Law Firm Information Security Overview: Focus on Encryption, by Dave Cunningham and Meg Block, March 2010

Simplifying Law Firm Information Security Compliance - An Executive Briefing
Prepared by: David Cunningham, Managing Director; Meg Block, Managing Director
March 2010
Excerpt with a Focus on Encryption
Regulatory Summary

Massachusetts Data Privacy Law
  Governing body: State of Massachusetts
  Information addressed: "Personal information about a resident of the Commonwealth" of Massachusetts
  Penalties: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties
  Law firm compliance date: March 1, 2010

HIPAA / HI-TECH
  Governing body: Health and Human Services
  Information addressed: "Protected Health Information" aka PHI
  Penalties: $100 - $50,000 per incident; $1.5M max per year
  Law firm compliance date: February 17, 2010

Safe Harbor
  Governing body: US Dept of Commerce / Federal Trade Commission
  Information addressed: Personal information transferred to or from the 27 Member States of the European Union
  Penalties: Up to $12,000 per day for violations
  Law firm compliance date: Voluntary (replaces Data Transfer Agreements)

ITAR
  Governing body: US Department of State
  Information addressed: "Export of technical data and classified defense articles", as defined by the US Munitions List
  Penalties: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment
  Law firm compliance date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control

Red Flags Rule
  Governing body: Federal Trade Commission
  Information addressed: Personal identifying information (PII is PHI plus credit card, tax ID, insurance claim, background checks, etc.)
  Penalties: Currently not applicable to law firms due to ABA objections, but the FTC is appealing
  Law firm compliance date: None at this time

ISO 27001
  Governing body: International Standards Organization (ISO)
  Information addressed: Determined by company and its auditor via Statements of Applicability
  Penalties: None
  Law firm compliance date: Voluntary
Massachusetts Data Privacy Law: Asset Encryption Expectations*

* Answers are excerpts from the Commonwealth of Massachusetts' FAQ Regarding 201 CMR 17.00

Backup Tapes: "You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information."

Portable Devices: Yes, "but only those portable devices that contain personal information of customers or employees and only where technically feasible. The 'technical feasibility' language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iPhones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops."

Third Parties: "You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information."

E-Mail with Personal Information: "If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information."
Editor's Notes
Technical data means:
(1) Information, other than software as defined in §120.10(a)(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
(2) Classified information relating to defense articles and defense services;
(3) Information covered by an invention secrecy order;
(4) Software as defined in §121.8(f) of this subchapter directly related to defense articles;
(5) This definition does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain as defined in §120.11. It also does not include basic marketing information on function or purpose or general system descriptions of defense articles.

Process
- Privacy policy and a privacy policy statement that conform to the Safe Harbor principles
- Define the roles and procedures relevant to the actions necessary to support the privacy policy, including:
  - Ensuring individuals are aware of the Firm's policy, aware of their own personal information stored by the Firm, able to make corrections, and able to opt-in or opt-out of sharing it (termed Notice and Choice by Safe Harbor)
  - Verifying third-party compliance with the notice and choice requirements (or adherence to Safe Harbor principles)
  - Defining compliance verification mechanisms, including annual reaffirmations (internal or third party)
  - Selecting a relevant dispute resolution service
  - Establishing a mechanism for ongoing internal compliance notifications and reminders