific technical requirements and procedures, IT consultants can (and should) offer advice on how their clients can best prepare for and follow the new rules.

The Compliance Review Process

IT consultants should provide the following services to their clients:

1. Education. Ensure that the chief executive is aware of the regulations and obtain his or her approval to implement a compliance plan. It is probably a good idea to identify who will act as the business’s Information Security Manager at this point and to involve the ISM in every subsequent step of the process. It is NOT recommended that the IT consultant serve as the ISM.
2. Inventory. Identify all instances of personal information that are being used by the business in paper or electronic form. (At this stage, do not worry about whether the personal information is “received, stored, maintained, processed, or otherwise accessed” by the business.) This process should involve discussions with people responsible for multiple aspects of the business, including but not necessarily limited to:
   • Human resources / benefits
   • Payroll
   • Sales (for nonprofit organizations, this may translate to Membership)
   • Accounting
   • Operations (to see if employees’ driver’s licenses are kept on file)
   • Client or Customer Service

   The consultant may find it worthwhile to conduct a survey of all employees, providing the definition of personal information and asking whether they have come in contact with such information. It is especially critical to identify any personal information that may be stored outside the business’s office, such as on laptop computers, as there are special encryption requirements for this information. It is also critical to identify any business processes that cause personal information to be sent across wireless networks or the Internet.
   At this point, generate a list of all contractors that may use personal information on your behalf. The contracts you have with them will need to be reviewed for compliance as well.

3. Scope Assessment. After identifying the extent to which personal information is used at the business, discuss with the chief executive whether personal information is a relatively small and contained piece of the business’s information or whether personal information permeates the entire business. For example, an automobile insurance agency, a certified public accountant, or a temporary employment services agency might decide that personal information is so pervasive in the organization that all information should be handled as if it is subject to the regulations, whether or not each bit of information actually is covered.
4. WISP drafting. A draft can be prepared by either the business’s ISM or the IT consultant. Although it is possible to start the draft from scratch, most businesses will probably want to start with a template that they can adapt for their specific needs. A free template is available from the Office of Consumer Affairs and Business Regulation. It is also possible to buy plan-creation tools. For example, a Boston-area consultant is offering workshops and templates at www.201cmr17.com. Businesses would be well advised to seek reviews of these products before investing significant amounts in them. To find other commercial templates, do an Internet search for terms such as 201 CMR 17 sample policy. During the drafting of the WISP, it may become evident that some existing procedures are not compliant with the regulations. These areas should be clearly flagged in the WISP with notes such as “IS THIS OK?” or “NEED TO FIX THIS”
5. WISP review and revision. The first draft of the WISP should be reviewed by whoever did not write it (i.e., either the ISM or the IT consultant). The reviewer should seek clarification of any section of the WISP that seems confusing, incorrect, or incomplete. As in the previous step, any potential non-compliance should be flagged.
6. Checklist review. Go through the 201 CMR 17 compliance checklist to identify additional potential areas of non-compliance.
7. System changes. Using comments from the draft WISP and the 201 CMR 17 compliance checklist, identify and implement the necessary organizational changes. This will be likely be the most technically challenging stage in the process.
8. WISP completion. Once the WISP is final, obtain a sign-off from the chief executive.
9. Implement and train. Because employee training is a necessary component of the WISP, implementing the WISP will not be complete after step 7 above. The training should be led by the ISM, with assistance from the IT consultant as necessary.
10. Schedule review. The WISP should be reviewed annually. Ensure that this review is placed on the company calendar for the following year.

I’m not recommending Google Public DNS as your permanent, default DNS servers … not yet, anyway. But I like having another option that I don’t have to write down.

The most common problem people encounter, from what I can tell reading various blogs and forums, is that the special boot CD does not contain the correct drivers for the PC’s network card. Without the drivers, the network card won’t work, and without a working network card, the PC can’t talk to the Windows Home Server.  If that happens, you’re supposed to put the drivers on a USB hard drive and scan the hard drive for the drivers during the restore process. The drivers you need are supposed to be found in the “Windows Home Server Drivers for Restore” folder that is part of each computer’s backup on the Windows Home Server. Yeah, right.

