Creating A Written Information Security Plan (Wisp) Is A Key Component Of Compliance
Pursuant to 201 CMR 17.00, the Massachusetts Privacy Law, your entity must develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP) to ensure the security and confidentiality of personal information in both physical and electronic format. The actual scope and complexity of a WISP will vary depending on size and scope of business, availability of resources, nature and quantity of data stored, and the need for security and confidentiality of both consumer and employee information.
When drafting a WISP, you must balance the requirement to incorporate the required technical and physical safeguards for the protection of personal information you have obtained with the objective of reasonable and effective administration. I have out together some general guidelines for you to consider.
1. Information Assessment
Identify Records Containing Personal Information of Massachusetts Residents
You will need to identify which records contain personal information in order to properly handle and protect that information.
Assess Current Information Handling Processes. Review your current processes for collecting, retaining and using personal information.
o What personal information is collected?
o In what form (hardcopy and electronic) is personal information being collected?
o What becomes of this collected information?
o What becomes of the completed forms used to initially collect the personal information?
o If the personal information is stored electronically, who has access to it?
o How is this information disposed of after it is no longer needed?
Identify any open issues. If the above analysis identifies any problems with unauthorized access or unauthorized use of personal information, you must institute and document corrective actions to correct the problems and ensure future compliance.
Limit the Nature and Amount of Personal Info Collected. Collect only the information that is necessary for your business purpose.
Retain Info Only as Long as Necessary. Maintain personal information records only as long as needed. This is no longer mandated by the regulations but is good business practice.
Designate a Data Security Coordinator. The Massachusetts Privacy Law explicitly states that one or more of your employees must be designated as an information security coordinator and charged with maintaining your information security plan. The responsibilities of the coordinator(s) should include
o Initial implementation of the plan
o Initial training of employees including temporary and contract employees (annually thereafter) o Regular testing of the plan’s safeguards
o Annual review of the scope of the plan or whenever there is a material change in business practices that may affect the security or integrity of records containing personal information
o Evaluating the ability of third party service providers to comply with 201 CMR 17.00
2. Information Access
Pursuant to the regulations, you need to have reasonable restrictions on physical access to records containing personal information.
Keep It Secure. All hard copy records containing personal information belonging to Massachusetts citizens should be stored in locked facilities, storage areas or containers.
Restrict Access. Access to records containing personal information, whether in hardcopy or electronic format, should be limited to those who require it in order to perform any part of their job function.
Establish Policies For Use and Transportation of Personal Information. Implement policies and procedures for employees who are storing and transporting records containing personal information outside of your business premises.
Protection From External Threats. Use security tools, firewalls and malware protection to protect your operating systems.
Visitor Procedures. This will depend greatly upon the size and nature if your business, but each entity needs to consider how to control access to the areas in which personal information is stored and used.
3. Computer Security Requirements
The computer security requirements of 201 CMR 17.00 do take into account the size and nature or each business effected and as a result allow each company to determine what is technically feasible which is defined as “a reasonable means through technology to accomplish a required result, then that reasonable means must be used.”
Secure User Authentication Protocols. These protocols must include control of user IDs and other identifiers; a reasonably secure method of assigning and selecting passwords; control of password security; restricting access to active users and blocking access after multiple failed attempts.
Secure Access Control Measures. These measures must include restricting access to records and files containing personal information to those who “need to know” to perform their jobs. In addition unique IDs and passwords (not shared nor vendor supplied default passwords.) need to be assigned.
Monitoring for Unauthorized Use or Unauthorized Access. Reasonable monitoring of systems for unauthorized use of or access to personal information is required. There are a variety of methods and tools available in order to effectively monitor and protect against unauthorized activity – intrusion detection tools, application logs, server firewalls, network security logs and file system auditing, to name a few.
Firewall Protection and Operating Systems Patches. For files containing personal information on a system that is connected to the Internet, you must implement and maintain “reasonably up-to-date” firewall protection and operating system security patches.
Viruses and Malware. You must implement and maintain “reasonably up-to-date” versions of system security agent software that includes malware protection and “reasonably up-to-date” patches and virus definitions. Additionally, you must be set up to receive the most current security updates on a regular basis.
4. Encryption
Laptops, portable devices, backup tapes, email and public network and wireless transmissions containing personal information require encryption where it is reasonable and technically feasible.
Encrypt Transmitted Records Containing Personal Info. If it is technically feasible to do so, outgoing emails containing personal information, as well as any personal information traveling across public networks or transmitted wirelessly, should be encrypted. If it is not “technically feasible” to encrypt, then don’t send personal information in this manner.
Encrypt Only Portable Devices Containing Personal Info. Not all portable devices need to be encrypted. Only those portable devices that contain personal information should be encrypted and, again, only if it is “technically feasible”.
Don’t Ignore Your Web Site. Company or third party web portals onto which the personal information of Massachusetts citizens is entered should be verified as being secure.
5. Vendor Management
Evaluate the Capacity of Your Third Party Service Providers. The regulations require you to take reasonable steps to select and retain third party service providers who are capable of maintaining appropriate safeguards to protect personal information. Such security measures should be consistent with those set forth under 201 CMR 17.00 and any applicable federal regulations. Massachusetts defines a service provider as any person that receives, stores maintains, processes, or is otherwise permitted access to personal information through its provision of services directly to a person that is subject to this regulation. Simply put, this includes any vendors who handle personal information of Massachusetts citizens on your behalf (e.g., background check services, payroll services, life and health insurance providers, 401K administrator services, credit card processing firms, etc.)
Third Party Service Providers Must Be Contractually Obligated to Implement and Maintain Appropriate Security Measures. Each vendor you do business with must enter into a written agreement, or it may be incorporated into the contract, that requires them to implement and maintain appropriate measures for protecting personal information.
6. Employee Issues
Train Employees on an Ongoing Basis. Train employees on the proper use of computer security system and the importance of personal information security.
Document Employee Attendance at Training Sessions. As a standard practice all attendees at these training sessions should certify their attendance at the meeting and their familiarity with the company’s requirements for protection of personal information.
Impose Disciplinary Measures for Violations. Establish and enforce disciplinary measures for employees who violate the security program’s rules.
Prevent Terminated Employees from Accessing Personal Information. Implement measures that prevent terminated employees from accessing records containing personal information. It is good practice upon their termination to immediately cancel their physical and electronic access to such records, including deactivating their passwords and user names.
7. Ongoing Monitoring
Regular Monitoring of Information Security Program. The new Massachusetts Privacy Law requires companies to conduct regular reviews of their information security policies for relevancy and operational effectiveness as well as regular reviews of organizational adherence to the established operational protocols. The regulations state that these reviews must be conducted on an annual basis (at a minimum) or whenever there is a material change in business practices that may affect the security or integrity of records containing personal information.
WHAT DO YOU NEED TO DO
While the deadline has already arrived, it is not too late to begin the process. Hamblett & Kerrigan can provide the assistance necessary to write the WISP and to review your employment practices to insure compliance.
Paul D. Creme is an attorney with Hamblett & Kerrigan PA. His practice is focused on business and corporate law. Of particular interest are the areas of software and emerging technologies. You can reach Attorney Creme at [email protected]