IT IS Law: Personal Information Security

Personal information in the form of Social Security numbers, credit card numbers and account information is personal data that, when allowed to escape, leads to painful, costly exposure for all concerned. One response to this global problem has been legal action – laws.

This blog post is a reminder that there is probably a law pertaining to the protection of personal information that applies to your company. What you do to comply should be part of your formal, documented management system – if you really want to do things right. Why not? You already have a structure in place for exactly this purpose – to comply with customer requirements – and legislators can be considered customers.

As I reside in New England, I’m familiar with what is known as 201 CMR 17.00, a personal information regulation specific to the State of Massachusetts that sets a standard for the protection of personal information.

The introduction of the Massachusetts personal information security law is old news – the mandatory date of compliance was at the beginning of 2010. Unfortunately, many smaller companies still struggle with this requirement.

While that legislation is limited to one state, other states have enacted related laws. Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have legislation requiring notification of security breaches involving personal information, for example.

On top of that, there are Federal laws – and international laws amounting to the same impact and more. There has to be: worldwide in 2012, German and US companies suffered the highest total cost, with the US at $5.4 million and Germany at $4.8 million. Brazil and India fared the best, with $1.3 million and $1.1 million (according to the Ponemon Institute’s 2013 Cost of Data Breach Study). The total *reported* worldwide amounts to approximately $30 million dollars. 2013 should show even higher figures, in light of at least two high-profile incidents this year, so far.

The point of this post is not to detail each of these requirements but to encourage companies to explore the specific personal information security regulations within their country and within their state, and to incorporate any required procedural actions into their formal management system. This means controlled policies, procedures and work instructions (with revision levels, review and approval, etc.).

While an ISO auditor won’t likely have specific knowledge of these laws, they can certainly ask you what laws apply to you, and possibly how you are assured that you’ve covered all of them.

Incorporating the Law into your Management System

In the case of Massachusetts’ 201 CMR 17.00 there is a requirement to have a documented information security program. This would be a written plan detailing the measures adopted to safeguard personal information.

Within the realm of ISO (ISO 9001, 14001, etc.) there is a clause requiring compliance with statutory and regulatory requirements. For the state of Massachusetts this would include 201 CMR 17.00, and since that regulation requires a documented program, an auditor should expect to find evidence of compliance. It would be beyond the scope of a surveillance or registration audit to expect a full audit against 201 CMR 17.00, since the audit is against the particular ISO standard, but evidence of internal consideration and compliance would almost certainly be sought.

Additionally, beyond Massachusetts, any company that deals with personal information (credit card numbers, Social Security numbers, etc.) is also required to publicly reveal the existence and extent of any security breaches. The particulars of how this would be accomplished are a good opportunity to create a controlled document, or several.

What should the documented program cover?

According to 201 CMR 17.00, which is as good a model to work from as any, the Written Information Security Program – also known as a WISP – should cover the following, at a minimum:

  • Designation of the individuals who will oversee and maintain the WISP;
  • Analysis of the reasonably foreseeable risks to the security, confidentiality and integrity of records, in any form, that contain personal information, of the effectiveness of any current safeguards for limiting those risks, and of the need to develop improved safeguards;
  • Policies and procedures relating to employee training on the importance of the WISP, its specific requirements, the consequences of failure to comply with those requirements, and prevention of access by former employees;
  • For paper records, provisions for secure storage of materials containing personal information, including restrictions on physical access to such records and, for electronic records, control measures that restrict access and include secure user authentication protocols;
  • Encryption of personal information that is stored on computers, laptops or other portable devices or is transmitted across public networks or transmitted wirelessly;
  • Provisions to ensure that any electronic records system that is connected to the internet includes firewall protection and operating system security patches, that security software includes malware protections and virus definitions, and that all these programs are reasonably current …
  • Oversight of third-party service providers who have access to personal information, including a process to select and retain service providers that are able to maintain appropriate security measures consistent with 201 CMR 17.00;
  • Regular monitoring to ensure that the WISP operates effectively to protect both paper and electronic records, to detect any unauthorized use of or access to personal information, and to identify any areas where upgraded safeguards are needed;
  • Review of the WISP’s scope at least annually, and whenever there is a material change in business practices that may reasonably implicate the protection of personal information; and
  • Documentation of responses to any breach of security and of any actions taken thereafter to change practices relating to the protection of personal information.

If you’re a company in Massachusetts then you should know this list already, or someone in your organization should – take a moment to verify that all is well.

If you do business in a different state, this list should get you started, if you haven’t started already, while you seek out what laws apply to your location.

Good luck with managing your own information security risks; expect more posts on the subject here.

Thanks for visiting,

Sal

Sunday Summary – 3 Nov., ’13

And a fine Sunday it is. Last week was a one-audit week on the west coast: a recertification audit. They did some excellent work! It is always a pleasure to go there, as they are good, smart folks who have really embraced the ISO 9001 model and adapted it well to a biomedical field.

Here’s the recap of last week’s posts:

  • Monday – The RABQSA is changing its name to “Exemplar Global” so we explored the implications and considerations for that move.
  • Then there was a “How To’sday” about something called the Hawthorne effect. Essentially how change for change’s sake can increase short-term productivity – if the change actually improves the process – so much the better.
  • And Friday we took a breather and posted a slideshow of [more] bird images from the trip out to Oakland, California. Why not, right?


Next week will bring me to two local audits; it will be nice to be home for a full week for a change.

I do hope your weekend was a relaxing one – we’ll talk soon!

Thanks – Sal

Foto Friday 7 – for the Birds.

Made a [too] short trip out west for an audit in Oakland, California. There’s Merritt Lake near the client and I had a chance to walk around it after a day of auditing – it’s some kind of bird magnet. And the next day, I managed some time to stop into the San Francisco Zoo on the way back to the airport.

So here are a few pictures of winged creatures, though they can’t all fly (in the air)… I think they came out reasonably well! Enjoy.


And I hope you won’t mind, but I’m going to use the opportunity whilst we watch the slides transition, to share with you a service I’ve used since 2004 – Audible.com. With all the driving I do, it is a Godsend.

I sought this sponsor out as soon as I could. Click the ad to take advantage of this special offer and you’ll be doing both yourself and the site a big favor. Thank you very much.