1. Simplifying Law Firm Information Security Compliance: An Executive Briefing
Prepared by: David Cunningham, Managing Director; Meg Block, Managing Director
March 2010
Excerpt with a Focus on Encryption
2. Table of Contents
- Summary of Relevant Regulatory Information
- Focus on Encryption Expectations
3. Relevant Information Security Regulations
- HITECH makes the Health Insurance Portability and Accountability
Act (HIPAA) relevant to law firms as business associates of covered
health care entities
- International Traffic in Arms Regulations (ITAR) 2009
- Massachusetts Standard for the Protection of Personal
Information of Residents of the Commonwealth
  - 201 CMR 17.00 implements the provisions of Massachusetts General
  Law 93H
  - aka Massachusetts Data Privacy Law
- US-EU Safe Harbor Framework
- International Organization for Standardization (ISO) ISO/IEC 27001:2005
4. Regulatory Summary
(Columns of the original table: Regulation; Governing Body;
Information Addressed; Penalties; Law Firm Compliance Date)
- Massachusetts Data Privacy Law
  Governing body: State of Massachusetts
  Information addressed: Personal information about a resident of
  the Commonwealth of Massachusetts
  Penalties: $5,000 per incident plus costs of investigation,
  litigation and legal fees, plus potential civil penalties
  Law firm compliance date: March 1, 2010
- HIPAA / HITECH
  Governing body: Health and Human Services
  Information addressed: Protected Health Information (PHI)
  Penalties: $100 - $50,000 per incident; $1.5M max per year
  Law firm compliance date: February 17, 2010
- Safe Harbor
  Governing body: US Dept of Commerce / Federal Trade Commission
  Information addressed: Personal information transferred to or from
  the 27 Member States of the European Union
  Penalties: Up to $12,000 per day for violations
  Law firm compliance date: Voluntary (replaces Data Transfer
  Agreements)
- ITAR
  Governing body: US Department of State
  Information addressed: Export of technical data and classified
  defense articles, as defined by the US Munitions List
  Penalties: Per violation, civil fines up to $500K; criminal
  penalties up to $1M and 10 years imprisonment
  Law firm compliance date: 60 days in advance of any intended sale
  or transfer to a foreign person of ownership or control
- Red Flags Rule
  Governing body: Federal Trade Commission
  Information addressed: Personal identifying information (PII: PHI
  plus credit card, tax ID, insurance claim, background checks, etc.)
  Penalties: None at this time
  Law firm compliance date: Currently not applicable to law firms due
  to ABA objections, but the FTC is appealing
- ISO 27001
  Governing body: International Organization for Standardization (ISO)
  Information addressed: Determined by the company and its auditor via
  Statements of Applicability
  Penalties: None
  Law firm compliance date: Voluntary
5. Regulatory Compliance Actions
(Columns of the original table: Regulation; Assessment; Plans and
Policies; Procedures Needed; Registration or Audit)
- Massachusetts Data Privacy Law
  Assessment: Identify MA personal info; identify and assess internal
  and external threats
  Plans and policies: Written Information Security Plan; security
  policies
  Procedures needed: Designation of people to maintain the program;
  disciplinary actions for violations; maintain security
  system/program
  Registration or audit: None
- HIPAA / HITECH
  Assessment: Identify PHI; review information system activity
  Plans and policies: Information Security Policy; DR plan
  Procedures needed: Administrative, physical and technical
  safeguards; Business Associate Agreements; breach notification
  procedures
  Registration or audit: None
- Safe Harbor
  Assessment: Identify PI
  Plans and policies: Privacy Policy and Privacy Statement
  Procedures needed: User awareness, notice, and choice (opt-in or
  opt-out); compliance verification mechanisms, including annual
  reaffirmations; dispute resolution service
  Registration or audit: Self-registration with the US Department of
  Commerce, plus annual reaffirmations
- ITAR
  Assessment: Identify data and systems relevant to the US Munitions
  List
  Plans, policies and procedures: None
  Registration or audit: Registration with the Directorate of Defense
  Trade Controls
- ISO 27001
  Assessment: Review policies, objectives, and procedures relevant to
  info security
  Plans and policies: Information Security Management System (ISMS)
  Procedures needed: Plan (Establish the ISMS); Do (Implement and
  operate the ISMS); Check (Monitor and review the ISMS); Act
  (Maintain and improve the ISMS)
  Registration or audit: Audit by ISO auditor every two years
6. Massachusetts Data Privacy Law
- Indicative of an emerging legislative trend
  - Similar law in Nevada (but applicable only when doing business
  in Nevada)
  - New Jersey, Washington, and Michigan are working on privacy
  legislation
- Expected eventually to be preempted by a federal regulation
7. Massachusetts Data Privacy Law
- Excerpt on access control and encryption (201 CMR 17.04, Computer
System Security Requirements)
  - establishment and maintenance of a security system covering its
  computers, including any wireless system, that, at a minimum, and
  to the extent technically feasible, shall have the following
  elements:
    - (2) Secure access control measures that:
      - (a) restrict access to records and files containing personal
      information to those who need such information to perform their
      job duties; and
    - (3) Encryption of all transmitted records and files containing
    personal information that will travel across public networks, and
    encryption of all data containing personal information to be
    transmitted wirelessly.
