Analysis: Massachusetts Breach Law

This is an analysis of the Massachusetts data breach notification law.

Transcript

  • 1. The Massachusetts Breach Law A legal, policy, and technical analysis (c) 2009 Alina J. Johnson
  • 2. Overview
    • Rationale: the development of information law
    • Public interests and other stakeholders
    • Competing frameworks
    • Information rights
    • Ownership and Control
    • Expectations in the digital age
    • Rights, roles, and responsibilities
    • Limited government interference
    • Suggested approaches, amendments, revisions, and reform
  • 3. Rationale
    • Historical significance: SB 1386 (CA)
    • The evolution of cybercrime: impact and effects
    • Current MA legislation: 201 CMR 17.00: M.G.L. c93H
    • Move towards security, away from privacy: need for balance
  • 4. Identity theft, Data breach, and Information security (Computer Incident laws of the commonwealth of Massachusetts)
    • Two statutes
      – Chapter 266 (Crimes Against Property), Section 37E: Use of personal identification of another; identity fraud; penalty; restitution
      – Chapter 82 of the Acts of 2007: An Act Relative to Security Freezes and Notification of Data Breaches
    • Two regulations
      – 201 CMR 16.00: Placing, Lifting and Removal of Security Freezes
      – 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
    • Executive Order 504: Order Regarding the Security and Confidentiality of Personal Information
  • 5. Public Interests and Other Stakeholders
    • National/Federal law
    • Statutory law
    • Ordinances, rules, regulations, guidelines, and best practices in both private and public sector organizations
    • Roles and responsibilities: the role of “YOU” in InfoSec
  • 6. Competing Frameworks
    • Technical: Security is left to the IT department... until there is a problem
    • Legal: Compliance and enforcement are confusing as proliferation increases the number of players
    • Economic: Demand increases for accountability, oversight, and transparency while viable supply options wane
    • Social: Networking sites draft their own policies; no uniformity or guidelines to follow
  • 7. Information Rights
    • Currently, organizations follow the law... but then there is the third-party (affiliate)
    • The third-party typically plays the role of the “elephant in the room”: no one knows what to expect when an emergency occurs
    • Legally, there is no expectation of privacy with third-parties
  • 8. Ownership and Control
    • Information rights of the user should be defined
    • Information usage should be defined by the user, not the organization
    • Accountability, oversight, and transparency should be employed throughout
    • Privacy and security should be weighed carefully so that one does not imbalance the other
  • 9. Expectations
    • Consumers
      – Any and all agreements (licenses or contracts) should reflect an awareness of information rights and usage to protect the consumer at all times - under any and all circumstances
    • Organizations
      – Terms of use, terms of service, and end user license agreements should form a barrier protection against the risk of the third-party affiliate
  • 10. Rights, Roles, and Responsibilities The three R's should be evenly distributed among the stakeholders with an emphasis on individual rights of the consumer and the right to control the flow of information in offline and online environments
  • 11. Rights, roles, and responsibilities
    • Consumer: as owner of the information, the right of control must be protected
    • Organization: as data steward, must be accountable, responsible, and compliant with the law. It holds accountability, responsibility, and obligation to the consumer, as it has been entrusted with sensitive information; it must protect itself from harm by explicit written agreements that do no harm to the consumer
    • Government: as public steward, it must protect the interests of both industry and consumer in the broadest means possible
  • 12. Limited government interference
    • The government should not interfere with the rights of consumers or companies in developing appropriate best practices with respect to information rights and usage
    • Voluntarily submitted information is especially sensitive, so it should incur special enhanced protections
  • 13. Suggestions
    • Limitations of information usage should be imposed on terms of use, terms of service, and end user license agreements to protect the consumer
    • Consumers should be granted enhanced rights to protect their personally identifiable information (PII), as well as voluntarily submitted information, as there is an expectation of privacy and security in that submission
    (c) 2009 – Alina J. Johnson
  • 14. Final Thoughts
    • The “new” ROI:
      – RESULTS
      – OUTCOMES
      – IMPACT
  • 15. Final Thought The status quo is no longer acceptable in the digital age as consumers, organizations, and governments are more informed than ever before - Alina J. Johnson (c) 2009 Alina J. Johnson, MSI