All posts by Sal

30 years in the Quality field including experience as QA Manager for a Fortune 100 company and as a Quality System Certification auditor for the top Registrars in the field - plus over 10 years of Information Technology Management in dual roles. Specialties: ISO 9001 Quality, ISO 14001 Environmental, OHSAS 18001 Safety, ISO/IEC 27001 Information Security, RAB QSA Certified Assessor,

ISO Survey Results Released

The most recent ISO survey results have been released. They show a significant rise in energy management certificates, along with gains across all standards.

ISO does this every year, as it has done since 1993, to show the number of certificates issued to management system standards in the previous year.

The big increases were found in energy management (ISO 50001) with a 332% increase, and food safety (ISO 22000) coming in at 20% higher between 2011 and 2012.


The ISO survey results cover only a subset of the certificates issued, specifically those issued by IAF-accredited certification bodies (registrars). The IAF is essentially an international club of accreditation bodies – this is the layer that audits registrars like TUV, BSi, NSAI, UL – there are more. You are audited by the registrar; the registrar is audited by the accreditation body, or a representative of it.

There is arguably a higher level of credibility with an accredited registrar, and when selecting vendors on the basis of their ISO registration status, it’s a good idea to ensure their certificate is accredited – fodder for another post, however.

I’d like to say that if we were to count the non-IAF certificates, the numbers would likely be higher, which is generally true, but percentage-wise, from one year to the next – who knows. I won’t even mention it then.

The ISO standard for the medical devices field (ISO 13485) and the information security standard (ISO 27001) did quite well, too, both showing about a 12.5% growth.

ISO 9001 certifications in 2012, which at over 1.1 million worldwide are by far the most numerous, show steady growth in the ISO survey, along with the environmental standard (ISO 14001).

Personally, I wasn’t surprised to see the very healthy increase in ISO 27001 certifications, and I think it will continue to grow. The growth in the food safety sector with ISO 22000 is also pretty stunning, especially in light of how recently it has been added to the playing field.

The full report can be found on ISO’s site.

Thanks for reading; go forth – and calibrate thyself.

Sal

IT IS Law: Personal Information Security

Personal information in the form of Social Security numbers, credit card numbers and account information is personal data that, when allowed to escape, leads to painful, costly exposure for all concerned. One response to this global problem has been legal action – laws.

This blog post is a reminder that there is probably a law pertaining to the protection of personal information that applies to your company. What is done to comply should be part of your formal, documented management system – if you really want to do things right. Why not? You have a structure in place for exactly this purpose – to comply with customer requirements; legislators can be considered customers.

As I reside in New England, I’m familiar with what is known as 201 CMR 17.00, a personal information regulation specific to the State of Massachusetts that sets a standard for the protection of personal information.

The introduction of the Massachusetts personal information security law is old news – the mandatory date of compliance was at the beginning of 2010. Unfortunately, many smaller companies still struggle with this requirement.

While that legislation is limited to one state, other states have enacted related laws. Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have legislation requiring notification of security breaches involving personal information, for example.

On top of that, there are federal laws – and international laws amounting to the same impact and more. There has to be: worldwide in 2012, German and US companies suffered the highest total cost, with the US at $5.4 million and Germany at $4.8 million. Brazil and India fared the best, with $1.3 million and $1.1 million (according to the Ponemon Institute’s 2013 Cost of Data Breach Study). The total *reported* worldwide amounts to approximately $30 million. 2013 should amount to even higher results, in light of at least two high-profile incidents this year, so far.

The point of this post is not to detail each of these requirements but to encourage companies to explore the specific Personal Information Security regulations within their country and within their state – to explore these and incorporate any required procedural actions into their formal management system; this means controlled policies, procedures and work instructions (with revision levels, review and approval, etc.).

While an ISO auditor won’t likely have specific knowledge of these laws, they can certainly ask you what laws apply to you, and possibly how you are assured that you’ve covered all of them.

Incorporating the Law into your Management System

In the case of Massachusetts’ 201 CMR 17.00 there is a requirement to have a documented information security program. This would be a written plan detailing the measures adopted to safeguard personal information.

Within the realm of ISO – ISO 9001, 14001, etc. – there is a clause requiring compliance with statutory and regulatory requirements. For the state of Massachusetts this would include 201 CMR 17.00, and since this requires a documented program, an auditor should expect to find evidence of compliance. It would be beyond the scope of a surveillance or registration audit to expect a full audit against 201 CMR 17.00, since it is auditing against the particular ISO standard, but evidence of internal consideration and compliance would almost certainly be sought.

Additionally, beyond Massachusetts, any company that deals with personal information (credit card numbers, social security numbers, etc.) is also required to publicly reveal the existence and extent of any security breaches. The particulars of how this would be accomplished would be a good opportunity to create a controlled document, or several.

What should the documented program cover?

According to 201 CMR 17.00, which is as good a model to work from as any, the Written Information Security Program – also known as a WISP – should cover the following, at a minimum:

  • Designation of the individuals who will oversee and maintain the WISP;
  • Analysis of the reasonably foreseeable risks to the security, confidentiality and integrity of records, in any form, that contain personal information, of the effectiveness of any current safeguards for limiting those risks, and of the need to develop improved safeguards;
  • Policies and procedures relating to employee training on the importance of the WISP, its specific requirements, the consequences of failure to comply with those requirements, and prevention of access by former employees;
  • For paper records, provisions for secure storage of materials containing personal information, including restrictions on physical access to such records and, for electronic records, control measures that restrict access and include secure user authentication protocols;
  • Encryption of personal information that is stored on computers, laptops or other portable devices or is transmitted across public networks or transmitted wirelessly;
  • Provisions to ensure that any electronic records system that is connected to the internet includes firewall protection and operating system security patches, that security software includes malware protections and virus definitions, and that all these programs are reasonably current …
  • Oversight of third-party service providers who have access to personal information, including a process to select and retain service providers that are able to maintain appropriate security measures consistent with 201 CMR 17.00;
  • Regular monitoring to ensure that the WISP operates effectively to protect both paper and electronic records, to detect any unauthorized use of or access to personal information, and to identify any areas where upgraded safeguards are needed;
  • Review of the WISP’s scope at least annually, and whenever there is a material change in business practices that may reasonably implicate the protection of personal information; and
  • Documentation of responses to any breach of security and of any actions taken thereafter to change practices relating to the protection of personal information.

If you’re a company in Massachusetts then you should know this list already, or someone in your organization should – take a moment to verify that all is well.

If you do business in a different state, this list should get you started, if you haven’t already, while you seek out what laws apply to your location.

Good luck with managing your own information security risks; expect more posts on the subject here.

Thanks for visiting,

Sal

Sunday Summary – 3 Nov., ’13

And a fine Sunday it is. Last week was a one-audit week on the west coast: a recertification audit. They did some excellent work! Always a pleasure to go there as they are good, smart folks who have really embraced the ISO 9001 model and adapted it well to a biomedical field.

Here’s the recap of last week’s posts:

  • Monday – The RABQSA is changing its name to “Exemplar Global” so we explored the implications and considerations for that move.
  • Then there was a “How To’sday” about something called the Hawthorne effect. Essentially how change for change’s sake can increase short-term productivity – if the change actually improves the process – so much the better.
  • And Friday we took a breather and posted a slideshow of [more] bird images from the trip out to Oakland, California. Why not, right?

Here’s another one, just for kicks – a surfer dude near SFO:


Next week will bring me to two local audits; it will be nice to be home for a full week for a change.

I do hope your weekend was a relaxing one – we’ll talk soon!

Thanks – Sal