Secure Your Data. It’s now the Law.
Massachusetts has issued new regulations that will soon go into effect mandating that “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” comply with strict requirements for safeguarding and disposing of personal information.
Don’t miss this opportunity to understand how 201 CMR 17.00 et seq. will affect your business.
If your company accepts credit cards or stores any customer information, you need to attend this important seminar to understand what will now be required of your company under Massachusetts law. Our experts will detail the regulations and how they impact Massachusetts-based companies. We will discuss the compliance structure as well as outline the steps you will need to take to be in compliance with these new regulations.
WARNING
Failure to comply with the new law exposes a company to substantial monetary penalties. Attorney advertising. Prior results do not guarantee a similar outcome.
http://events.anetworks.net
1. Massachusetts New Data Security Law
Presented by
Bill Minahan, aNetworks, Inc., Hingham, MA
Mark Rogers, Esq., The Rogers Law Firm, Braintree, MA
2. Massachusetts New Data Security Law
Goals of Today’s Presentation
– Overview of Massachusetts new data security law and associated regulations
– Overview of the Federal Red Flags Rule
– Guidance on complying with these new laws
3. Massachusetts New Data Security Law
Two Questions
1. Why Massachusetts?
2. Why now?
5. Massachusetts New Data Security Law
TJX Data Breach
– “Unauthorized intrusion” affects over 100 million accounts
– TJX set aside $256 million for costs associated with the breach
6. Massachusetts New Data Security Law
Massachusetts responds
– “An Act Relative to Security Freezes and Notification of Data Breaches” (Effective: February 3, 2008)
– “Standards for the Protection of Personal Information of Residents of the Commonwealth” (Effective: January 1, 2010)
7. An Act Relative to Security Freezes and Notification of Data Breaches
3 areas addressed by the law
1. Security Freezes
2. Notice of a Security Breach (M.G.L. c. 93H)
3. Data Destruction (M.G.L. c. 93I)
8. An Act Relative to Security Freezes and Notification of Data Breaches
“Personal Information”
Resident’s first name + last name
or
first initial + last name with 1 or more of the following:
• Social Security #
• Driver’s license # or state-issued ID card #
• Financial account # or credit or debit card #
9. An Act Relative to Security Freezes and Notification of Data Breaches
Notice
A person or business that maintains or stores personal information about a resident of the Commonwealth
→ must provide notice to the owner or licensor of such information, if they know or have reason to believe that:
1. There is a breach of security; or
2. the personal information was acquired or used by an unauthorized person or used for an unauthorized purpose
10. An Act Relative to Security Freezes and
Notification of Data Breaches
Notice
A person or business that owns or licenses personal
information about a resident of the Commonwealth.
→ must provide notice to the resident, the Attorney General,
Director of Consumer Affairs and Business Regulation if the
person knows or has reason to know that there was:
1. a breach of security; or
2. the personal information was acquired or used by an
unauthorized person, or used for an unauthorized purpose
11. An Act Relative to Security Freezes and Notification of Data Breaches
2 Important Definitions
1. “Breach of Security”
The unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality or integrity of personal information, maintained by a person or business that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
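As an added worked example (not part of the presentation), the “personal information”, “breach of security” and notice rules from slides 8 through 11 written as functions an incident-response team could run over an exposed data set; the record field names, the two-role model and the sample records are assumptions made here for illustration.

```python
"""Added example (not from the presentation): the "personal information",
"breach of security" and notice-recipient rules from slides 8-11 as code.
Field names, the role model and the sample records are assumptions."""

# Data elements that, paired with a name, make a record "personal information".
SENSITIVE_ELEMENTS = ("ssn", "drivers_license", "state_id",
                      "financial_account", "card_number")


def is_personal_information(record: dict) -> bool:
    """Slide 8: (first name or first initial) + last name, together with at
    least one sensitive element.  A name alone, or an SSN with no last name,
    does not qualify."""
    has_name = bool(record.get("last_name")) and bool(
        record.get("first_name") or record.get("first_initial"))
    has_element = any(record.get(k) for k in SENSITIVE_ELEMENTS)
    return has_name and has_element


def is_breach_of_security(unauthorized_use: bool, data_encrypted: bool,
                          key_compromised: bool) -> bool:
    """Slide 11: unauthorized use of unencrypted data, or of encrypted data
    together with the confidential process or key.  Encryption only helps
    while the key stays confidential; the statute's "substantial risk of
    identity theft or fraud" element is a judgement call not modelled here."""
    return unauthorized_use and ((not data_encrypted) or key_compromised)


def notice_recipients(role: str, notice_triggered: bool) -> list:
    """Slides 9-10: who must be told once a breach of security, or an
    unauthorized acquisition/use of personal information, is established.
    role is "maintainer" (holds the data for another party) or
    "owner_or_licensor"."""
    if not notice_triggered:
        return []
    if role == "maintainer":
        return ["owner or licensor of the information"]
    if role == "owner_or_licensor":
        return ["resident", "Attorney General", "Director of OCABR"]
    raise ValueError(f"unknown role: {role!r}")


# Constructed sample records (fictitious values, not real people).
SAMPLE_RECORDS = [
    {"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"},
    {"first_initial": "B", "last_name": "Ortiz", "card_number": "4111000000000000"},
    {"first_name": "Cal", "last_name": "Park", "email": "cal@example.com"},
    {"last_name": "Diaz", "drivers_license": "S00000000"},
]


def count_personal_information(records) -> int:
    """How many records would be in scope if this data set were exposed."""
    return sum(1 for r in records if is_personal_information(r))
```

Run against the constructed records, only two of the four are “personal information” (a name with an e-mail address, or a driver’s license number with no first name or initial, falls outside the definition), and a lost encrypted device whose key is also compromised is treated exactly like an unencrypted one.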
12. An Act Relative to Security Freezes and
Notification of Data Breaches
2. “Notice”
Written notice
Electronic notice
“Substitute notice”
13. An Act Relative to Security Freezes and Notification of Data Breaches
What should be in the “Notice”?
– Consumer’s right to obtain a police report
– How a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze
– Any fees to be paid to any of the consumer reporting agencies
14. An Act Relative to Security Freezes and Notification of Data Breaches
Data Destruction
– When disposing of records…
(a) Paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot be read or reconstructed
(b) Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed
15. An Act Relative to Security Freezes and
Notification of Data Breaches
Penalties =
16. An Act Relative to Security Freezes and Notification of Data Breaches
• Notice Violation
→ Chapter 93A liability (triple damages, costs, and attorneys’ fees)
• Data Destruction Violation
→ Chapter 93A liability and a civil fine of not more than $100 per data subject with a maximum fine of $50,000 for each instance of improper disposal
17. Standards for the Protection of Personal Information of Residents of the Commonwealth
Massachusetts Data Security Law
↓
Requires the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) to adopt regulations designed to safeguard the personal information about residents of the Commonwealth
18. Standards for the Protection of Personal Information of Residents of the Commonwealth
• Issued: September, 2008
• Effective: January 1, 2009
• Delayed to: May 1, 2009
• Delayed to: January 1, 2010
19. Standards for the Protection of Personal Information of Residents of the Commonwealth
Two Primary Components:
1. Development of a comprehensive written information security program
2. For persons that electronically store or transmit personal information, the establishment and maintenance of a security system covering its computers, including a wireless system
20. Standards for the Protection of Personal Information of Residents of the Commonwealth
Comprehensive Written Information Security Program
• Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.
21. Standards for the Protection of Personal
Information of Residents of the Commonwealth
• Every comprehensive written information security program
shall include, at least, the following:
– Designating 1 or more employees to maintain the program
– Identifying and assessing reasonably foreseeable internal and
external risks to security, confidentiality and integrity of records,
to include:
• ongoing employee training
• employee compliance with policies
• means of detecting and preventing system failures
• developing security policies for employees
22. Standards for the Protection of Personal Information of Residents of the Commonwealth
– Imposing disciplinary measures
– Preventing terminated employees from accessing records
– Verifying your vendors’ providers have the capacity to protect personal information
– Limiting the amount of personal information collected
– Identify records and devices which contain personal information
– Reasonable restrictions upon physical access to records containing personal information
23. Standards for the Protection of Personal
Information of Residents of the Commonwealth
– Regular monitoring to ensure the program operates in a
manner calculated to prevent unauthorized access to or
use of personal information
– Review of the scope of security measures at least annually
or whenever there is a material change in business
practices that may reasonably implicate the security or
integrity of records containing personal information
– Documentation of responsive actions taken in connection
with any incident involving a breach of security
24. Standards for the Protection of Personal Information of Residents of the Commonwealth
Computer System Security Requirements
– Every person that electronically stores or transmits personal information shall include in its written comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, including, at a minimum, the following elements:
25. Standards for the Protection of Personal
Information of Residents of the Commonwealth
Secure user authentication
protocols, including:
– Control of user IDs and other identifiers
– Secure method of assigning and selecting
passwords (or use of unique identifier
technologies)
26. Standards for the Protection of Personal
Information of Residents of the Commonwealth
If you recognize your password here, you may as well hand over
your wallet or purse to the first person you see on the street.
• password
• 123456
• qwerty
• abc123
• letmein
• monkey
• myspace1
• password1
• blink182
• (your first name)
http://www.pctools.com/guides/password/
27. Standards for the Protection of Personal Information of Residents of the Commonwealth
• Control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
– Memorize your Password
– Do NOT Share your password
– If you must write it down, Record It Safely
28. Standards for the Protection of Personal
Information of Residents of the Commonwealth
– Restrict access to active users and active user
accounts only; and
– Blocking access to user identification after multiple
unsuccessful attempts to gain access;
29. Standards for the Protection of Personal Information of Residents of the Commonwealth
Secure access control measures that
• Restrict access to records and files containing personal information to those who need information to perform their job duties
• Assign unique identifications plus passwords to each person with computer access
30. Standards for the Protection of Personal Information of Residents of the Commonwealth
Encryption
All transmitted records and files containing personal information that will travel across public networks
All data containing personal information to be transmitted wirelessly
31. Standards for the Protection of Personal
Information of Residents of the Commonwealth
Reasonable monitoring of systems for
unauthorized use of, or access to personal
information
Encryption of all personal information
stored on laptops or other portable devices
32. Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #1
Bob is a SMB Executive. He forgets his laptop in a cab.
Laptop has ‘BIOS’ password before booting
It also has username and ‘strong password’
Bob is annoyed at loss of laptop, but feels safe about privacy of his data… is he right?
33. Standards for the Protection of Personal
Information of Residents of the Commonwealth
Bob is Wrong!
Physical access to a computer
almost guarantees any hacker will
get to your unencrypted data.
Does not require a highly
sophisticated attacker.
34. Standards for the Protection of Personal
Information of Residents of the Commonwealth
Up-to-date firewall protection and operating
system security patches for systems
connected to the internet
35. Standards for the Protection of Personal Information of Residents of the Commonwealth
Up-to-date versions of system security agent software
• with malware protection
• reasonably up-to-date patches and virus definitions
36. Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #2
Senior Executive for CPA Firm ‘does not like the Antivirus program’
Removes it and installs one of his preference
SE is happy, company is unaware
New program fails to update
User’s PC is infected
Main company server is hacked
37. Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #3
A company with an active e-commerce site
Server is behind a firewall
Website uses SSL encryption for all data transmissions
SSL, and ONLY SSL, is allowed from the Internet into this server
Bob feels good about his server
38. Standards for the Protection of Personal Information of Residents of the Commonwealth
Bob is Wrong Again!
Bob’s hacked computer (Example #2) can serve as launch pad for attack against server; other attacks exist that exploit OS vulnerabilities directly
Data should be separated
Data should be encrypted!
39. Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #4
Bob is very conscious of his company’s data, so Bob makes sure everything is backed up daily
To protect against disaster, Bob diligently manages several weeks’ worth of tape sets
Bob takes one set of tapes to his own house and stores them in his basement.
Bob’s home is broken into…
40. Standards for the Protection of Personal Information of Residents of the Commonwealth
Education and training of employees on the proper use of the computer security system and the importance of personal information security
41. Standards for the Protection of Personal Information of Residents of the Commonwealth
A determination as to whether the comprehensive written information security program is in compliance with the Regulations will take into account the following
– Size, scope and type of business
– Amount of resources available
– Amount of stored data
– Need for security and confidentiality of both consumer and employee information
42. Standards for the Protection of Personal Information of Residents of the Commonwealth
• Penalties
– Chapter 93A liability
• triple damages
• costs
• attorneys’ fees
43. Applicability of other State and Federal Laws
• Still must comply with other state and federal laws regarding the protection and privacy of personal information (HIPAA, Red Flags Rule)
• However, a person is deemed to be in compliance with the NOTICE provisions of the Data Security Breach Law and the Regulations if the person maintains procedures for responding to a breach of security pursuant to such “other” laws, provided…
44. Applicability of other State and Federal Laws
Person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs
Person notifies the Massachusetts Attorney General and the Director of OCABR as soon as practicable and without unreasonable delay following the breach.
45. Applicability of other State and Federal Laws
Still must comply with the Data Destruction elements of the law!
46. Applicability of other State and Federal Laws
• Example:
A Massachusetts health care provider experiences a data security breach
– Under the revised HIPAA Privacy Rule (pursuant to the Federal Stimulus Package), a Massachusetts health care provider must now provide notice of a data breach to the patient
– Under the Massachusetts Data Security Law the Provider must also notify the AG and the Director of OCABR of the breach
47. Applicability of other State and Federal Laws
• Furthermore, the Massachusetts health care provider must still comply with the Data Destruction requirements of the Massachusetts Data Security Law
48. Applicability of other State and Federal Laws
• Red Flags Rule
– Requires “creditors” and “financial institutions” with “covered accounts” to implement programs to identify, detect and respond to patterns, practices and specific activities that would indicate identity theft.
– Enforcement delayed until August 1, 2009.
49. Applicability of other State and Federal Laws
Red Flags Rule
Good News: Compliance with Massachusetts Data Security Law = compliance with Red Flags Rule
Bad News: Failure to comply with Massachusetts Data Security Law → likely means failure to comply with Red Flags Rule
Additional Penalties: $2,500 per knowing violation
50. Next Steps
Assess your organization’s current compliance with the Massachusetts Data Security Law
– Do you own, license, maintain, or store “Personal Information”?
– Do you have a “comprehensive written information security program”?
– Have you implemented the required technical security requirements for personal information which is electronically stored or transmitted?
51. Next Steps
Consider bringing in an outside expert
– Consequences of not complying:
• Monetary Penalties
• Lawsuits
• Bad publicity = potential effect on revenues
• Business disruption while compliance is overseen by state regulatory agencies
52. Questions?
• Bill Minahan, aNetworks
781-753-8501
bill@anetworks.net
• Mark Rogers, Esq., The Rogers Law Firm
781-794-1600
mrogers@therogerslawfirm.com