Massachusetts New Data Security Law

Presented by

Bill Minahan, aNetworks, Inc., Hingham, MA
Mark Rogers, Esq., The Rogers Law Firm, Braintree, MA
Massachusetts New Data Security Law

Goals of Today’s Presentation

  – Overview of Massachusetts new data security law and associated regulations

  – Overview of the Federal Red Flags Rule

  – Guidance on complying with these new laws
Two Questions

   1. Why Massachusetts?

   2. Why now?
Answer: TJX
TJX Data Breach

  – “Unauthorized intrusion” affects over 100 million accounts

  – TJX set aside $256 million for costs associated with the breach
Massachusetts responds

  – “An Act Relative to Security Freezes and Notification of Data Breaches” (Effective: February 3, 2008)

  – “Standards for the Protection of Personal Information of Residents of the Commonwealth” (Effective: January 1, 2010)
An Act Relative to Security Freezes and Notification of Data Breaches

3 areas addressed by the law

  1. Security Freezes

  2. Notice of a Security Breach (M.G.L. c. 93H)

  3. Data Destruction (M.G.L. c. 93I)
“Personal Information”

  Resident’s first name + last name, or first initial + last name, with 1 or more of the following:
    • Social Security #
    • Driver’s license # or state-issued ID card #
    • Financial account # or credit or debit card #
Notice

  A person or business that maintains or stores personal information about a resident of the Commonwealth
  → must provide notice to the owner or licensor of such information, if they know or have reason to believe that:
     1. There is a breach of security; or
     2. the personal information was acquired or used by an unauthorized person or used for an unauthorized purpose
Notice

  A person or business that owns or licenses personal information about a resident of the Commonwealth
  → must provide notice to the resident, the Attorney General, and the Director of Consumer Affairs and Business Regulation if the person knows or has reason to know that there was:
     1. a breach of security; or
     2. the personal information was acquired or used by an unauthorized person, or used for an unauthorized purpose
2 Important Definitions

  1. “Breach of Security”
     The unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information maintained by a person or business, and that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth.
  2. “Notice”
     Written notice
     Electronic notice
     “Substitute notice”
What should be in the “Notice”?

  – Consumer’s right to obtain a police report
  – How a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze
  – Any fees to be paid to any of the consumer reporting agencies
Data Destruction

  – When disposing of records…
     (a) Paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot be read or reconstructed
     (b) Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed
Penalties
• Notice Violation
  → Chapter 93A liability (triple damages, costs, and attorneys’ fees)

• Data Destruction Violation
  → Chapter 93A liability and a civil fine of not more than $100 per data subject with a maximum fine of $50,000 for each instance of improper disposal
Standards for the Protection of Personal Information of Residents of the Commonwealth

  Massachusetts Data Security Law
                 ↓
  Requires the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) to adopt regulations designed to safeguard the personal information about residents of the Commonwealth
• Issued: September, 2008

• Effective: January 1, 2009

• Delayed to: May 1, 2009

• Delayed to: January 1, 2010
Two Primary Components:

  1. Development of a comprehensive written information security program

  2. For persons that electronically store or transmit personal information, the establishment and maintenance of a security system covering its computers, including a wireless system
Comprehensive Written Information Security Program

  • Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.
• Every comprehensive written information security program shall include, at least, the following:

  – Designating 1 or more employees to maintain the program

  – Identifying and assessing reasonably foreseeable internal and external risks to security, confidentiality and integrity of records, to include:
      • ongoing employee training
      • employee compliance with policies
      • means of detecting and preventing system failures
      • developing security policies for employees
  – Imposing disciplinary measures

  – Preventing terminated employees from accessing records

  – Verifying that your vendors and service providers have the capacity to protect personal information

  – Limiting the amount of personal information collected

  – Identifying records and devices which contain personal information

  – Reasonable restrictions upon physical access to records containing personal information
  – Regular monitoring to ensure the program operates in a manner calculated to prevent unauthorized access to or use of personal information

  – Review of the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information

  – Documentation of responsive actions taken in connection with any incident involving a breach of security
Computer System Security Requirements

  – Every person that electronically stores or transmits personal information shall include in its written comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, including, at a minimum, the following elements:
Secure user authentication protocols, including:

  – Control of user IDs and other identifiers

  – Secure method of assigning and selecting passwords (or use of unique identifier technologies)
If you recognize your password here, you may as well hand over your wallet or purse to the first person you see on the street.

  • password
  • 123456
  • qwerty
  • abc123
  • letmein
  • monkey
  • myspace1
  • password1
  • blink182
  • (your first name)

Source: http://www.pctools.com/guides/password/
• Control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect

  – Memorize your password

  – Do NOT share your password

  – If you must write it down, record it safely
  – Restrict access to active users and active user accounts only; and

  – Blocking access to user identification after multiple unsuccessful attempts to gain access;
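Taken together, the authentication requirements on this and the preceding slides (control of user IDs, a secure method of selecting passwords, the weak-password list, active accounts only, lockout after repeated failures) describe a login path like the one below. This is an added illustration with constructed accounts and a constructed attempt sequence, not code from the presentation or from either presenter; the lockout threshold and window are assumptions, since the slide only says “multiple” attempts.

```python
"""Account lockout and password-selection checks modelled on the computer
system security requirements discussed in the slides: active accounts only,
lockout after repeated failures, and rejection of well-known weak passwords.
Added illustration with constructed data; not code from the presentation."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os

# Assumed policy values: the slide says "multiple unsuccessful attempts"
# without giving a number or a lockout duration.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000

# The weak passwords listed on the slide (the slide cites pctools.com for them),
# compared case-insensitively.
WEAK_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "abc123", "letmein",
    "monkey", "myspace1", "password1", "blink182",
})


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_is_acceptable(password: str, first_name: str) -> bool:
    """Reject the slide's weak list, the user's own first name, and short strings.
    The 12-character minimum is an assumption, not a figure from the slides."""
    lowered = password.lower()
    if len(password) < 12:
        return False
    if lowered in WEAK_PASSWORDS:
        return False
    if first_name and first_name.lower() in lowered:
        return False
    return True


@dataclass
class Account:
    user_id: str
    first_name: str
    active: bool = True                    # False once the user is terminated
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    failed_attempts: int = 0
    locked_until: float = 0.0              # epoch seconds; 0 means not locked

    def set_password(self, password: str) -> None:
        if not password_is_acceptable(password, self.first_name):
            raise ValueError("password rejected by policy")
        self.pw_hash = _hash_password(password, self.salt)


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Return one of: 'ok', 'inactive', 'locked', 'bad_password'."""
    if not acct.active:
        return "inactive"                  # deactivated accounts never get in
    if now < acct.locked_until:
        return "locked"                    # still inside the lockout window
    supplied = _hash_password(password, acct.salt)
    if hmac.compare_digest(supplied, acct.pw_hash):
        acct.failed_attempts = 0           # a good login resets the counter
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
    return "bad_password"


def demo() -> list:
    """Constructed scenario: five bad guesses lock the account, so even the
    correct password is refused until the lockout window has passed."""
    bob = Account("bob", "Bob")
    bob.set_password("correct horse battery staple")   # constructed secret
    results = []
    for i in range(MAX_FAILED_ATTEMPTS):
        results.append(attempt_login(bob, "password1", now=100.0 + i))
    results.append(attempt_login(bob, "correct horse battery staple", now=200.0))
    results.append(attempt_login(bob, "correct horse battery staple",
                                 now=200.0 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(demo())
```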
Secure access control measures that

  • Restrict access to records and files containing personal information to those who need information to perform their job duties

  • Assign unique identifications plus passwords to each person with computer access
Encryption

  All transmitted records and files containing personal information that will travel across public networks

  All data containing personal information to be transmitted wirelessly
  Reasonable monitoring of systems for unauthorized use of, or access to, personal information

  Encryption of all personal information stored on laptops or other portable devices
Example #1

Bob is a SMB Executive. He forgets his laptop in a cab.
  Laptop has ‘BIOS’ password before booting
  It also has username and ‘strong password’
  Bob is annoyed at loss of laptop, but feels safe about privacy of his data… is he right?
Bob is Wrong!
  Physical access to a computer almost guarantees any hacker will get to your unencrypted data.
  Does not require a highly sophisticated attacker.
  Up-to-date firewall protection and operating system security patches for systems connected to the internet
Up-to-date versions of system security agent software

  • with malware protection

  • reasonably up-to-date patches and virus definitions
Example #2

Senior Executive for CPA Firm ‘does not like the Antivirus program’
  Removes it and installs one of his preference
  SE is happy, company is unaware
  New program fails to update
  User’s PC is infected
  Main company server is hacked
Example #3

A company with an active e-commerce site
  Server is behind a firewall
  Website uses SSL encryption for all data transmissions
  SSL, and ONLY SSL, is allowed from the Internet into this server
  Bob feels good about his server
Bob is Wrong Again!
  Bob’s hacked computer (Example #2) can serve as launch pad for attack against server; other attacks exist that exploit OS vulnerabilities directly
  Data should be separated
  Data should be encrypted!
Example #4

Bob is very conscious of his company’s data, so Bob makes sure everything is backed up daily
  To protect against disaster, Bob diligently manages several weeks’ worth of tape sets
  Bob takes one set of tapes to his own house and stores them in his basement.
  Bob’s home is broken into…
  Education and training of employees on the proper use of the computer security system and the importance of personal information security
A determination as to whether the comprehensive written information security program is in compliance with the Regulations will take into account the following:

  – Size, scope and type of business

  – Amount of resources available

  – Amount of stored data

  – Need for security and confidentiality of both consumer and employee information
• Penalties

  – Chapter 93A liability
     • triple damages
     • costs
     • attorneys’ fees
Applicability of other State and Federal Laws

• Still must comply with other state and federal laws regarding the protection and privacy of personal information (HIPAA, Red Flags Rule)

• However, a person is deemed to be in compliance with the NOTICE provisions of the Data Security Breach Law and the Regulations if the person maintains procedures for responding to a breach of security pursuant to such “other” laws, provided…
  Person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs

  Person notifies the Massachusetts Attorney General and the Director of OCABR as soon as practicable and without unreasonable delay following the breach.
  Still must comply with the Data Destruction elements of the law!
• Example: A Massachusetts health care provider experiences a data security breach

  – Under the revised HIPAA Privacy Rule (pursuant to the Federal Stimulus Package), a Massachusetts health care provider must now provide notice of a data breach to the patient

  – Under the Massachusetts Data Security Law the Provider must also notify the AG and the Director of OCABR of the breach
• Furthermore, the Massachusetts health care provider must still comply with the Data Destruction requirements of the Massachusetts Data Security Law
• Red Flags Rule

  – Requires “creditors” and “financial institutions” with “covered accounts” to implement programs to identify, detect and respond to patterns, practices and specific activities that would indicate identity theft.

  – Enforcement delayed until August 1, 2009.
Red Flags Rule

  Good News: Compliance with Massachusetts Data Security Law = compliance with Red Flags Rule

  Bad News: Failure to comply with Massachusetts Data Security Law → likely means failure to comply with Red Flags Rule

  Additional Penalties: $2,500 per knowing violation
Next Steps

Assess your organization’s current compliance with the Massachusetts Data Security Law

  – Do you own, license, maintain, or store “Personal Information”?
  – Do you have a “comprehensive written information security program”?
  – Have you implemented the required technical security requirements for personal information which is electronically stored or transmitted?
Consider bringing in an outside expert

  – Consequences of not complying:
      • Monetary Penalties
      • Lawsuits
      • Bad publicity = potential effect on revenues
      • Business disruption while compliance is overseen by state regulatory agencies
Questions?

• Bill Minahan, aNetworks
  781-753-8501
  bill@anetworks.net

• Mark Rogers, Esq., The Rogers Law Firm
  781-794-1600
  mrogers@therogerslawfirm.com

2011 hildebrandt institute cio forum data privacy and security presentation...
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
 
Your User's Privacy
Your User's PrivacyYour User's Privacy
Your User's Privacy
 
Wk White Paper
Wk White PaperWk White Paper
Wk White Paper
 
Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...
Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...
Raising the Bar for Email Security: Confidentiality and Privacy Standards tha...
 
Assignment 1
Assignment 1Assignment 1
Assignment 1
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper   Hardware Vs Software EncryptionSans Tech Paper   Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryption
 
What i learned at the infosecurity isaca north america expo and conference 2019
What i learned at the infosecurity isaca north america expo and conference 2019What i learned at the infosecurity isaca north america expo and conference 2019
What i learned at the infosecurity isaca north america expo and conference 2019
 
Privacy Safe Guarding Sensitive PII Handbook 2013
Privacy Safe Guarding Sensitive PII Handbook 2013Privacy Safe Guarding Sensitive PII Handbook 2013
Privacy Safe Guarding Sensitive PII Handbook 2013
 

Viewers also liked

Flexible & stretchable electronics for biointegrated devices.. NIT BHOPAL
Flexible & stretchable electronics for biointegrated devices.. NIT BHOPALFlexible & stretchable electronics for biointegrated devices.. NIT BHOPAL
Flexible & stretchable electronics for biointegrated devices.. NIT BHOPALnanonerd07
 
User Interactive Electronic Skin
User Interactive Electronic Skin User Interactive Electronic Skin
User Interactive Electronic Skin Varun Kambrath
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsLinkedIn
 

Viewers also liked (6)

Flexible & stretchable electronics for biointegrated devices.. NIT BHOPAL
Flexible & stretchable electronics for biointegrated devices.. NIT BHOPALFlexible & stretchable electronics for biointegrated devices.. NIT BHOPAL
Flexible & stretchable electronics for biointegrated devices.. NIT BHOPAL
 
User Interactive Electronic Skin
User Interactive Electronic Skin User Interactive Electronic Skin
User Interactive Electronic Skin
 
ELECTRONIC TATTOO
ELECTRONIC TATTOOELECTRONIC TATTOO
ELECTRONIC TATTOO
 
Electronic skin
Electronic skinElectronic skin
Electronic skin
 
SECP Law presentation
SECP Law presentationSECP Law presentation
SECP Law presentation
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving Cars
 

Similar to Massachusetts New Data Security Laws Presentation

Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsBrian Honan
 
Israel Privacy Protection Regulations - Duty To Report A Severe Security Event
Israel Privacy Protection Regulations - Duty To Report A Severe Security EventIsrael Privacy Protection Regulations - Duty To Report A Severe Security Event
Israel Privacy Protection Regulations - Duty To Report A Severe Security EventBarry Schuman
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
Cybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to KnowCybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to KnowShawn Tuma
 
Recovering from a Cyber Attack
Recovering from a Cyber AttackRecovering from a Cyber Attack
Recovering from a Cyber AttackShawn Tuma
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Cybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to KnowCybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to KnowShawn Tuma
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Federal Data Protection Act (FDPA)
Federal Data Protection Act (FDPA)Federal Data Protection Act (FDPA)
Federal Data Protection Act (FDPA)AMIPCI
 
Revision Data Protection Act (Eduardo And Salvador)
Revision   Data Protection Act (Eduardo And Salvador)Revision   Data Protection Act (Eduardo And Salvador)
Revision Data Protection Act (Eduardo And Salvador)itgsabc
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossLeadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossShawn Tuma
 
BYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data EverywhereBYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data EverywhereJim Brashear
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfProtected Harbor
 
Journal of Criminal Law and CriminologyVolume 103 Issue .docx
Journal of Criminal Law and CriminologyVolume 103  Issue .docxJournal of Criminal Law and CriminologyVolume 103  Issue .docx
Journal of Criminal Law and CriminologyVolume 103 Issue .docxtawnyataylor528
 
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...Shawn Tuma
 
Gao privacy updates
Gao privacy updatesGao privacy updates
Gao privacy updatesInes Mergel
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security ProtectionShawn Crimson
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachLegal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachDawn Yankeelov
 
Information security
Information securityInformation security
Information securityOnkar Sule
 

Similar to Massachusetts New Data Security Laws Presentation (20)

Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure Laws
 
Israel Privacy Protection Regulations - Duty To Report A Severe Security Event
Israel Privacy Protection Regulations - Duty To Report A Severe Security EventIsrael Privacy Protection Regulations - Duty To Report A Severe Security Event
Israel Privacy Protection Regulations - Duty To Report A Severe Security Event
 
Data Breaches
Data BreachesData Breaches
Data Breaches
 
Cybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to KnowCybersecurity & Data Protection: What the GC & CEO Need to Know
Cybersecurity & Data Protection: What the GC & CEO Need to Know
 
Recovering from a Cyber Attack
Recovering from a Cyber AttackRecovering from a Cyber Attack
Recovering from a Cyber Attack
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liability
 
Cybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to KnowCybersecurity: What the GC and CEO Need to Know
Cybersecurity: What the GC and CEO Need to Know
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Federal Data Protection Act (FDPA)
Federal Data Protection Act (FDPA)Federal Data Protection Act (FDPA)
Federal Data Protection Act (FDPA)
 
Revision Data Protection Act (Eduardo And Salvador)
Revision   Data Protection Act (Eduardo And Salvador)Revision   Data Protection Act (Eduardo And Salvador)
Revision Data Protection Act (Eduardo And Salvador)
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossLeadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
 
BYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data EverywhereBYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data Everywhere
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
Journal of Criminal Law and CriminologyVolume 103 Issue .docx
Journal of Criminal Law and CriminologyVolume 103  Issue .docxJournal of Criminal Law and CriminologyVolume 103  Issue .docx
Journal of Criminal Law and CriminologyVolume 103 Issue .docx
 
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc...
 
Gao privacy updates
Gao privacy updatesGao privacy updates
Gao privacy updates
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachLegal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
 
Information security
Information securityInformation security
Information security
 

Massachusetts New Data Security Laws Presentation

  • 1. Massachusetts New Data Security Law. Presented by Bill Minahan, aNetworks, Inc., Hingham, MA, and Mark Rogers, Esq., The Rogers Law Firm, Braintree, MA.
  • 2. Massachusetts New Data Security Law. Goals of Today's Presentation: – Overview of Massachusetts new data security law and associated regulations – Overview of the Federal Red Flags Rule – Guidance on complying with these new laws
  • 3. Massachusetts New Data Security Law. Two Questions: 1. Why Massachusetts? 2. Why now?
  • 4. Massachusetts New Data Security Law. Answer: TJX
  • 5. Massachusetts New Data Security Law. TJX Data Breach – "Unauthorized intrusion" affects over 100 million accounts – TJX set aside $256 million for costs associated with the breach
  • 6. Massachusetts New Data Security Law. Massachusetts responds – "An Act Relative to Security Freezes and Notification of Data Breaches" (Effective: February 3, 2008) – "Standards for the Protection of Personal Information of Residents of the Commonwealth" (Effective: January 1, 2010)
  • 7. An Act Relative to Security Freezes and Notification of Data Breaches. 3 areas addressed by the law: 1. Security Freezes 2. Notice of a Security Breach (M.G.L. c. 93H) 3. Data Destruction (M.G.L. c. 93I)
  • 8. An Act Relative to Security Freezes and Notification of Data Breaches. "Personal Information": Resident's first name + last name, or first initial + last name, with 1 or more of the following: • Social Security # • Driver's license # or state-issued ID card # • Financial account # or credit or debit card #
  • 9. An Act Relative to Security Freezes and Notification of Data Breaches. Notice: A person or business that maintains or stores personal information about a resident of the Commonwealth → must provide notice to the owner or licensor of such information, if they know or have reason to believe that: 1. There is a breach of security; or 2. the personal information was acquired or used by an unauthorized person or used for an unauthorized purpose
  • 10. An Act Relative to Security Freezes and Notification of Data Breaches. Notice: A person or business that owns or licenses personal information about a resident of the Commonwealth → must provide notice to the resident, the Attorney General, and the Director of Consumer Affairs and Business Regulation if the person knows or has reason to know that there was: 1. a breach of security; or 2. the personal information was acquired or used by an unauthorized person, or used for an unauthorized purpose
  • 11. An Act Relative to Security Freezes and Notification of Data Breaches. 2 Important Definitions. 1. "Breach of Security": The unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality or integrity of personal information, maintained by a person or business that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
  • 12. An Act Relative to Security Freezes and Notification of Data Breaches. 2. "Notice": Written notice; Electronic notice; "Substitute notice"
  • 13. An Act Relative to Security Freezes and Notification of Data Breaches. What should be in the "Notice"? – Consumer's right to obtain a police report – How a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze – Any fees to be paid to any of the consumer reporting agencies
  • 14. An Act Relative to Security Freezes and Notification of Data Breaches. Data Destruction – When disposing of records… (a) Paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot be read or reconstructed (b) Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed
  • 15. An Act Relative to Security Freezes and Notification of Data Breaches. Penalties =
  • 16. An Act Relative to Security Freezes and Notification of Data Breaches. • Notice Violation → Chapter 93A liability (triple damages, costs, and attorneys' fees) • Data Destruction Violation → Chapter 93A liability and a civil fine of not more than $100 per data subject, with a maximum fine of $50,000 for each instance of improper disposal
  • 17. Standards for the Protection of Personal Information of Residents of the Commonwealth. Massachusetts Data Security Law ↓ Requires the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) to adopt regulations designed to safeguard the personal information about residents of the Commonwealth
  • 18. Standards for the Protection of Personal Information of Residents of the Commonwealth. • Issued: September, 2008 • Effective: January 1, 2009 • Delayed to: May 1, 2009 • Delayed to: January 1, 2010
  • 19. Standards for the Protection of Personal Information of Residents of the Commonwealth. Two Primary Components: 1. Development of a comprehensive written information security program 2. For persons that electronically store or transmit personal information, the establishment and maintenance of a security system covering its computers, including a wireless system
  • 20. Standards for the Protection of Personal Information of Residents of the Commonwealth. Comprehensive Written Information Security Program • Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.
  • 21. Standards for the Protection of Personal Information of Residents of the Commonwealth. • Every comprehensive written information security program shall include, at least, the following: – Designating 1 or more employees to maintain the program – Identifying and assessing reasonably foreseeable internal and external risks to security, confidentiality and integrity of records, to include: • ongoing employee training • employee compliance with policies • means of detecting and preventing system failures • developing security policies for employees
  • 22. Standards for the Protection of Personal Information of Residents of the Commonwealth. – Imposing disciplinary measures – Preventing terminated employees from accessing records – Verifying your vendors/providers have the capacity to protect personal information – Limiting the amount of personal information collected – Identifying records and devices which contain personal information – Reasonable restrictions upon physical access to records containing personal information
  • 23. Standards for the Protection of Personal Information of Residents of the Commonwealth. – Regular monitoring to ensure the program operates in a manner calculated to prevent unauthorized access to or use of personal information – Review of the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information – Documentation of responsive actions taken in connection with any incident involving a breach of security
  • 24. Standards for the Protection of Personal Information of Residents of the Commonwealth. Computer System Security Requirements – Every person that electronically stores or transmits personal information shall include in its written comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, including, at a minimum, the following elements:
  • 25. Standards for the Protection of Personal Information of Residents of the Commonwealth. Secure user authentication protocols, including: – Control of user IDs and other identifiers – Secure method of assigning and selecting passwords (or use of unique identifier technologies)
  • 26. Standards for the Protection of Personal Information of Residents of the Commonwealth. If you recognize your password here, you may as well hand over your wallet or purse to the first person you see on the street. • password • 123456 • qwerty • abc123 • letmein • monkey • myspace1 • password1 • blink182 • (your first name) http://www.pctools.com/guides/password/
  • 27. Standards for the Protection of Personal Information of Residents of the Commonwealth. • Control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect – Memorize your password – Do NOT share your password – If you must write it down, record it safely
  • 28. Standards for the Protection of Personal Information of Residents of the Commonwealth. – Restrict access to active users and active user accounts only; and – Blocking access to user identification after multiple unsuccessful attempts to gain access;
  • 29. Standards for the Protection of Personal Information of Residents of the Commonwealth. Secure access control measures that: • Restrict access to records and files containing personal information to those who need the information to perform their job duties • Assign unique identifications plus passwords to each person with computer access
  • 30. Standards for the Protection of Personal Information of Residents of the Commonwealth. Encryption: All transmitted records and files containing personal information that will travel across public networks; All data containing personal information to be transmitted wirelessly
  • 31. Standards for the Protection of Personal Information of Residents of the Commonwealth. Reasonable monitoring of systems for unauthorized use of, or access to, personal information. Encryption of all personal information stored on laptops or other portable devices
  • 32. Standards for the Protection of Personal Information of Residents of the Commonwealth. Example #1: Bob is a SMB Executive. He forgets his laptop in a cab. The laptop has a 'BIOS' password before booting. It also has a username and 'strong password'. Bob is annoyed at the loss of the laptop, but feels safe about the privacy of his data… is he right?
  • 33. Standards for the Protection of Personal Information of Residents of the Commonwealth. Bob is Wrong! Physical access to a computer almost guarantees any hacker will get to your unencrypted data. Does not require a highly sophisticated attacker.
  • 34. Standards for the Protection of Personal Information of Residents of the Commonwealth. Up-to-date firewall protection and operating system security patches for systems connected to the internet
  • 35. Standards for the Protection of Personal Information of Residents of the Commonwealth. Up-to-date versions of system security agent software • with malware protection • reasonably up-to-date patches and virus definitions
  • 36. Standards for the Protection of Personal Information of Residents of the Commonwealth. Example #2: A Senior Executive for a CPA Firm 'does not like the Antivirus program'. He removes it and installs one of his preference. The SE is happy; the company is unaware. The new program fails to update. The user's PC is infected. The main company server is hacked.
  • 37. Standards for the Protection of Personal Information of Residents of the Commonwealth. Example #3: A company with an active e-commerce site. The server is behind a firewall. The website uses SSL encryption for all data transmissions. SSL, and ONLY SSL, is allowed from the Internet into this server. Bob feels good about his server.
  • 38. Standards for the Protection of Personal Information of Residents of the Commonwealth. Bob is Wrong Again! Bob's hacked computer (Example #2) can serve as a launch pad for an attack against the server; other attacks exist that exploit OS vulnerabilities directly. Data should be separated. Data should be encrypted!
  • 39. Standards for the Protection of Personal Information of Residents of the Commonwealth. Example #4: Bob is very conscious of his company's data, so Bob makes sure everything is backed up daily. To protect against disaster, Bob diligently manages several weeks' worth of tape sets. Bob takes one set of tapes to his own house and stores them in his basement. Bob's home is broken into…
  • 40. Standards for the Protection of Personal Information of Residents of the Commonwealth. Education and training of employees on the proper use of the computer security system and the importance of personal information security
  • 41. Standards for the Protection of Personal Information of Residents of the Commonwealth. A determination as to whether the comprehensive written information security program is in compliance with the Regulations will take into account the following: – Size, scope and type of business – Amount of resources available – Amount of stored data – Need for security and confidentiality of both consumer and employee information
  • 42. Standards for the Protection of Personal Information of Residents of the Commonwealth. • Penalties – Chapter 93A liability • triple damages • costs • attorneys' fees
  • 43. Applicability of other State and Federal Laws. • Still must comply with other state and federal laws regarding the protection and privacy of personal information (HIPAA, Red Flags Rule) • However, a person is deemed to be in compliance with the NOTICE provisions of the Data Security Breach Law and the Regulations if the person maintains procedures for responding to a breach of security pursuant to such "other" laws, provided…
  • 44. Applicability of other State and Federal Laws. The person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs. The person notifies the Massachusetts Attorney General and the Director of OCABR as soon as practicable and without unreasonable delay following the breach.
  • 45. Applicability of other State and Federal Laws. Still must comply with the Data Destruction elements of the law!
  • 46. Applicability of other State and Federal Laws. • Example: A Massachusetts health care provider experiences a data security breach – Under the revised HIPAA Privacy Rule (pursuant to the Federal Stimulus Package), a Massachusetts health care provider must now provide notice of a data breach to the patient – Under the Massachusetts Data Security Law the Provider must also notify the AG and the Director of OCABR of the breach
  • 47. Applicability of other State and Federal Laws. • Furthermore, the Massachusetts health care provider must still comply with the Data Destruction requirements of the Massachusetts Data Security Law
  • 48. Applicability of other State and Federal Laws. • Red Flags Rule – Requires "creditors" and "financial institutions" with "covered accounts" to implement programs to identify, detect and respond to patterns, practices and specific activities that would indicate identity theft. – Enforcement delayed until August 1, 2009.
  • 49. Applicability of other State and Federal Laws. Red Flags Rule. Good News: Compliance with the Massachusetts Data Security Law = compliance with the Red Flags Rule. Bad News: Failure to comply with the Massachusetts Data Security Law → likely means failure to comply with the Red Flags Rule. Additional Penalties: $2,500 per knowing violation
  • 50. Next Steps. Assess your organization's current compliance with the Massachusetts Data Security Law – Do you own, license, maintain, or store "Personal Information"? – Do you have a "comprehensive written information security program"? – Have you implemented the required technical security requirements for personal information which is electronically stored or transmitted?
  • 51. Next Steps. Consider bringing in an outside expert – Consequences of not complying: • Monetary Penalties • Lawsuits • Bad publicity = potential effect on revenues • Business disruption while compliance is overseen by state regulatory agencies
  • 52. Questions? • Bill Minahan, aNetworks, 781-753-8501, bill@anetworks.net • Mark Rogers, Esq., The Rogers Law Firm, 781-794-1600, mrogers@therogerslawfirm.com
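As an added example that is not part of the presentation, the Python below implements the "secure user authentication protocol" elements from slides 25 to 29 of the deck: unique user IDs, a password-selection rule that rejects the slide 26 list (including the user's first name), stored passwords kept in a form that does not compromise the data they protect, access for active accounts only, and lockout after multiple unsuccessful attempts. The lockout threshold, the 15-minute lockout, the 12-character minimum and the sample account are assumptions; the regulation only says "multiple" attempts.

```python
"""Added example, not from the presentation: a small login gate that enforces the
"secure user authentication protocol" elements on slides 25-29 of the deck.
The thresholds, the 12-character minimum and the sample account are assumptions;
the regulation itself only says "multiple" unsuccessful attempts."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5      # assumption: lock after the fifth consecutive failure
LOCKOUT_SECONDS = 15 * 60    # assumption: 15-minute lockout
MIN_PASSWORD_LENGTH = 12     # assumption: not a number from the regulation
PBKDF2_ITERATIONS = 100_000  # assumption: work factor for the password hash

# The weak passwords listed on slide 26, lower-cased; "(your first name)" is a
# rule in password_is_acceptable() rather than a literal.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein",
                  "monkey", "myspace1", "password1", "blink182"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the stored value cannot be turned back into the
    password if the account store is exposed (slide 27, 'location and/or format')."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def password_is_acceptable(password: str, first_name: str) -> bool:
    """Selection rule for new passwords (slide 25, 'secure method of ... selecting
    passwords'): long enough, not on the slide 26 list, not containing the
    user's own first name."""
    candidate = password.lower()
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if candidate in WEAK_PASSWORDS:
        return False
    if first_name and first_name.lower() in candidate:
        return False
    return True


@dataclass
class Account:
    user_id: str
    first_name: str
    salt: bytes
    digest: bytes
    active: bool = True          # slide 28: only active accounts may log in
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


class Authenticator:
    """In-memory account store; a real deployment would persist Account rows."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_account(self, user_id: str, first_name: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique (slide 29)")
        if not password_is_acceptable(password, first_name):
            raise ValueError("password rejected by the selection rule")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, first_name, salt, digest)

    def deactivate(self, user_id: str) -> None:
        """Slide 22: a terminated employee's account is deactivated rather than
        deleted, so the record survives for audit but every login is refused."""
        self.accounts[user_id].active = False

    def login(self, user_id: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. 'now' is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            return "denied"
        if now < acct.locked_until:
            return "locked"      # slide 28: do not check the password while locked
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"
```

Every refusal returns the same generic "denied" for an unknown ID, an inactive account and a wrong password, so the login response does not reveal which user IDs exist.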