I recently had occasion to restore a Dell Optiplex 755 running Windows XP (32-bit). The network card was an Intel 825xx-series Gigabit ethernet card. The boot CD did not include the necessary drivers. I retrieved the “Windows Home Server Drivers for Restore” folder, copied it to a USB drive, and scanned the drive for the drivers at the appropriate point in the process. No network drivers were found. I solved the problem by downloading the correct driver package from support.dell.com, extracting the files from the downloaded .exe file to a folder called “drivers” on the USB drive, and then scanning the drive again. Fortunately, the restore program is smart enough to look through the entire USB drive, and not just the “Windows Home Server Drivers for Restore” folder. This time the correct drivers were located and loaded, the Windows Home Server was detected on the network, and the restore process proceeded successfully.

(Note: I mentioned above that I was running a 32-bit operating system because many people seem to get stuck when trying to restore a 64-bit operating system. The restore CD runs in a 32-bit environment and will not use 64-bit drivers if that’s what’s contained in the “Windows Home Server Drivers for Restore” folder. I just wanted to point out that it’s not only 64-bit drivers that can cause a problem in the restore process. Sometimes plain old 32-bit drivers turn out to be a pain, too.)

hi my name is angie and i’m calling from kind of mark hello this is regarding the site name S C H all A T G hi and see great hi and see how the week that does site’s gonna start meet you man so please check into this issue to hear about that if other cruise you may give us a call back on i’ve been forced 1 night 18 81 4 extension number is 255 thank you and i today bye bye

Gotcha. Thanks for calling.

Some things that caught my attention during the install and setup process:

• The upgrade advisor indicated I would have been OK doing an upgrade from XP to Windows 7, but that wasn’t the point of the exercise. Still, it gave good and clear instructions about how to prepare for and what to expect after the upgrade.
• I was able to extend an existing partition and format the resulting larger partition all through a GUI in about 5 seconds, with appropriate warnings along the way. Nice!
• From boot-to-CD to Windows 7 desktop took less than 40 minutes.
• Tablet’s stylus and touch screen were recognized immediately, as was WLAN adapter. Sweet. Handwriting recognition in Windows 7 is excellent.
• Pop-up alert told me I needed antivirus software and took me directly to an Internet page showing multiple brands offering Windows-7-compatible software. I’m starting with the 60-day trial from Trend Micro.
• Remote desktop connection to a Vista Professional desktop: no problem whatsoever (although I did have to sign in as domain\user instead of just user).
• I live-docked the tablet and it froze. Not so nice. Had to hold the power button to get it to turn off. (This didn’t happen the next time I live-docked, and hasn’t happened since.)
• Roboform works fine on Windows 7. With a browser and Roboform, really, what else do you need? (One weird problem: sometimes when I Alt-Tab between IE8 windows, I get a User Access Control prompt and Roboform brings me to the identity settings screen. I can cancel and get out of it, though.)

Bottom line: When computers from Dell are available with Windows 7 preinstalled, that’s what my clients are going to start buying. Whether they’ll bother to upgrade any XP machines to Win7, I’m not sure.

Tethering Moto Q 9H with AT&T – Windows Mobile Forums

The key bits of information, for those of you who know what you’re doing and just need the codes:

• Extra initialization commands (in modem properties): at+cgdcont=1,”IP”,”isp.cingular”
• Dial up number: *99***3#

Having spent lots of time eradicating “Personal Antivirus” from computers that should have been protected from this sort of threat, I wasn’t going to take any chances with any of the buttons (not even Cancel or Close). I used Task Manager to shut down all Internet Explorer windows.

Never, never install software that offers unsolicited advice that your computer is infected. There are plenty of legitimate antivirus / antispyware programs on the market. If you need one, do your homework and go get one of your choosing.

And if you ever see a window appear that looks like the ones above, and if you’re not sure how to get rid of them safely, it’s better to just cut the power to your computer rather than clicking things in an attempt to get away.

I wish this had happened to me on a test system so I could see how well my Trend Micro software and/or Vista’s UAC defended me against Personal Antivirus, but on my production system I just didn’t have the time.

I am a “fan” of Microsoft’s Office Live page on Facebook. Today they posted an update that appeared on my wall:

We all could use a little guidance from a consultant about now. But, for most of us, the cost of hiring a business consultant is far beyond our reach. However, help may be available for small-business owners from an under-utilized resource: college students.

What’s that, Microsoft? You’re saying I can be replaced by college students!?!?!?!

In fairness, the blog that the Facebook entry links to is not terribly inflammatory. It doesn’t suggest that a college student can do what I do. It merely suggests that students can be brought in for short-term, closely defined projects. Businesses of all sizes have been doing this sort of thing for years. I do wish, though, that the lead-in paragraph had been worded a little more carefully.