The Massachusetts Breach Law
A legal, policy, and technical analysis
(c) 2009 Alina J. Johnson
This is an analysis of the Massachusetts data breach notification law.
Transcript of "Analysis: Massachusetts Breach Law"

1. The Massachusetts Breach Law
   A legal, policy, and technical analysis
   (c) 2009 Alina J. Johnson

2. Overview
   • Rationale: the development of information law
   • Public interests and other stakeholders
   • Competing frameworks
   • Information rights
   • Ownership and control
   • Expectations in the digital age
   • Rights, roles, and responsibilities
   • Limited government interference
   • Suggested approaches, amendments, revisions, and reform

3. Rationale
   • Historical significance: SB 1386 (CA)
   • The evolution of cybercrime: impact and effects
   • Current MA legislation: 201 CMR 17.00; M.G.L. c. 93H
   • Move towards security – away from privacy: need for balance

4. Identity theft, Data breach, and Information security
   Massachusetts
   • Two statutes
     – Chapter 266, Section 37E (Chapter 266: Crimes Against Property; Section 37E: Use of personal identification of another; identity fraud; penalty; restitution)
     – Chapter 82 of the Acts of 2007: An Act Relative to Security Freezes and Notification of Data Breaches
   • Two regulations
     – 201 CMR 16.00: Placing, Lifting and Removal of Security Freezes
     – 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
   • Executive Order 504: Order Regarding the Security and Confidentiality of Personal Information
   • Computer incident laws of the Commonwealth of Massachusetts

5. Public Interests and Other Stakeholders
   • National/Federal law
   • Statutory law
   • Ordinances, rules, regulations, guidelines, and best practices in both private and public sector organizations
   • Roles and responsibilities: the role of “YOU” in InfoSec

6. Competing Frameworks
   • Technical: Security is left to the IT department... until there is a problem
   • Legal: Compliance and enforcement are confusing as proliferation increases the number of players
   • Economic: Demand increases for accountability, oversight, and transparency while viable supply options wane
   • Social: Networking sites draft their own policies; no uniformity or guidelines to follow

7. Information Rights
   • Currently, organizations follow the law... but then there is the third party (affiliate)
   • The third party typically plays the role of the “elephant in the room”: no one knows what to expect when an emergency occurs
   • Legally, there is no expectation of privacy with third parties

8. Ownership and Control
   • Information rights of the user should be defined
   • Information usage should be defined by the user, not the organization
   • Accountability, oversight, and transparency should be employed throughout
   • Privacy and security should be weighed carefully so that one does not imbalance the other

9. Expectations
   • Consumers
     – Any and all agreements (licenses or contracts) should reflect an awareness of information rights and usage to protect the consumer at all times, under any and all circumstances
   • Organizations
     – Terms of use, terms of service, and end user license agreements should form a barrier of protection against the risk of the third-party affiliate

10. Rights, Roles, and Responsibilities
   The three R's should be evenly distributed among the stakeholders, with an emphasis on the individual rights of the consumer and the right to control the flow of information in offline and online environments.

11. Rights, roles, and responsibilities
   • Consumer: as owner of the information, the right of control must be protected
   • Organization: as data steward, must be accountable, responsible, and compliant with the law. Holds accountability, responsibility, and obligation to the consumer, as it has been entrusted with sensitive information; it must protect itself from harm by explicit written agreements that do no harm to the consumer
   • Government: as public steward, it must protect the interests of both industry and consumer in the broadest means possible

12. Limited government interference
   • The government should not interfere with the rights of consumers or companies in developing appropriate best practices with respect to information rights and usage
   • Voluntarily submitted information is especially sensitive, so it should incur special enhanced protections

13. Suggestions
   • Limitations on information usage should be imposed on terms of use, terms of service, and end user license agreements to protect the consumer
   • Consumers should be granted enhanced rights to protect their personally identifiable information (PII), as well as voluntarily submitted information, as there is an expectation of privacy and security in that submission
   (c) 2009 – Alina J. Johnson

14. Final Thoughts
   • The “new” ROI:
     – RESULTS
     – OUTCOMES
     – IMPACT

15. Final Thought
   The status quo is no longer acceptable in the digital age, as consumers, organizations, and governments are more informed than ever before.
   - Alina J. Johnson
   (c) 2009 Alina J. Johnson, MSI