So far we’ve talked extensively about what laws are out there and the consequences of not following them. This leads us to the question: how do you know that you’re doing the right thing and taking the necessary steps toward compliance?

A quick note before we continue, we at Systems Support are not lawyers, nor do we claim to be. Please consult your attorney for any legal advice that you need.

I thought it would be helpful to go over what steps one should take to be compliant with 201 CMR 17. For businesses in Massachusetts, this is the most broadly applicable regulation, and luckily for us, the Office of Consumer Affairs and Business Regulation in Massachusetts created a checklist (available here) to help make sure a business is taking the right proactive steps. The checklist has 30 questions to answer, ranging from procedures on how to handle personal information to IT security. We will focus on the big picture rather than debating whether one encryption method is better than another for meeting the requirements.

The biggest part of compliance is keeping a record. For each of the items, you should be able to prove that you have taken the proactive measure. Chances are you already take most of these measures, from shutting off network access for recently terminated employees to keeping information on a need-to-know basis. However, to prove it, you must have it in writing! That’s where things like a Written Information Security Plan and signed employee training records come into play. State the measure you need to take, perform the action, and record that you did it. If a breach happens, you have the documentation to prove you’ve taken steps all along to protect personal information. It is not enough just to take the steps; you have to record them!

The first step is understanding where personal information is stored. To protect something, you have to know where it is! Are the records of customer/employee names kept in PDFs or a database on your server? Are files created locally on laptops when you go to client sites to onboard someone? Do you enter the information into a cloud database? The other part to think about is whether the data is at rest or in transit. At rest means it is stored somewhere in a file. In transit means the data is moving from one place to another. Thinking about these factors helps you identify where the personal information is. If it’s difficult to nail down where the information is stored, or to control it so that it is only stored in specific locations, the alternative is to treat all records as if they contain personal information. The blanket approach is burdensome because you have to install security measures on more machines, but it helps prevent a lack of control: the security boundary covers your entire company instead of a few specific machines.

The second step is to think about the human factors surrounding personal information. Is your staff regularly trained on how to protect personal information? Is your staff regularly tested to show they won’t open a phishing email? Have you thought about the internal and external risks of someone stealing personal information? When it comes to employees maintaining compliance, a strong human resources plan is necessary. To make sure that your security policies and practices don’t interfere with any other requirements you must meet, I strongly recommend speaking to a business attorney and an HR attorney to make sure termination policies, third-party contracts, and the amount of information you collect about your clients are all up to snuff.

Third is the control of your electronic information. Access to information should be set up in a way that you can tell who accessed what information and when. The toughest part of that is the “who”. It’s easy to tell who picked up a paper file when you have a security camera and can see someone’s face. It’s not as easy in the electronic world: if usernames aren’t unique, or everyone shares an easy-to-guess password, it’s impossible to tell who did it. That’s why it’s important to have a unique username or identifier for anyone who accesses personal information. Beyond a unique identifier, the password or authentication method must be difficult to guess or replicate. Take honest steps to make the password hard to guess. Don’t leave it on a sticky note on your monitor or under your keyboard. Don’t stash it in the notebook that’s always on your desk. The best bet is to leave it in a locked filing cabinet. Treat your password like your Social Security Number. In that same line of thinking, don’t make it easy to guess, like 123456 or your company name plus your street address. If you think someone could guess your password in under a million guesses, someone is going to crack it. The good news is passwords are starting to go away, and biometric methods like using one’s face to sign in, or a token with a changing number combination, will become more common as time goes on. There’s a cool demo of a method called Trusona here, the personal authentication technology for the FBI. While passwords and unique IDs help prevent unauthorized access to data, if someone physically steals a laptop or a USB drive with the data on it, it is reasonable to assume that after a certain amount of time they can get to the information. However, if you encrypt it, it’s not technically feasible to crack into the information. The 201 CMR 17 checklist asks whether, to the extent technically feasible, all PI stored on laptops or other portable devices is encrypted.
If you choose to assume that all devices in your business contain PI, it is a safe bet to encrypt anything mobile you might have. Also keep a record that you encrypted the device. If someone steals a laptop and there’s no record that its hard drive was encrypted, it’s impossible to prove that it was.

It’s great to have all the controls in place, between secure authentication and trained employees, but how do you actually tell if something isn’t right? Is it normal for someone to look at an application at 3am on a Tuesday? This is where monitoring comes in. Now, you don’t need an elaborate up-to-the-second alerting system, but there should be audit logs that someone can review regularly to show that no one is accessing records they aren’t supposed to, or exhibiting any weird behavior like a massive download late at night while they’re on vacation. Office 365 offers a fantastic audit log for any files within OneDrive and SharePoint, and Dropbox has an audit log as well, showing who added or removed a document. As we mentioned earlier, there should be a record that one can point to and show what happened.
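As an added illustration (not from the original post, and not the Office 365 or Dropbox audit log format), here is a short Python review of constructed audit-log lines that flags the two patterns mentioned above: access at odd hours and a large download by someone who is on vacation. The log layout, user names, vacation calendar and thresholds are all made up for the example.

```python
"""Review constructed audit-log lines for off-hours access and for large
downloads by a user who is on vacation, the two checks described above."""
from datetime import datetime, date

# Constructed sample audit log: timestamp, user, action, file, bytes.
# Real Office 365 / Dropbox exports use their own columns; this is only an illustration.
AUDIT_LOG = """\
2023-03-06T09:12:00,alice,FileAccessed,clients/onboarding.xlsx,20480
2023-03-07T03:04:00,bob,FileAccessed,hr/employee_ssn.pdf,51200
2023-03-08T23:30:00,carol,FileDownloaded,clients/export.zip,524288000
2023-03-09T14:10:00,carol,FileAccessed,clients/notes.docx,10240
2023-03-11T10:00:00,dave,FileDownloaded,finance/q1.xlsx,1048576
"""

# Constructed vacation calendar from HR: user -> (first day, last day), inclusive.
VACATIONS = {"carol": (date(2023, 3, 6), date(2023, 3, 10))}

BUSINESS_HOURS = range(7, 19)             # 07:00-18:59 on a weekday is "normal"
LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024  # 100 MiB; pick what fits your business

def parse_log(text):
    """Turn the CSV-style lines into dicts with a datetime and an int byte count."""
    events = []
    for line in text.splitlines():
        ts, user, action, path, size = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events

def on_vacation(user, when):
    """True if the HR calendar says this user was away on that day."""
    span = VACATIONS.get(user)
    return span is not None and span[0] <= when.date() <= span[1]

def review(events):
    """Return (user, path, reason) findings for a person to look at."""
    findings = []
    for e in events:
        t = e["time"]
        if t.hour not in BUSINESS_HOURS or t.weekday() >= 5:   # night or weekend
            findings.append((e["user"], e["path"], "off-hours access"))
        if (e["action"] == "FileDownloaded" and e["bytes"] >= LARGE_DOWNLOAD_BYTES
                and on_vacation(e["user"], t)):
            findings.append((e["user"], e["path"], "large download while on vacation"))
    return findings

if __name__ == "__main__":
    for user, path, reason in review(parse_log(AUDIT_LOG)):
        print(f"{user:6} {reason:34} {path}")
```

The point is the written review itself: the list of findings, and who looked at them, is the record you can later show.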

Overall, most of the data security steps are common sense. Make sure employees are aware of what’s required of them. Remind them often. Make passwords hard to guess. Have everyone use a unique ID. The hardest part is getting all these practices in place, especially if security has been relaxed for a long time. And remember, make sure to record that you’ve taken the steps.