TBG Security Mgl93 H 201 CMR17.00 Compliance Service (SlideShare deck, 57 slides)
Slide 1: How M.G.L. c. 93H and 201 CMR 17.00 Will Impact Your Business

Slide 2: Session Objectives
- Enhance awareness of the new Massachusetts “Data Security Breach Laws and Regulations”
- Legal perspectives
- Practical tools
- Technical issues surrounding compliance
- Provide up-to-the-minute updates on 201 CMR 17.00

Slide 3: Identity Theft Global View

Slide 4: Identity Theft & Data Breach
$60 billion was lost and 35.6 million consumer records were exposed in 2008 due to data breaches and identity theft, a 47% increase over 2007, according to the Identity Theft Resource Center. The U.S. Department of Justice reports that identity theft has surpassed the illegal drug trade as the number one crime in the nation.

Slide 5: Data Breaches 2008 – Global View
Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s (ITRC) 2008 breach report includes 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.

Slide 6: Identity Theft

Slide 7: Has Anyone Been A Victim Of Identity Theft?
Care to share?
Slide 8: The Laws
- M.G.L. c 93H
- M.G.L. c 93I

Slide 9: The Laws
- M.G.L. c 93H: Security Breaches
- M.G.L. c 93I: Disposition & destruction of records
- Effective 2/3/08

Slide 10: M.G.L. 93H Security Breach

Slide 11: What Is Personal Information?
Personal Information is defined as a Massachusetts resident's first and last name, or first initial and last name, along with one or more of the following:
- Social Security Number,
- driver's license number or state-issued identification card number,
- financial account number, or
- credit or debit card number.
Therefore, Personal Information will frequently be included in financial records, employee and possibly candidate HR files, benefits files and certain consumer-related files.
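As an added example (not part of the TBG presentation), the following Python applies this definition to structured records the way a data-inventory or breach-scoping script would: a record is personal information only when a name is paired with at least one of the four data elements, and the count of affected Massachusetts residents is the figure the Attorney General notice later asks for. The field names, the identifier formats, the Luhn check on card numbers and the sample rows are all assumptions constructed for the illustration; the statute itself prescribes no formats.

```python
import re

# Added example (not from the presentation). Applies the M.G.L. c. 93H
# definition of "personal information" to structured records and counts the
# Massachusetts residents affected. Field names (first_name, last_name,
# state, ssn, ...) and the identifier formats are assumptions made for this
# example; the statute prescribes no formats.

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
STATE_ID_RE = re.compile(r"^[A-Z]{1,2}\d{7,8}$")  # assumed license/state-ID shape
ACCOUNT_RE = re.compile(r"^\d{8,17}$")            # assumed bank-account shape
CARD_RE = re.compile(r"^\d{13,19}$")              # card numbers, validated by Luhn


def luhn_valid(number: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def name_present(record: dict) -> bool:
    """First and last name, or first initial and last name: any non-empty
    first-name field plus a last name satisfies the statute."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def data_elements(record: dict) -> list:
    """Return the statutory data elements present in the record."""
    found = []
    ssn = (record.get("ssn") or "").strip()
    if SSN_RE.match(ssn):
        found.append("ssn")
    state_id = (record.get("license_or_state_id") or "").strip().upper()
    if STATE_ID_RE.match(state_id):
        found.append("license_or_state_id")
    account = (record.get("account_number") or "").replace(" ", "")
    if ACCOUNT_RE.match(account):
        found.append("account_number")
    card = (record.get("card_number") or "").replace(" ", "").replace("-", "")
    if CARD_RE.match(card) and luhn_valid(card):
        found.append("card_number")
    return found


def is_personal_information(record: dict) -> bool:
    """Name plus at least one data element. A lone SSN or a lone name is not
    'personal information' under c. 93H, so by itself it triggers no notice."""
    return name_present(record) and bool(data_elements(record))


def affected_ma_residents(records: list) -> int:
    """Count Massachusetts residents whose personal information is in the set.
    Assumes a two-letter 'state' field and one record per individual."""
    return sum(1 for r in records
               if (r.get("state") or "").upper() == "MA" and is_personal_information(r))


# Constructed sample rows, shaped like an exposed export file might be.
SAMPLE_RECORDS = [
    {"first_name": "Ann", "last_name": "Lee", "state": "MA", "ssn": "123-45-6789"},
    {"first_name": "B", "last_name": "Ortiz", "state": "MA", "card_number": "4111 1111 1111 1111"},
    {"first_name": "", "last_name": "Nguyen", "state": "MA", "ssn": "987-65-4321"},         # no name: not PI
    {"first_name": "Dan", "last_name": "Kim", "state": "MA", "card_number": "4111 1111 1111 1112"},  # fails Luhn
    {"first_name": "Eve", "last_name": "Roy", "state": "NH", "account_number": "0012345678"},  # PI, but not MA
    {"first_name": "Fay", "last_name": "Wu", "state": "MA", "license_or_state_id": "S12345678"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["last_name"], is_personal_information(r), data_elements(r))
    print("MA residents to notify:", affected_ma_residents(SAMPLE_RECORDS))  # 3
```

Run over the sample rows, three records (Lee, Ortiz, Wu) count as Massachusetts residents to notify: the Nguyen row lacks a name, the Kim row carries a digit string that fails the Luhn check, and the Roy row is personal information but not a Massachusetts resident.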
Slide 12: What Is A Security Breach? M.G.L. c 93H
By statute a breach of security means: unauthorized acquisition of unencrypted data, or encrypted electronic data along with the confidential process or key, that may compromise the security, confidentiality, or integrity of personal information by a person or entity that creates a material risk of identity theft.
What triggers a “notice requirement”? When an entity knows or has reason to know that personal information was acquired or used by an unauthorized person or for an unauthorized purpose.

Slide 13: What Actions Are Necessary After A Security Breach? M.G.L. c 93H
Notice must be provided to:
- Resident or residents affected
- Attorney General & Director of Consumer Affairs
- If so instructed, consumer reporting agencies and/or identified state agencies

Slide 14: What Actions Are Necessary After A Security Breach? M.G.L. c 93H
Notice to the resident shall include:
- Consumer’s right to obtain a police report
- How to request a security freeze from consumer reporting agencies
- Necessary information to provide when requesting a security freeze
- Any fees required to be paid to the consumer reporting agencies

Slide 15: What Actions Are Necessary After A Security Breach? M.G.L. c 93H
Notice to the Attorney General & Director of Consumer Affairs shall include:
- Nature of breach or unauthorized acquisition
- Number of residents affected
- Any steps taken by the entity relating to the incident

Slide 16: What Actions Are Necessary After A Security Breach? M.G.L. c 93H
Method of notice:
- Notify by regular or electronic mail
- Substitute notice if the cost of electronic notice exceeds $250,000
- Substitute notice is website posting, newspaper publication, or an electronic mail blast
Time of notice:
- As soon as practicable without delay
- No language about terms of days (although you cannot delay to benefit the company)

Slide 17: What Actions Are Necessary After A Security Breach? M.G.L. c 93H
Additional provisions:
- Firms that use personal information for the benefit of another firm must inform their corporate clients
- Corporate clients who “own” the data must inform residents
- MA firms who suffer a breach affecting residents of other states must comply with that state’s law
- Firms outside MA who suffer a breach of MA residents’ data must comply with MA notice laws

Slide 18: M.G.L. 93I Disposal Of Personal Information

Slide 19: How To Dispose Of Records M.G.L. c 93I
Minimum standards for proper disposal of records containing personal information are:
- Paper documents must be redacted, burned, pulverized or shredded
- Electronic media are to be destroyed or erased
Slide 20: The Regulation 201 CMR 17.00

Slide 21: Background – OCABR Findings
In the twelve months following the enactment of M.G.L. 93H, the OCABR received reports of over 300 incidents that have compromised or threatened to compromise the personal information of over 600,000 Massachusetts residents. Sixty percent of the cases involved criminal and/or unauthorized acts, with a high frequency of laptops or hard-drives being stolen. The remainder of the breaches resulted from employee error or poor internal handling of sensitive information. Approximately 75% of the reported incidents involved data that was not encrypted or password-protected.

Slide 22: 201 CMR 17.00 Summary
In October of 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a comprehensive set of final regulations establishing standards for how ALL businesses protect and store personal information about a resident of Massachusetts, whether or not that business is based in Massachusetts. The original regulations were set to take effect on January 1, 2009; however, the deadline was extended to January 1, 2010 and on August 17th was extended again to March 1, 2010.

Slide 23: Complying with 201 CMR 17.00
Who must comply and penalties for not doing so….

Slide 24: Who Must Comply With 201?
Every person that owns or licenses personal information about a resident of the Commonwealth of Massachusetts. OCABR defines “Owns or Licenses” to be: receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. Federally regulated financial and other entities are not exempt from MA law.

Slide 25: Is Massachusetts the Only State with such a law?
45 states, the District of Columbia, Puerto Rico and the US Virgin Islands have similar legislation, but Massachusetts is the most rigid.

Slide 26: Penalties for Non-Compliance
A civil penalty of $5,000 may be levied for each violation of M.G.L. 93H / 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal. Failure to comply with Chapter 93H or 93I may subject the offender to a suit by the Attorney General under Chapter 93A, the consumer protection law. Violations may mean triple damages, as well as attorneys’ fees and legal costs.

Slide 27: Consequences of Compromise
There are many additional business impacts, including:
- Costs associated with legal actions:
  - Legal battles with issuing banks
  - Lawsuits from states and the FTC
  - Class-action lawsuits from consumers
- Brand impact resulting in loss of consumer and stockholder confidence
- Impact to customer relationships, possibly resulting in a loss of business
- Increased oversight internally and from external entities
- Public relations costs

Slide 28: Costs
In addition to the penalties levied by the state you must also consider the actual costs of a data breach. The following items should be considered in calculating costs.

Slide 29: Costs
Companies experiencing a data breach spent an average of $14 million on recovery costs, including unbudgeted spending for outside legal counsel, mail notification letters, calls to individual customers, increased call center support and discounted product offers. Even more significantly, businesses that experience a data breach lose an average of 2.6% of their total customer base.

Slide 30: Costs to Brand Integrity
In 2007 lost business was 54 percent of data breach costs. A poll of more than 2,000 North American and European consumers conducted by Opinion Research Corporation found that 59% of consumers would either strongly consider or definitely take their business elsewhere if their personal information was compromised. The real punishment is brand diminishment.

Slide 31: Brand Diminishment
Media coverage of security breaches is also affecting brand integrity. According to Factiva, media coverage of companies that suffered a security breach accounted for more than half the stories written about those companies.

Slide 32: Brand Diminishment
Most significantly, an Emory University study recently confirmed that security breach events directly affect stock performance. When such events are reported, companies lose an average of 0.63% to 2.1% value in stock price – equivalent to a loss in market capitalization of $860 million to $1.65 billion per incident! (7)

Slide 33: Will my Business Insurance cover this?
Most business owners are unaware of how Information Security lapses can negate their coverage entirely. This gap in coverage has the ability to put your company out of business. Failure to follow or document due care and due diligence is evidence of negligent behavior.

Slide 34: Will my Business Insurance cover this?
Your ability to show documentation that your business is doing what is required will mean the difference between having insurance cover the costs of a data breach and going bankrupt from having to pay costs out of pocket.

Slide 35: FTC and Privacy Protection
According to Joel Winston of the FTC, the commission is currently filing cases against companies that do not utilize reasonable measures to secure privacy data. The FTC is employing numerous strategies to get the message to the business community about the importance of protecting consumers’ private information and preventing identity theft.
Slide 36: 201 CMR 17.00 The Regulation

Slide 37: 201 CMR 17.00
The Massachusetts regulation imposes a duty to protect personal information and provides administrative standards as well as computer security requirements. Administratively, each entity holding personal information is required to enact a Comprehensive Information Security Program (CISP) compliant with the regulations.

Slide 38: 201 CMR 17.00 - Overview
The minimum requirements for an information security program are broken down into two main categories: requirements applicable to personal information generally, and requirements applicable to personal information in electronic form.

Slide 39: Requirements Applicable To Personal Information Generally
All comprehensive information security programs must include the following:
- Designated employee
- Identify risks
- Off-premises access practice
- Disciplinary measures
- Terminated employee policy
- Third-party service providers policy
- Limited access
- Physical access
- Review of information security program
- Addressing data incidents

Slide 40: Requirements Applicable To Personal Information In Electronic Form
All information security programs must include the following, as it relates to electronic personal information:
- User authentication protocols. Authentication must involve:
  - the control of user IDs,
  - use of passwords,
  - control of password data,
  - restricting access to active users on active accounts,
  - blocking access after multiple incorrect login attempts.
- Secure access control measures
- Encryption of transmitted records
- Monitoring of systems
- Laptop encryption
- Security patches and firewall protection
- Anti-virus software
- Education and training

Slide 41: Comprehensive Information Security Program Requirements (CISP)
- Develop a security program, designate an employee to manage it, and discipline employee violators;
- Assess internal and external security risks and the effectiveness of current safeguards, upgrading as necessary;
- Train employees regarding security;
- Institute security policies for employees that meet certain specified standards;
- Prevent terminated employees from gaining access to personal information;

Slide 42: Comprehensive Information Security Program Requirements (CISP)
- Ensure that service providers are capable of protecting personal information;
- Limit the amount of personal information collected, how long it is kept, and restrict access on a need-to-know basis;
- Identify records containing personal information, or treat all records as if they did;
- Regularly monitor employee access to personal information;
- Review security measures annually, take corrective action when necessary and document action taken in response to security breaches; and
- Restrict physical access to records containing personal information.

Slide 43: Additional Elements for Electronic Records
- Establish user authentication protocols that include control of user IDs and a secure method of assigning passwords (including prohibiting use of vendor-supplied default passwords) or other unique identifiers such as token devices;
- Make sure the location where passwords are kept does not compromise the security of the data they protect, restrict access to active users only and block access after multiple unsuccessful attempts;
- Restrict access to personal information on a need-to-know basis;
- Periodically monitor systems for signs of unauthorized use or access;
- Keep malware protection and virus definitions reasonably up to date.

Slide 44: M.G.L. c. 93H 201 CMR 17.00 The Details

Slide 45: M.G.L. c. 93H 201 CMR 17.00 Details
Every comprehensive information security program shall include, but shall not be limited to:
- Designating one or more employees to maintain the comprehensive information security program;
- Identifying and assessing reasonably foreseeable internal and external risks to the security;
- Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records;
- Imposing disciplinary measures for violations of the comprehensive information security program rules;
- Preventing terminated employees from accessing records containing personal information;
- Taking all reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information.

Slide 46: M.G.L. c. 93H 201 CMR 17.00 Details
- Limiting the amount of personal information collected;
- Reasonable restrictions upon physical access to records containing personal information;
- Regular monitoring to ensure that the comprehensive information security program is operating;
- Reviewing the scope of the security measures at least annually;
- Documenting responsive actions taken in connection with any incident involving a breach of security.

Slide 47: M.G.L. c. 93H 201 CMR 17.00 Details
Computer System Security Requirements: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:
- Secure user authentication protocols including:
  - control of user IDs and other identifiers;
  - a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
  - control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
  - restricting access to active users and active user accounts only; and
  - blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

Slide 48: M.G.L. c. 93H 201 CMR 17.00 Details
- Secure access control measures that:
  - restrict access to records and files containing personal information to those who need such information to perform their job duties; and
  - assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
- Reasonable monitoring of systems for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices.
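The authentication and access-control elements on slides 47 and 48 (and the shorter lists on slides 40 and 43) translate into fairly concrete mechanics. The following Python is an added example, not code from the presentation, from TBG Security or from the regulation; it shows one small account store implementing them: user IDs are unique, passwords exist only as salted PBKDF2 hashes so the stored form does not compromise the data it protects, vendor-default passwords are refused, inactive (terminated) accounts cannot log in, an ID is blocked after repeated failed attempts, and every decision is written to an audit trail for monitoring. The lockout threshold, lockout window, minimum password length and the default-password list are assumed policy values; the regulation fixes none of them.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Added example, not from the presentation or the regulation. One small
# account store covering the 201 CMR 17.00 authentication elements: unique
# IDs, salted-hash password storage, no vendor defaults, active accounts only,
# lockout after repeated failures, and an audit trail. All numeric limits and
# the default-password list are assumptions chosen for the illustration.

LOCKOUT_THRESHOLD = 5        # assumed: failed attempts before the ID is blocked
LOCKOUT_SECONDS = 15 * 60    # assumed: how long the block lasts
MIN_PASSWORD_LENGTH = 12     # assumed policy value
PBKDF2_ITERATIONS = 100_000
# Constructed list standing in for a real vendor-default password blacklist.
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default", "welcome1"}


def password_acceptable(password: str) -> bool:
    """Policy check applied when a password is assigned or changed."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and password.lower() not in VENDOR_DEFAULTS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    active: bool = True
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class AccountStore:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.audit = []        # (timestamp, user_id, outcome) rows for monitoring
        self.clock = clock     # injectable so the lockout window is testable without waiting

    def _record(self, user_id: str, outcome: str) -> str:
        self.audit.append((self.clock(), user_id, outcome))
        return outcome

    def create_user(self, user_id: str, password: str) -> None:
        """Assign a unique ID; the plaintext password is never kept."""
        if user_id in self.accounts:
            raise ValueError("user ID already assigned")
        if not password_acceptable(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def deactivate(self, user_id: str) -> None:
        """Terminated employee: the record stays on file but can no longer log in."""
        self.accounts[user_id].active = False

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; every outcome goes to the audit trail."""
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            # Same outcome for unknown and inactive IDs: the response does not reveal which.
            return self._record(user_id, "denied")
        if acct.locked_until > now:
            return self._record(user_id, "locked")
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return self._record(user_id, "ok")
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return self._record(user_id, "locked")
        return self._record(user_id, "denied")


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("jdoe", "correct horse battery staple")
    print(store.login("jdoe", "correct horse battery staple"))   # ok
    for _ in range(LOCKOUT_THRESHOLD):
        print(store.login("jdoe", "wrong guess"))                # denied x4, then locked
    for row in store.audit:
        print(row)
```

The audit rows are what "reasonable monitoring of systems" consumes: a run of "denied" followed by "locked" for one ID, or "denied" for an ID that was deactivated on termination, is exactly the signal a periodic review of the log is meant to surface.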
Slide 49: M.G.L. c. 93H 201 CMR 17.00 Details
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Slide 50: Compliance Deadline
Under the new deadline structure, the general compliance deadline for 201 CMR 17.00 has been extended to March 1, 2010.

Slide 51: 201 CMR 17.00: Enforcement
It is not yet clear how the state will approach enforcement initially, although in similar circumstances (including the passage of Chapter 93H itself), government officials have expressed a willingness to become increasingly stringent about enforcement with the passage of time. Businesses that miss the deadline or otherwise fall short of the standard set by the regulations will run a considerable and steadily increasing risk.
Slide 52: TBG Approach: Next Steps To Securing Your Business

Slide 53: Your Partner For Success
TBG Security consultants have years of experience helping customers comply with State and Federal business and privacy regulations. We are able to assist your organization with all aspects of compliance with these and other information security-related business regulations.

Slide 54: TBG Security Will Help By:
- Performing an audit to determine your current level of compliance with these new business regulations
- Creating a Comprehensive Information Security Policy
- Advising you on specific steps needed to achieve compliance
- Deploying and supporting security infrastructure to automatically encrypt email messages
- Performing initial setup and training on software to encrypt your laptops and other mobile devices
- Updating and supporting your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code
- Identifying and recommending remediation for vulnerabilities present in your systems

Slide 55: TBG Security Methodology
[Diagram: a four-phase cycle of Assessment, Design, Implementation, and Maintenance & Ongoing Compliance Monitoring]

Slide 56: Clients

Slide 57: Contact Info
Kevin Gorsline, VP Business Development
O: 877.223.6651 x707
C: 781.820.9032
E: kgorsline@tbgsec.com
TBG Security, 31 Hayward Rd, Franklin, MA 02038
www.tbgsec.com

Contenu connexe

Tendances

Tendances (20)

Cybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower ProtectionsCybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower Protections
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law
 
Safeguarding Consumers’ Financial Data 2014
Safeguarding Consumers’ Financial Data 2014Safeguarding Consumers’ Financial Data 2014
Safeguarding Consumers’ Financial Data 2014
 
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond ConfidentialityPrivacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach Overview
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Bootcamp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Bootcamp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Bootcamp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Bootcamp)
 
IIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationIIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private Information
 
Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final project
 
Cyber Threats and Insurance
Cyber Threats and InsuranceCyber Threats and Insurance
Cyber Threats and Insurance
 
201 CMR 17.00
201 CMR 17.00201 CMR 17.00
201 CMR 17.00
 
Hot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationHot Topics in Data Breach Litigation
Hot Topics in Data Breach Litigation
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident Simulation
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting   the impacts of gdprCognizant business consulting   the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
Cybersecurity & data privacy whistleblower incentives and protections
Cybersecurity & data privacy whistleblower incentives and protectionsCybersecurity & data privacy whistleblower incentives and protections
Cybersecurity & data privacy whistleblower incentives and protections
 
Key Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends ReportKey Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends Report
 
I D Theft Employee Presentation2
I D Theft Employee Presentation2I D Theft Employee Presentation2
I D Theft Employee Presentation2
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security:  What Every New Business Needs to KnowPrivacy and Information Security:  What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to Know
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law Center
 

Similaire à TBG Security Mgl93 H 201 CMR17.00 Compliance Service

employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
Paul Ferrillo
 
Data Breaches
Data BreachesData Breaches
Data Breaches
sstose
 

Similaire à TBG Security Mgl93 H 201 CMR17.00 Compliance Service (20)

Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data Breach
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
Employer 0409
Employer 0409Employer 0409
Employer 0409
 
National Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy AgendaNational Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy Agenda
 
Identity Theft Red Flags Rule for Business
Identity Theft Red Flags Rule for BusinessIdentity Theft Red Flags Rule for Business
Identity Theft Red Flags Rule for Business
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 
Legal issues of domain names & trademarks
Legal issues of domain names & trademarksLegal issues of domain names & trademarks
Legal issues of domain names & trademarks
 
Data Breaches
Data BreachesData Breaches
Data Breaches
 
Consumer financial protections
Consumer financial protectionsConsumer financial protections
Consumer financial protections
 
IDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By WrfIDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By Wrf
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
 
Cyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryCyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation Industry
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive Discussion
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 

TBG Security Mgl93 H 201 CMR17.00 Compliance Service

  • 1. How M.G.L. c. 93H and 201 CMR 17.00 Will Impact Your Business
  • 2. Enhance awareness of new Mass “Data Security Breach Laws and Regulations” Legal perspectives Practical Tools Technical Issues surrounding compliance Provide up to the minute updates on 201 CMR 17.00 2 Session Objectives
  • 4. $60 billion was lost and 35.6 million consumer records were exposed in 2008 due to data breaches and identity theft, a 47% increase over 2007, according to the Identity Theft Resource Center. The U.S. Department of Justice reports that identity theft has surpassed the illegal drug trade as the number one crime in the nation. 4 Identity Theft & Data Breach
  • 5. Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s (ITRC) 2008 breach report includes 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords. 5 Data Breaches 2008 – Global View
  • 7. Care to share? 7 Has Anyone Been A Victim Of Identity Theft?
  • 8. The Laws M.G.L. c 93H M.G.L c 93I 8
  • 9. M.G.L. c 93H Security Breaches M.G.L. c 93I Disposition & destruction of records Effective 2/3/08 9 The Laws
  • 10. M.G.L. 93H Security Breach 10
  • 11. Personal Information is defined as a Massachusetts resident's first and last name, or first initial and last name, along with one or more of the following: Social Security Number, driver's license number or state-issued identification card number, financial account number, or credit or debit card number. Therefore, Personal Information will frequently be included in financial records, employee and possibly candidate HR files, benefits files and certain consumer-related files. 11 What Is Personal Information?
  • 12. By statute a breach of security means: Unauthorized acquisition of unencrypted data, or encrypted electronic data along with confidential process or key, that may compromise the security, confidentiality, or integrity of personal information by a person or entity that creates a material risk of identity theft. What triggers a “notice requirement”? When an entity knows or has reason to know that personal information was acquired or used by an unauthorized person or for an unauthorized purpose. 12 What Is A Security Breach M.G.L. c 93H
  • 13. Notice must be provided to: Resident or residents affected Attorney General & Director of Consumer Affairs If so instructed, consumer reporting agencies and/or identified state agencies 13 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
  • 14. Notice to the resident shall include: Consumer’s right to obtain police report How to request a security freeze from consumer reporting agencies Necessary information to provide when requesting security freeze Any fees required to be paid to the consumer reporting agencies 14 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
  • 15. Notice to the Attorney General & Director of Consumer Affairs shall include: Nature of breach or unauthorized acquisition Number of residents affected Any steps taken by entity relating to the incident 15 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
  • 16. Method of notice: Notify by regular or electronic mail Substitute notice if electronic notice cost exceeds $250,000 Substitute notice is website, newspaper publication, or electronic mail blast Time of notice: As soon as practicable without delay No language about terms of days (although you cannot delay to benefit the company) 16 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
  • 17. Additional provisions: Firms that use personal information for benefit of another firm, must inform corporate clients Corporate clients who “own” the data must inform residents MA firms who suffer a breach affecting residents of other states must comply with that states’ law Firms outside MA who suffer a breach of MA residents must comply with MA notice laws 17 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
  • 18. M.G.L. 93I Disposal Of Personal Information 18
  • 19. Minimum standards for proper disposal of records containing personal information are: Paper documents must be redacted, burned, pulverized or shredded Electronic media are to be destroyed or erased 19 How To Dispose Of Records M.G.L. c 93I
  • 20. The Regulation 201 CMR 17.00 20
  • 21. In the twelve months following the enactment of M.G.L. 93H, the OCABR received reports of over 300 incidents that have compromised or threatened to compromise the personal information of over 600,000 Massachusetts residents. Sixty percent of the cases involved criminal and/or unauthorized acts, with a high frequency of laptops or hard-drives being stolen. The remainder of the breaches resulted from employee error or poor internal handling of sensitive information. Approximately 75% of the reported incidents involved data that was not encrypted or password-protected. 21 Background – OCABR Findings
  • 22. In October 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a comprehensive set of final regulations establishing standards for how ALL businesses protect and store personal information about a resident of Massachusetts, whether or not that business is based in Massachusetts. The original regulations were set to take effect on January 1, 2009; however, the deadline was extended to January 1, 2010 and on August 17th was extended again to March 1, 2010. 22 201 CMR 17.00 Summary
  • 23. Complying with 201 CMR 17.00 Who must comply and penalties for not doing so…. 23
  • 24. Every person that owns or licenses personal information about a resident of the Commonwealth of Massachusetts. OCABR defines “Owns or Licenses” to be: receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. Federally regulated financial and other entities are not exempt from MA law. 24 Who Must Comply With 201?
  • 25. 45 states, the District of Columbia, Puerto Rico and the US Virgin Islands have similar legislation, but the Massachusetts law is the most rigid. 25 Is Massachusetts the Only State with Such a Law?
  • 26. A civil penalty of $5,000 may be levied for each violation of M.G.L. 93H / 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal. Failure to comply with Chapter 93H or 93I may subject the offender to a suit by the Attorney General under Chapter 93A, the consumer protection law. Violations may mean triple damages, as well as attorneys’ fees and legal costs. Penalties for Non-Compliance
  • 27. There are many additional business impacts, including: Costs associated with legal actions: Legal battles with issuing banks Lawsuits from states and the FTC Class-action lawsuits from consumers Brand impact resulting in loss of consumer and stockholder confidence Impact to customer relationships, possibly resulting in a loss of business Increased oversight internally and from external entities Public relations costs 27 Consequences of Compromise
  • 28. In addition to the penalties levied by the state you must also consider the actual costs of a data breach. The following items should be considered in calculating costs. Costs
  • 29. Companies experiencing a data breach spent an average of $14 million on recovery costs, including unbudgeted spending for outside legal counsel, mail notification letters, calls to individual customers, increased call center support and discounted product offers. Even more significantly, businesses that experience a data breach lose an average of 2.6% of their total customer base. Costs
  • 30. In 2007 lost business was 54 percent of data breach costs. A poll of more than 2,000 North American and European consumers conducted by Opinion Research Corporation found that 59% of consumers would either strongly consider or definitely take their business elsewhere if their personal information was compromised. The real punishment is brand diminishment Costs to Brand Integrity
  • 31. Media coverage of security breaches is also affecting brand integrity. According to Factiva, media coverage of companies that suffered a security breach accounted for more than half the stories written about those companies. Brand Diminishment
  • 32. Most significantly, an Emory University study recently confirmed that security breach events directly affect stock performance. When such events are reported, companies lose an average of 0.63% to 2.1% value in stock price – equivalent to a loss in market capitalization of $860 million to $1.65 billion per incident!(7) Brand Diminishment
  • 33. Most business owners are unaware of how Information Security lapses can negate their coverage entirely. This gap in coverage has the ability to put your company out of business. Failure to follow or document due care and due diligence is evidence of negligent behavior. Will my Business Insurance cover this?
  • 34. Your ability to show documentation that your business is doing what is required will mean the difference between having insurance cover the costs of a data breach and going bankrupt from having to pay out-of-pocket costs. Will my Business Insurance cover this?
  • 35. According to Joel Winston of the FTC, the commission is currently filing cases against companies that do not use reasonable measures to secure private data. The FTC is employing numerous strategies to get the message to the business community about the importance of protecting consumers’ private information and preventing identity theft. 35 FTC and Privacy Protection
  • 36. 201 CMR 17.00 The Regulation 36
  • 37. The Massachusetts regulation imposes a duty to protect personal information and provides administrative standards as well as computer security requirements. Administratively, each entity holding personal information is required to enact a Comprehensive Information Security Program (CISP) compliant with the regulations. 37 201 CMR 17.00
  • 38. The minimum requirements for an information security program are broken down into two main categories: requirements applicable to personal information generally and requirements applicable to personal information in electronic form. 38 201 CMR 17.00 - Overview
  • 39. All comprehensive information security programs must include the following: Designated employee. Identify risks. Off-premises access practice. Disciplinary measures. Terminated employee policy. Third-party service providers policy. Limited access. Physical access. Review of information security program. Addressing data incidents. 39 Requirements Applicable To Personal Information Generally
  • 40. All information security programs must include the following, as it relates to electronic personal information: User authentication protocols. Authentication must involve: the control of user IDs, use of passwords, control of password data, restricting access to active users on active accounts, and blocking access after multiple incorrect login attempts. Secure access control measures. Encryption of transmitted records. Monitoring of systems. Laptop encryption. Security patches and firewall protection. Anti-virus software. Education and training. 40 Requirements Applicable To Personal Information In Electronic Form
  • 41. Develop a security program, designate an employee to manage it, and discipline employee violators; Assess internal and external security risks and the effectiveness of current safeguards, upgrading as necessary; Train employees regarding security; Institute security policies for employees that meet certain specified standards; Prevent terminated employees from gaining access to personal information;   41 Comprehensive Information Security Program Requirements (CISP)
  • 42. Ensure that service providers are capable of protecting personal information. Limit the amount of personal information collected, how long it is kept, and restrict access on a need-to-know basis; Identify records containing personal information, or treat all records as if they did; Regularly monitor employee access to personal information; Review security measures annually, take corrective action when necessary and document action taken in response to security breaches; and Restrict physical access to records containing personal information. 42 Comprehensive Information Security Program Requirements (CISP)
  • 43. Establish user authentication protocols that include control of user IDs and a secure method of assigning passwords (including prohibiting use of vendor-supplied default passwords) or other unique identifiers such as token devices; Make sure password location does not compromise the security of the data it protects, restrict access to active users only and block access after multiple unsuccessful attempts;   Restrict access to personal information on a need-to-know basis;  Periodic system monitoring for signs of unauthorized use or access;  Reasonably up-to-date malware protection and virus definitions. 43 Additional Elements for Electronic Records
  • 44. M.G.L. c. 93H 201 CMR 17.00 The Details 44
  • 45. Every comprehensive information security program shall include, but shall not be limited to: Designating one or more employees to maintain the comprehensive information security program; Identifying and assessing reasonably foreseeable internal and external risks to the security. Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records. Imposing disciplinary measures for violations of the comprehensive information security program rules. Preventing terminated employees from accessing records containing personal information. Taking all reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information. 45 M.G.L. c. 93H 201 CMR 17.00 Details
  • 46. Limiting the amount of personal information collected. Reasonable restrictions upon physical access to records containing personal information. Regular monitoring to ensure that the comprehensive information security program is operating. Reviewing the scope of the security measures at least annually. Documenting responsive actions taken in connection with any incident involving a breach of security. 46 M.G.L. c. 93H 201 CMR 17.00 Details
  • 47. Computer System Security Requirements: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements: Secure user authentication protocols including: control of user IDs and other identifiers; a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; restricting access to active users and active user accounts only; and blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system; 47 M.G.L. c. 93H 201 CMR 17.00 Details
  • 48. Secure access control measures that: restrict access to records and files containing personal information to those who need such information to perform their job duties; and assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls; Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. Reasonable monitoring of systems, for unauthorized use of or access to personal information. Encryption of all personal information stored on laptops or other portable devices. 48 M.G.L. c. 93H 201 CMR 17.00 Details
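One way to put the secure user authentication and access control elements from slides 47 and 48 into code, as an added example that is not part of the presentation and not TBG Security's code: a small account store that keeps password data only in derived form, rejects vendor-supplied default passwords, restricts access to active accounts, and blocks access after repeated failed attempts. The lockout threshold, the 12-character minimum and the list of vendor defaults are assumed policy values, not figures from the regulation.

```python
"""Added example (constructed demo, not the regulation's text or TBG Security
code): an account store implementing the user-authentication elements listed
on the slides above for 201 CMR 17.00."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5                                  # assumed lockout threshold
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default"}  # constructed list

@dataclass
class Account:
    user_id: str            # control of user IDs: one identifier per person
    salt: bytes
    pw_hash: bytes          # password data kept only in derived form
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the stored password data does not compromise the
    # data it protects if the store itself is copied.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def create(self, user_id: str, password: str) -> Account:
        # Reasonably secure method of selecting passwords: reject vendor-supplied
        # defaults and short secrets (12-character floor is an assumed policy).
        if password.lower() in VENDOR_DEFAULTS or len(password) < 12:
            raise ValueError("password rejected: vendor default or too short")
        salt = os.urandom(16)
        acct = Account(user_id, salt, _derive(password, salt))
        self._accounts[user_id] = acct
        return acct

    def deactivate(self, user_id: str) -> None:
        # Terminated employee: the account stays on record but is no longer active.
        self._accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None or not acct.active or acct.locked:
            return False                 # active users and active accounts only
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True           # block access after repeated failures
        return False
```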
  • 49. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.  Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. Education and training of employees on the proper use of the computer security system and the importance of personal information security. 49 M.G.L. c. 93H 201 CMR 17.00 Details
  • 50. Under the new deadline structure: The general compliance deadline for 201 CMR 17.00 has been extended to March 1, 2010. 50 Compliance Deadline
  • 51. It is not yet clear how the state will approach enforcement initially, although in similar circumstances (including the passage of Chapter 93H itself), government officials have expressed a willingness to become increasingly stringent about enforcement with the passage of time. Businesses that miss the deadline or otherwise fall short of the standard set by the regulations will run a considerable and steadily increasing risk. 51 201 CMR 17.00: Enforcement
  • 52. TBG Approach Next Steps To Securing Your Business 52
  • 53. TBG Security consultants have years of experience helping customers comply with State and Federal business and privacy regulations. We are able to assist your organization with all aspects of compliance with these and other information security-related business regulations. 53 Your Partner For Success
  • 54. Performing an audit to determine your current level of compliance with these new business regulations Creating a Comprehensive Information Security Policy Advising you on specific steps needed to achieve compliance Deploying and supporting security infrastructure to automatically encrypt email messages Performing initial setup and training on software to encrypt your laptops and other mobile devices Updating and supporting your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code Identifying and recommending remediation for vulnerabilities present in your systems 54 TBG Security Will Help By..
  • 55. TBG Security Methodology (four-phase cycle diagram): Assessment, Maintenance & Ongoing Compliance Monitoring, Implementation, Design 55 TBG Methodology
  • 57. Kevin Gorsline VP Business Development O: 877.223.6651 X 707 C: 781.820.9032 E: kgorsline@tbgsec.com TBG Security 31 Hayward Rd Franklin, MA 02038 www.tbgsec.com Contact Info 57