Massachusetts New Data Security Laws Presentation

Secure Your Data. It's now the Law.

Massachusetts has issued new regulations that will soon go into effect mandating that “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” comply with strict requirements for safeguarding and disposing of personal information.

Don't miss this opportunity to understand how 201 CMR 17.00 et seq. will affect your business.

If your company accepts credit cards or stores any customer information, you need to attend this important seminar to understand what will now be required of your company under Massachusetts law. Our experts will detail the regulations and how they impact Massachusetts-based companies. We will discuss the compliance structure as well as outline the steps you will need to take to be in compliance with these new regulations.


WARNING
Failure to comply with the new law exposes a company to substantial monetary penalties. Attorney advertising. Prior results do not guarantee a similar outcome.

http://events.anetworks.net

    Presentation Transcript

    • Massachusetts New Data Security Law. Presented by Bill Minahan, aNetworks, Inc., Hingham, MA, and Mark Rogers, Esq., The Rogers Law Firm, Braintree, MA.
    • Massachusetts New Data Security Law: Goals of Today's Presentation – Overview of the Massachusetts new data security law and associated regulations – Overview of the Federal Red Flags Rule – Guidance on complying with these new laws
    • Massachusetts New Data Security Law: Two Questions – 1. Why Massachusetts? 2. Why now?
    • Massachusetts New Data Security Law: Answer – TJX
    • Massachusetts New Data Security Law: TJX Data Breach – "Unauthorized intrusion" affects over 100 million accounts – TJX set aside $256 million for costs associated with the breach
    • Massachusetts New Data Security Law: Massachusetts responds – "An Act Relative to Security Freezes and Notification of Data Breaches" (Effective: February 3, 2008) – "Standards for the Protection of Personal Information of Residents of the Commonwealth" (Effective: January 1, 2010)
    • An Act Relative to Security Freezes and Notification of Data Breaches: 3 areas addressed by the law – 1. Security Freezes 2. Notice of a Security Breach (M.G.L. c. 93H) 3. Data Destruction (M.G.L. c. 93I)
    • An Act Relative to Security Freezes and Notification of Data Breaches: "Personal Information" – A resident's first name and last name, or first initial and last name, in combination with 1 or more of the following: • Social Security # • Driver's license # or state-issued ID card # • Financial account # or credit or debit card #
    • An Act Relative to Security Freezes and Notification of Data Breaches: Notice – A person or business that maintains or stores personal information about a resident of the Commonwealth → must provide notice to the owner or licensor of such information if they know or have reason to believe that: 1. there is a breach of security; or 2. the personal information was acquired or used by an unauthorized person or used for an unauthorized purpose
    • An Act Relative to Security Freezes and Notification of Data Breaches: Notice – A person or business that owns or licenses personal information about a resident of the Commonwealth → must provide notice to the resident, the Attorney General, and the Director of Consumer Affairs and Business Regulation if the person knows or has reason to know that there was: 1. a breach of security; or 2. the personal information was acquired or used by an unauthorized person, or used for an unauthorized purpose
    • An Act Relative to Security Freezes and Notification of Data Breaches: 2 Important Definitions – 1. "Breach of Security": The unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information maintained by a person or business, and that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth.
    • An Act Relative to Security Freezes and Notification of Data Breaches: 2. "Notice" – Written notice; Electronic notice; "Substitute notice"
    • An Act Relative to Security Freezes and Notification of Data Breaches: What should be in the "Notice"? – The consumer's right to obtain a police report – How a consumer requests a security freeze and the information that must be provided when requesting it – Any fees to be paid to any of the consumer reporting agencies
    • An Act Relative to Security Freezes and Notification of Data Breaches: Data Destruction – When disposing of records: (a) Paper documents containing personal information shall be redacted, burned, pulverized, or shredded so that personal data cannot be read or reconstructed; (b) Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed
    • An Act Relative to Security Freezes and Notification of Data Breaches: Penalties – Notice violation → Chapter 93A liability (triple damages, costs, and attorneys' fees) – Data Destruction violation → Chapter 93A liability and a civil fine of not more than $100 per data subject, with a maximum fine of $50,000 for each instance of improper disposal
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: The Massachusetts Data Security Law requires the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) to adopt regulations designed to safeguard the personal information of residents of the Commonwealth
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: • Issued: September 2008 • Effective: January 1, 2009 • Delayed to: May 1, 2009 • Delayed to: January 1, 2010
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Two Primary Components – 1. Development of a comprehensive written information security program 2. For persons that electronically store or transmit personal information, the establishment and maintenance of a security system covering its computers, including any wireless system
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Comprehensive Written Information Security Program – Every person that owns, licenses, stores, or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain, and monitor a comprehensive, written information security program applicable to any records containing such personal information.
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Every comprehensive written information security program shall include, at least, the following – Designating 1 or more employees to maintain the program – Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of records, including: • ongoing employee training • employee compliance with policies • means of detecting and preventing system failures • developing security policies for employees
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: – Imposing disciplinary measures – Preventing terminated employees from accessing records – Verifying that your vendors and service providers have the capacity to protect personal information – Limiting the amount of personal information collected – Identifying the records and devices that contain personal information – Reasonable restrictions upon physical access to records containing personal information
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: – Regular monitoring to ensure the program operates in a manner calculated to prevent unauthorized access to or use of personal information – Review of the scope of the security measures at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information – Documentation of responsive actions taken in connection with any incident involving a breach of security
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Computer System Security Requirements – Every person that electronically stores or transmits personal information shall include in its comprehensive written information security program the establishment and maintenance of a security system covering its computers, including any wireless system, including, at a minimum, the following elements:
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Secure user authentication protocols, including – Control of user IDs and other identifiers – A secure method of assigning and selecting passwords (or use of unique identifier technologies)
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: If you recognize your password here, you may as well hand over your wallet or purse to the first person you see on the street: • password • 123456 • qwerty • abc123 • letmein • monkey • myspace1 • password1 • blink182 • (your first name) (source: http://www.pctools.com/guides/password/)
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: – Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect – Memorize your password – Do NOT share your password – If you must write it down, record it safely
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: – Restricting access to active users and active user accounts only; and – Blocking access to user identification after multiple unsuccessful attempts to gain access
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Secure access control measures that – Restrict access to records and files containing personal information to those who need such information to perform their job duties – Assign unique identifications plus passwords to each person with computer access
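The authentication and access-control elements on the preceding slides (unique user IDs, rejection of the weak passwords on the slide and of the user's first name, active accounts only, lockout after multiple failed attempts, stored passwords kept in a form that does not compromise the data) pulled together in one small user store, as an added Python example that is not part of the original presentation. The lockout threshold (5), the minimum password length (12) and the use of salted PBKDF2 hashing for the stored form are assumptions for illustration: the regulation says "multiple" attempts and sets no number or algorithm.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Weak passwords from the slide above (compared case-insensitively).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "abc123", "letmein",
    "monkey", "myspace1", "password1", "blink182",
}
# Assumed thresholds: the regulation requires lockout after "multiple"
# failures but sets no number; these values are illustrative choices.
MAX_FAILED_ATTEMPTS = 5
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored hash


class PolicyError(ValueError):
    """Raised when a user ID or password violates the authentication policy."""


@dataclass
class Account:
    user_id: str
    first_name: str
    salt: bytes
    pw_hash: bytes
    active: bool = True       # deactivated (terminated) accounts are denied outright
    failed_attempts: int = 0
    locked: bool = False      # set once failures reach MAX_FAILED_ATTEMPTS


def check_password_policy(password: str, first_name: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it is acceptable."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "password is on the common-password list"
    if first_name and lowered == first_name.lower():
        return "password is the user's first name"
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password is shorter than {MIN_PASSWORD_LENGTH} characters"
    return None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored form cannot be turned back into the
    # password if the user database itself is exposed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    """In-memory user directory enforcing the controls listed on the slides."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create_user(self, user_id: str, first_name: str, password: str) -> None:
        if user_id in self._accounts:
            raise PolicyError("user ID already assigned; identifiers must be unique")
        reason = check_password_policy(password, first_name)
        if reason is not None:
            raise PolicyError(reason)
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, first_name, salt, _hash_password(password, salt))

    def deactivate(self, user_id: str) -> None:
        """Terminated employee: the record stays on file but can no longer log in."""
        self._accounts[user_id].active = False

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals whether the ID exists."""
        acct = self._accounts.get(user_id)
        if acct is None:
            # Do the same hashing work for unknown IDs so response time does
            # not tell an attacker which user IDs are valid.
            _hash_password(password, bytes(16))
            return "denied"
        if not acct.active:
            return "denied"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.create_user("bob", "Bob", "correct-horse-battery-staple")
    print(store.login("bob", "correct-horse-battery-staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("bob", "wrong-guess"))                 # denied ... locked
```

The unknown-ID and locked-account paths return the same "denied"/"locked" words a valid-ID failure would, and the unknown-ID path still performs the hash, so neither the response text nor its timing tells a caller which user IDs exist.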
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Encryption – All transmitted records and files containing personal information that will travel across public networks – All data containing personal information to be transmitted wirelessly
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Reasonable monitoring of systems for unauthorized use of, or access to, personal information – Encryption of all personal information stored on laptops or other portable devices
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Example #1 – Bob is an SMB executive. He forgets his laptop in a cab. The laptop has a BIOS password before booting. It also has a username and a 'strong password'. Bob is annoyed at the loss of the laptop, but feels safe about the privacy of his data… is he right?
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Bob is Wrong! Physical access to a computer almost guarantees that an attacker will get to your unencrypted data: a BIOS password and an OS login do nothing for a drive that is removed and read on another machine. This does not require a highly sophisticated attacker.
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Up-to-date firewall protection and operating system security patches for systems connected to the Internet
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Up-to-date versions of system security agent software • with malware protection • with reasonably up-to-date patches and virus definitions
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Example #2 – A senior executive at a CPA firm 'does not like the antivirus program'. He removes it and installs one of his own preference. The executive is happy; the company is unaware. The new program fails to update. The user's PC is infected. The main company server is hacked.
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Example #3 – A company with an active e-commerce site. The server is behind a firewall. The website uses SSL encryption for all data transmissions. SSL, and ONLY SSL, is allowed from the Internet into this server. Bob feels good about his server.
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Bob is Wrong Again! Bob's hacked computer (Example #2) can serve as a launch pad for an attack against the server; other attacks exist that exploit OS vulnerabilities directly. SSL protects data only while it is in transit, not once it sits on the server. Data should be separated. Data should be encrypted!
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Example #4 – Bob is very conscious of his company's data, so Bob makes sure everything is backed up daily. To protect against disaster, Bob diligently manages several weeks' worth of tape sets. Bob takes one set of tapes to his own house and stores them in his basement. Bob's home is broken into…
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Education and training of employees on the proper use of the computer security system and the importance of personal information security
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: A determination as to whether the comprehensive written information security program is in compliance with the Regulations will take into account the following – Size, scope, and type of business – Amount of resources available – Amount of stored data – Need for security and confidentiality of both consumer and employee information
    • Standards for the Protection of Personal Information of Residents of the Commonwealth: Penalties – Chapter 93A liability • triple damages • costs • attorneys' fees
    • Applicability of other State and Federal Laws – You must still comply with other state and federal laws regarding the protection and privacy of personal information (HIPAA, Red Flags Rule) – However, a person is deemed to be in compliance with the NOTICE provisions of the Data Security Breach Law and the Regulations if the person maintains procedures for responding to a breach of security pursuant to such "other" laws, provided…
    • Applicability of other State and Federal Laws – the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; and – the person notifies the Massachusetts Attorney General and the Director of OCABR as soon as practicable and without unreasonable delay following the breach.
    • Applicability of other State and Federal Laws – You must still comply with the Data Destruction elements of the law!
    • Applicability of other State and Federal Laws – Example: A Massachusetts health care provider experiences a data security breach – Under the revised HIPAA Privacy Rule (pursuant to the Federal Stimulus Package), a Massachusetts health care provider must now provide notice of a data breach to the patient – Under the Massachusetts Data Security Law, the provider must also notify the AG and the Director of OCABR of the breach
    • Applicability of other State and Federal Laws – Furthermore, the Massachusetts health care provider must still comply with the Data Destruction requirements of the Massachusetts Data Security Law
    • Applicability of other State and Federal Laws – Red Flags Rule: Requires "creditors" and "financial institutions" with "covered accounts" to implement programs to identify, detect, and respond to patterns, practices, and specific activities that would indicate identity theft. – Enforcement delayed until August 1, 2009.
    • Applicability of other State and Federal Laws – Red Flags Rule: Good News: compliance with the Massachusetts Data Security Law = compliance with the Red Flags Rule. Bad News: failure to comply with the Massachusetts Data Security Law → likely means failure to comply with the Red Flags Rule. Additional Penalties: $2,500 per knowing violation
    • Next Steps: Assess your organization's current compliance with the Massachusetts Data Security Law – Do you own, license, maintain, or store "Personal Information"? – Do you have a "comprehensive written information security program"? – Have you implemented the required technical security requirements for personal information that is electronically stored or transmitted?
    • Next Steps: Consider bringing in an outside expert – Consequences of not complying: • Monetary penalties • Lawsuits • Bad publicity = potential effect on revenues • Business disruption while compliance is overseen by state regulatory agencies
    • Questions? • Bill Minahan, aNetworks, 781-753-8501, bill@anetworks.net • Mark Rogers, Esq., The Rogers Law Firm, 781-794-1600, mrogers@therogerslawfirm.com