Is your company in compliance with state law?
In the past 10 years, over 10,000 new regulations have been placed on the books by local, state, and federal agencies pertaining to the handling, storage, and disposal of confidential client, patient, and employee documents and information. For example, Massachusetts recently enacted one of these privacy laws (201 CMR 17.00) and requires anyone who owns or licenses personal information about a Massachusetts resident, whether or not they are located in that state, to comply by March 1, 2010. The regulation sets standards for protecting and storing personal information about Massachusetts residents in paper or electronic form. Put simply, ANY company that holds Social Security numbers (your own employees' Social Security numbers count), credit card numbers, or financial account information needs to comply with these regulations, and the fines for failing to do so can be hefty.
In 2007, the Oregon legislature passed the Oregon Consumer Identity Theft Protection Act, which gave consumers more tools to protect themselves against identity theft. As in Massachusetts, Oregon businesses and government agencies now have clear direction and expectations for safeguarding the personal identifying information they maintain. Personal information is defined as a person's name used in combination with a Social Security number, an Oregon driver's license number, financial account information (credit or debit card numbers), or a password or security code that would give someone access to a financial account.
A security plan is required by the State of Oregon for all businesses...
A security plan includes administrative, technical, and physical safeguards. Administrative safeguards include identifying what personal information you keep and how you protect it, training employees in your security program's practices and procedures, and ensuring that contracted service providers can supply and maintain systems that protect sensitive information.
Technical safeguards include assessing the security risks in your computer network, including detecting, preventing, and responding to cyber attacks, and having a backup system in place so you can quickly recover your files after a disaster or system failure. A backup you have never restored from is an assumption, not a safeguard, so test the restore process as well.
Physical safeguards include protecting against unauthorized access to or use of personal identifying information, and disposing of information that is no longer needed by shredding or burning paper records and erasing electronic data so that it is unreadable and cannot be reconstructed.
Here are some suggestions to help your business meet some of the requirements. Begin by identifying the computers or servers where personal information is stored, along with every connection to those computers. These include the Internet, computers at your branch offices, computers used by service providers to support your network, and wireless and portable devices such as inventory scanners, cell phones, laptop computers, and PDAs.
Do not store sensitive consumer data on any computer with an Internet connection unless it is essential for conducting business. Encrypt the information you send to third parties over the Internet, and consider encrypting sensitive information stored on your computer network or on portable storage devices; a lost laptop or USB drive holding encrypted data is a far smaller problem than one holding plaintext.
Scan the computers on your network regularly to identify the operating system and open network services on each one. If you find services you do not need, disable them; every unnecessary listening service is one more way in for an attacker. Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks.
Maintain central log files of security-related events so you can monitor activity on your network. Collected in one place, the logs let you identify which computers have been compromised even if the attacker has cleaned up on the machine itself. Monitor incoming traffic for signs that someone is trying to break in: activity from new users, repeated failed log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of day. Monitor outgoing traffic for signs of a data breach: watch for unexpectedly large amounts of data being sent from your systems to an unknown destination, and investigate any such transfer to confirm it was authorized.
Before you outsource any business function, such as payroll, web hosting, or data processing, investigate the provider's data security practices, compare their standards to yours, and if possible visit their facilities.
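The following is an added example of the kind of log review described above; it is written for this page and is not a Portland Managed Services tool or code from the original article. It parses a handful of constructed sshd-style log lines and outbound flow records (the host names, IP addresses, byte counts, business hours and thresholds are all assumptions chosen for illustration) and applies three of the checks above: repeated failed log-ins from one source, successful log-ins from computers you do not recognise or outside business hours, and large outbound transfers to unknown destinations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog/sshd style). Not from any real system.
SAMPLE_AUTH_LOG = """\
Mar 12 02:14:01 fileserver sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 02:14:03 fileserver sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 02:14:05 fileserver sshd[2311]: Failed password for invalid user oracle from 203.0.113.45 port 51024 ssh2
Mar 12 02:14:07 fileserver sshd[2311]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 12 02:14:09 fileserver sshd[2311]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 12 09:02:11 fileserver sshd[2398]: Accepted password for jsmith from 192.168.1.20 port 50111 ssh2
Mar 12 09:30:44 fileserver sshd[2402]: Failed password for jsmith from 192.168.1.20 port 50140 ssh2
Mar 12 09:30:50 fileserver sshd[2402]: Accepted password for jsmith from 192.168.1.20 port 50141 ssh2
Mar 12 23:41:02 fileserver sshd[2455]: Accepted publickey for backup from 198.51.100.7 port 40012 ssh2
"""

# Constructed outbound transfer summaries, as a flow log or firewall report might give them.
SAMPLE_FLOWS = [
    {"src": "fileserver", "dst": "198.51.100.7", "bytes": 52_000_000, "hour": 23},   # nightly backup
    {"src": "workstation12", "dst": "203.0.113.99", "bytes": 1_850_000_000, "hour": 3},
    {"src": "workstation12", "dst": "192.0.2.10", "bytes": 120_000, "hour": 10},
]

# Assumed inventory: the office LAN address you expect staff to log in from,
# and the contracted backup provider you expect large transfers to go to.
KNOWN_SOURCES = {"192.168.1.20"}
KNOWN_DESTINATIONS = {"198.51.100.7"}

AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2010):
    """Turn sshd log lines into event dicts; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # lines from other daemons are ignored in this example
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Flag any source with >= threshold failed log-ins inside a sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "failures": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per source is enough
    return alerts


def detect_logins_from_unknown_sources(events, known_sources):
    """Successful log-ins from a computer not in your inventory deserve a look."""
    return [e for e in events if e["result"] == "Accepted" and e["src"] not in known_sources]


def detect_off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful log-ins outside assumed business hours (07:00 to 19:00)."""
    return [e for e in events
            if e["result"] == "Accepted" and not (start_hour <= e["ts"].hour < end_hour)]


def detect_large_outbound(flows, known_destinations, byte_threshold=500_000_000):
    """Large transfers to a destination you have no business relationship with."""
    return [f for f in flows
            if f["bytes"] > byte_threshold and f["dst"] not in known_destinations]


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    for a in detect_brute_force(evts):
        print(f"BRUTE FORCE: {a['failures']} failures from {a['src']} between {a['first']} and {a['last']}")
    for e in detect_logins_from_unknown_sources(evts, KNOWN_SOURCES):
        print(f"UNKNOWN SOURCE: {e['user']} logged in from {e['src']} at {e['ts']}")
    for e in detect_off_hours_logins(evts):
        print(f"OFF HOURS: {e['user']} logged in from {e['src']} at {e['ts']}")
    for f in detect_large_outbound(SAMPLE_FLOWS, KNOWN_DESTINATIONS):
        print(f"LARGE OUTBOUND: {f['src']} sent {f['bytes']:,} bytes to {f['dst']} at hour {f['hour']}")
```

On the sample data the script reports the 02:14 password-guessing run from 203.0.113.45, the 23:41 "backup" log-in from an address outside the known list, and the 1.85 GB transfer from workstation12 to an unknown address at 03:00, while the nightly backup to the contracted provider stays quiet. The thresholds and the known-host lists are the part you must tune to your own network; the value of central logging is that all of these checks run against one copy of the data rather than against each machine separately.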
Portland Managed Services can help you meet these requirements. The first step is for us to conduct a system security review, which will alert you to any unauthorized users, open ports, viruses, spyware, and more. There is no charge or obligation for this review, but we need time to work it into our schedule, so the earlier you call to set up a time, the better. Give us a call at 503-241-2499.