    - (5) Encryption of all personal information stored on laptops or
    other portable devices;
8. Massachusetts Data Privacy Law
- All of the computer security provisions apply to a business if
they are technically feasible.
- Technically feasible means that if there is a reasonable means
through technology to accomplish a required result, then that
reasonable means must be used.
- A risk-based approach is one that directs a business to
establish a written security program that takes into account the
particular business' size, scope of business, amount of resources,
nature and quantity of data collected or stored, and the need for
security.
- Both the statute and the regulations specify that security
programs should take into account the size and scope of your
business, the resources that you have available to you, the amount
of data you store, and the need for confidentiality. This will be
judged on a case by case basis.
9. Massachusetts Data Privacy Law
Asset Encryption Expectations*
(* Answers are excerpts from the Commonwealth of Massachusetts FAQ
Regarding 201 CMR 17.00)
- Backup Tapes: You must encrypt backup tapes on a prospective
basis. However, if you are going to transport a backup tape from
current storage, and it is technically feasible to encrypt (i.e. the
tape allows it) then you must do so prior to the transfer. If it is
not technically feasible, then you should consider the sensitivity
of the information, the amount of personal information and the
distance to be traveled and take appropriate steps to secure and
safeguard the personal information.
- Portable Devices: Yes, but only those portable devices that
contain personal information of customers or employees and only
where technically feasible. The "technical feasibility" language of
the regulation is intended to recognize that at this period in the
development of encryption technology, there is little, if any,
generally accepted encryption technology for most portable devices,
such as cell phones, BlackBerries, netbooks, iPhones and similar
devices. While it may not be possible to encrypt such portable
devices, personal information should not be placed at risk in the
use of such devices. There is, however, technology available to
encrypt laptops.
- Third Parties: You are responsible for the selection and
retention of a third-party service provider who is capable of
properly safeguarding personal information.
- E-Mail with Personal Information: If it is not technically
feasible to do so, then no. However, you should implement best
practices by not sending unencrypted personal information in an
email. There are alternative methods to communicate personal
information other than through email, such as establishing a secure
website that requires safeguards such as a username and password to
conduct transactions involving personal information.
10. Massachusetts Data Privacy Law
- Do communications with clients already covered by the
attorney-client privilege immunize me from complying with 201 CMR
17.00?
  - No. If you own or license personal information, you must comply
  with 201 CMR 17.00 regardless of privileged or confidential
  communications.
- Do I have to do an inventory of all my paper and electronic
records?
  - No, you do not have to inventory your records. However, you
  should perform a risk assessment and identify which of your records
  contain personal information so that you can handle and protect
  that information.
- Does 201 CMR 17.00 set a maximum period of time in which I can
hold onto/retain documents containing personal information?
  - No. That is a business decision you must make. However, as a
  good business practice, you should limit the amount of personal
  information collected to that reasonably necessary to accomplish
  the legitimate purpose for which it is collected and limit the time
  such information is retained to that reasonably necessary to
  accomplish such purpose. You should also limit access to those
  persons who are reasonably required to know such information.
11. ITAR
- Register with the Directorate of Defense Trade Controls
- The USPTO's patent web portal now requires certification of
compliance before users may log into the system.
- Export includes disclosure or transfer to a foreign national,
even if within U.S. borders.
- Proprietary company information is not considered to be in the
public domain.
12. Safe Harbor
- The FTC and the Department of Transportation (DoT) have both
stated in letters to the European Commission that they can take
enforcement action against organizations that state they are in
compliance with the Safe Harbor, but then fail to live up to their
statements.
- Of large firms, only Shearman & Sterling is currently
registered
13. ISO 27001 Family of Standards
- ISO certification is most relevant for government clients, but
is a helpful overlay for all regulatory requirements
- ISO/IEC 27000 Information security management systems: Overview
and vocabulary
- ISO/IEC 27001 Information security management systems:
Requirements
- ISO/IEC 27002 Code of practice for information security
management (previously ISO/IEC 17799:2005)
- ISO/IEC 27003 Information security management system
implementation guidance
- ISO/IEC 27004 Information security management: Measurement
- ISO/IEC 27005 Information security risk management
- ISO/IEC 27006 Requirements for bodies providing audit and
certification of information security management systems
- ISO/IEC 27007 Guidelines for information security management
systems auditing
- ISO/IEC 27008 A guideline for information security management
auditing (focus on security controls)
- ISO/IEC 27011 Information security management guidelines for
telecom organizations based on ISO/IEC 27002
- ISO/IEC 27013 A guideline on the integrated implementation of
ISO/IEC 20000-1 and ISO/IEC 27001
- ISO/IEC 27014 An information security governance framework
- ISO/IEC 27015 Information security management guidelines for
the finance and insurance sectors
- ISO/IEC 27031 A guideline for ICT readiness for business
continuity
- ISO/IEC 27032 A guideline for cybersecurity (essentially,
'being a good neighbor' on the Internet)
- ISO/IEC 27033 IT network security, a multi-part standard
based on ISO/IEC 18028:2006
- ISO/IEC 27034 A guideline for application security
14. Questions
- What relevant information security experience, contacts, or
interest do you have?
- What tools and capabilities can you bring to the table to
increase the efficiency of the assessments?