Tuesday, October 9, 2007

Response to our posting yesterday on the change of the law in Connecticut

Here's a response we just received to our posting on the new law in Connecticut (see posting dated 08Oct07):

Hi Marc,
Thanks for the update on the new bill. I printed it off and will review it to make sure we are covered. I believe we are doing most of the suggestions already. Your blog is great.
SC

That's EXACTLY the type of response that makes us feel this blog is worthwhile: helping one client at a time...

Please tell others about this law. It affects all of us in one way or another and other states are adding the law to their books.

If anyone has a question about best practices, please contact us for a no-obligation phone consultation.

Monday, October 8, 2007

The law in Connecticut has changed

Public service announcement to my Connecticut clients:
Connecticut Substitute Bill 1089 was enacted as of 01Oct07. It places the onus on each merchant, organization, or company to:
  • disclose any breach of personal financial data originating from your location to the authorities without unreasonable delay;
  • accept that the party suffering the breach shall be liable to a bank whose customers' personal financial data was compromised for any costs incurred to protect their financial interests, including:
    – cancelling credit or debit cards or accounts,
    – closing any account or blocking any transactions,
    – opening or reopening any accounts,
    – refunding any account,
    – any assistance to customers.

(highlighting added for emphasis)

HOW DO YOU KEEP THIS FROM HAPPENING TO YOU?

By adopting the credit card payment industry's PCI DSS (Payment Card Industry Data Security Standard) compliance requirements, you can make strides towards protecting yourself from this liability:

1. Install and maintain a firewall configuration on any computer, to protect cardholder data. Firewalls are easy to get and free.

2. Do not use vendor-supplied defaults for system passwords and other security passwords: change them and make them as difficult as possible to guess or steal.

3. Protect stored cardholder data: lock up any receipts or paperwork that contain full credit card numbers, names, addresses, etc. When no longer needed, shred it!

4. Encrypt transmission of cardholder data across open, public networks. Do not email this data under any circumstances.

5. Use and regularly update anti-virus software. This is obvious.

6. Develop and maintain secure systems and applications: document the security methods and stick to them.

7. Restrict access to cardholder data by business need-to-know: do not trust employees, in-house volunteers or temp workers with access to this information!

8. Assign a unique ID to each person with computer access. Each employee should get their own ID and password so you can trace who accessed this data if you ever have to.

9. Restrict physical access to cardholder data: lock it up or shred it.

10. Track and monitor all access to network resources and cardholder data. Again, be careful and question anything that looks suspicious. If you have a breach of security, the sooner you act on it, the better!

11. Regularly test security systems and processes. This helps protect you; set a schedule to do this NOW so you do not forget.

12. Maintain a policy that addresses information security: write it down, and have your employees read and agree to it.


While these steps will not completely protect you (nothing will), heightened awareness of the need to maintain the security of personal financial data, together with documentation of the precautions you have taken, will help avert the serious financial penalties you might otherwise face.

If you have any questions, please let us know.