Mass 201 CMR 17 Data Privacy Law


An overview of the Massachusetts 201 CMR 17 Data Privacy Law, which goes into effect on March 1. Contact information is available for each presenter in the slide deck.

Please contact any of us with questions.

Published in: Business

  • Welcome
    About the Law
    Affected Organizations
    Privacy Partners
  • Seminar Agenda
  • Regulatory Compliance
    Which organizations are required to comply with the new law?
    Verbiage: organizations “who own, license, store or maintain personal
    information about a resident of the Commonwealth of Massachusetts.”
    Personally Identifiable Information (PII) includes:
    Electronic transaction and billing data (credit card numbers, bank data, etc.)
    Identity-theft target data (SSNs, identification numbers, etc.)
    Customer records
  • What is Required?
    Four main components:
    Risk Assessment and WISP (Written Information Security Program)
    Data Privacy Awareness Policy
    Security (A/V, Firewall, Encryption)
    Vendor WISP or Sign-Off
  • 201 CMR 17.00
    Web Sites
    Remote Workers
    External Requirements
  • Inman Technology
    About Inman Technology
    Sarah Cortes
    Services Provided
  • History
    Recent breach history:
    • TJ Maxx
    • Heartland
    • CVS
    • Every day there are new breaches
    • Verizon report, April 2009: three-fold increase in breaches in 2008
    • Industry sources: average cost per stolen record at ~$202
  • Massachusetts Laws
    Mass General Laws ch. 93H
    • Directed the Office of Consumer Affairs and Business Regulation to formulate the regulation
    • Goal: protect the Personal Information of all Mass residents
    Business Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
    • Establishes a minimum standard
    • Compliance is based on size, scope, and type of business
    • Resources available, amount and type of data stored
    Mass General Laws ch. 93I – Disposition and Destruction
    • Paper documents
    • Electronic media
  • Data Security Regulations
    Risk-based approach
    • Administrative, technical and physical safeguards appropriate to:
    • Size, scope and type of business
    • Amount of resources available to the business
    • Amount of data stored
    • Need for security and confidentiality of both consumer and employee information
    • All persons, businesses, and agencies must destroy records containing Personal Information “such that the data cannot be practicably read or reconstructed after disposal or destruction”
    The Program = Your WISP
  • Your WISP Program
    Personally Identifiable Information (PII), defined as:
    • First name (or initial) and last name, PLUS
    • SSN, or
    • Driver’s license number (or state-issued ID number), or
    • Financial account number, or
    • Credit / debit card number
    Specific requirements: all people / organizations who store PII of Mass residents
    • Designate employee(s) to maintain the Program
    • Identify and assess reasonably foreseeable internal and external risks
    • Evaluate and improve (where necessary) the effectiveness of current safeguards for limiting risks
    • Develop security policies for employees for storage, access, and transportation of Personal Information
  • Required Compliance Activities
    1. Written Information Security Program
    • (ISO, IEEE, NIST, etc.)
    2. Identification of Records
    • Normalization; data classification: know where your PII exists
    3. Third-Party Providers
    • Must be evaluated for compliance
    4. Rethinking the Collection, Storage and Access to PII
    • Do NOT collect or store data you do not need
    5. Implementing and Monitoring Protective Measures
    • Minimum: annual evaluations
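Item 2 above, “know where your PII exists”, is the step that needs tooling: before you can classify or minimize, you have to find the records that match the 201 CMR 17.00 definition (name plus SSN, account or card number). The scanner below is an added example, not code from the presentation or from any of the presenting firms. It assumes two formats, SSNs written AAA-GG-SSSS with the reserved area/group/serial ranges excluded, and payment-card numbers of 13 to 19 digits confirmed with the Luhn check, and it runs over a constructed sample export. It reports only the last four digits, so the scan output does not become yet another copy of the data it was meant to locate.

```python
"""PII discovery scanner: locate SSNs and payment-card numbers that fall
under the 201 CMR 17.00 definition of "personal information".

Added example, not from the presentation. The patterns, the masking format
and the sample export below are this example's own assumptions."""
import re
from dataclasses import dataclass

# SSN: AAA-GG-SSSS, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces
# or dashes. Candidates are confirmed with the Luhn check to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "card"
    line: int      # 1-based line number in the scanned text
    masked: str    # last four digits only; the scanner must not copy the PII


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a card receipt would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per SSN or Luhn-valid card number, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", lineno, mask(m.group().replace("-", ""))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding("card", lineno, mask(digits)))
    return findings


# Constructed sample export; 4111 1111 1111 1111 is a well-known test number,
# the other card-shaped value fails Luhn, and 987-65-4320 sits in the reserved
# 9xx area so it is not an issued SSN.
SAMPLE = """\
customer,card,notes
Jane Doe,4111 1111 1111 1111,exp 12/11
John Roe,1234 5678 9012 3456,fails Luhn
employee,ssn
A. Smith,123-45-6789
advert,987-65-4320,reserved area 9xx is rejected
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Run it over a real export and the hit list tells you which files and columns belong in the WISP's record inventory; the Luhn filter is what keeps order numbers and phone numbers out of that list.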
  • Your WISP Program
    Specific requirements
    • Impose disciplinary measures for violations
    • Prevent terminated employees from accessing records
    • Oversee service providers
    • Reasonably restrict physical access to, and storage of, records containing Personal Information
    • Regularly monitor the Program and upgrade safeguards as necessary
    • Review the scope of security measures at least annually, or whenever there is a material change in business practices
    • Document responsive actions taken after any breach and conduct a post-incident review of events and actions taken
    In case of breach, REACT IMMEDIATELY
    (see addendum for directions to be followed)
  • Your WISP Program
    Control Access
    • User ID control
    • Assign unique IDs plus passwords that are NOT vendor-supplied default passwords
    • User passwords / biometric / token devices
    • Control of data security passwords (keys to the vault)
    • Restrict access to active users
    • Block access after multiple failed attempts
    • Restrict access to records and files to needed personnel
    • Physical access
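One way to implement the controls on this slide in an application's own login path: unique user IDs, refusal of vendor-default passwords, access only for active accounts (so a terminated employee's login stops working the moment HR flips the flag), and lockout after repeated failed attempts. This is an added example, not code from the presentation; the default-password denylist, the threshold of five attempts, the 15-minute lockout, the minimum length and the result strings are assumptions of the example.

```python
"""Access-control checks from the "Control Access" slide: unique user IDs,
no vendor-default passwords, access only for active users, and lockout
after repeated failed attempts.

Added example, not code from the presentation. The default-password
denylist, the lockout threshold and duration, and the result strings are
this example's own assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5        # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60      # assumption: 15-minute lockout
MIN_PASSWORD_LEN = 12          # assumption
PBKDF2_ROUNDS = 100_000
# Constructed denylist standing in for a vendor's shipped default passwords.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome1", "12345678"}


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failed_attempts: int = 0
    locked_until: float = 0.0


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_policy_violation(password: str) -> Optional[str]:
    """Why a password is refused, or None if it is acceptable."""
    if password.lower() in DEFAULT_PASSWORDS:
        return "vendor-default password"
    if len(password) < MIN_PASSWORD_LEN:
        return "shorter than MIN_PASSWORD_LEN"
    return None


class AccountStore:
    def __init__(self, clock=time.time):
        self._accounts: dict[str, Account] = {}
        self._clock = clock        # injectable so lockout expiry is testable

    def create_user(self, user_id: str, password: str) -> None:
        if user_id in self._accounts:
            raise ValueError("user IDs must be unique; no shared logins")
        problem = password_policy_violation(password)
        if problem:
            raise ValueError(problem)
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, _derive(password, salt))

    def deactivate(self, user_id: str) -> None:
        """Terminated employee: keep the record, remove the access."""
        self._accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> str:
        """Returns "ok", "inactive", "locked" or "bad_credentials"."""
        now = self._clock()
        acct = self._accounts.get(user_id)
        if acct is None:
            # Do the same work as a real check so response time does not
            # reveal which user IDs exist.
            _derive(password, b"\x00" * 16)
            return "bad_credentials"
        if not acct.active:
            return "inactive"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "bad_credentials"
```

The distinct result strings are for the caller's audit log, which the WISP asks you to keep; the message shown to the person at the keyboard should be the same generic failure in every case, so that it does not confirm which IDs exist or which ones are locked.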
  • Common Causes of Data Breaches
    Some common causes
    Stolen laptops
    Rogue employees
    Inadvertent disclosure
    Intra-company email
  • Common Causes of Data Breaches
    • Worms, viruses, Trojan horses, rootkits, spyware, dishonest software
    The protections
    • Education, antivirus software, antispyware, spam elimination
  • Solutions
    Backup and Disaster Recovery: TEST your systems regularly
    Storage media:
    Hard-drive-based backup
    • Limited rotation
    Disaster recovery with backup
  • Solutions
    “Security is a process, not a product” – Bruce Schneier
    • Education
    • Control access
    • Multi-tiered approach to malware – firewalls, virus, spyware, and spam elimination
    • Encryption
    • Reduce potential points of breach
    • Patch management program
    • Monitor everything – and then again
    • Backup and disaster recovery / avoidance
    • Lock it up
  • For More Information
    How to contact Sarah Cortes:
  • Lopez, Chaff & Wiesman
    Jim Wiesman
    About LCWA
  • Types of Data to Reconcile
    Sensitive data at LCWA
    • Social Security numbers
    • Bank account numbers
    • Financial data
    • Tax documents
    Storage and transfer of data
  • Best Practices for Accounting
    Advice to secure accounting practices:
    Payroll services
    Benefits administrators
    Access restrictions
    Questions to ask your CPA firm
  • Contact LCWA
    Contact Jim Wiesman:
  • Shaheen, Guerrera & O’Leary
    Peter Shaheen, Esq.
    About SGO
  • Shaheen, Guerrera & O’Leary
    An attorney’s opinion of the law
    • Enforceability
    • Potential for risk
    • Comparison to similar laws
    • Explicit cost of fines
    • Cost of defense
    • Cost of reputation / client retention vs. implementation
  • Data Destruction / Disposal Law
    Chapter 93I
    • Effective Feb 2008
    • All persons, businesses, and agencies must destroy records containing Personal Information “such that the data cannot be practicably read or reconstructed after disposal or destruction”
    Definition of Personal Information
    • Broader under Chapter 93I than under 93H
    • Includes biometric identifiers
    Paper Records Must be:
    E-Media Must be:
  • Data Destruction / Disposal Law
    3rd-Party Disposal Service Provider
    • During collection, transportation and disposal, must:
    • Implement and monitor compliance with policies and procedures
    • Ensure the prohibition of unauthorized access to, acquisition of, or use of Personal Information
    Penalties / Enforcement
    • Civil fine of up to $100 per data subject affected, up to $50,000 for each instance of improper disposal
    • Attorney General action under Chapter 93A
    • Civil penalties up to $5,000 for each violation
    • Costs of investigation and litigation, including attorney’s fees
    • Restitution
  • Security Breaches: G.L. ch. 93H
    Personal Information Notification Triggers
    • No “substantial risk of harm” calculus
    • Notification is triggered by the breach itself rather than the likelihood of harm or misuse of Personal Information
    • Entities are therefore not exempt from providing notice if a breach does not create a risk of harm
    Notice to Affected Mass Residents
    • Law provides for direct notice to affected consumers unless:
    • More than 500,000 affected Mass residents; or
    • Cost of providing written notices would exceed $250,000
    Substitute notice consists of:
    Email notice to affected consumers;
    Clear and conspicuous notice on the company's home page; and
    Publication in statewide media
  • Security Breaches: G.L. ch. 93H
    What must the notice say?
    • Mass law has different content requirements depending on the recipient of the notice
    Notice to the Attorney General and Director of Consumer Affairs and Business Regulation
    • Nature of the breach of security or the unauthorized access or use of Personal Information
    • Number of Mass residents affected; and
    • Steps the notifying entity is taking, or plans to take, relating to the incident
  • Security Breaches: G.L. ch. 93H
    Notice to Affected Mass Residents
    Consumer’s right to obtain a police report;
    How a consumer requests a security freeze (G.L. 93 ss 56 and 62A);
    Information the consumer will need to provide to request a security freeze; and
    Disclosure of fees associated with placing, lifting or removing a security freeze
    Notice to Affected Mass Residents shall NOT include:
    Nature of the breach or unauthorized access or use; or
    The number of residents affected
  • Security Breaches: G.L. ch. 93H
    COMMON MISTAKES made in Notices to Affected Mass residents
    Notice is too general
    Fails to include the four (4) Mass-specific requirements
    Confusing a Fraud Alert with a Security Freeze
    References to websites rather than providing the information in the letter itself, thereby putting the burden on affected residents to find the information
    Provides a range of fees relating to the security freeze when in fact the amount is set by statute (G.L. 93 ss 56 and 62A)
  • Discovery of a Breach
    Typical situations:
    Stolen or lost laptop, flash drive or other portable media
    Unauthorized activity on the network
    Missing, lost or stolen paper files
    Actions of a departing employee
    Complaints from customers or employees
    3rd-party vendor breach
    In any of these cases, REACT IMMEDIATELY
    (see addendum for directions to be followed)
  • Breach Notification Law
    Requires specific information in the notification to:
    • Attorney General
    • Office of Consumer Affairs
    • Affected individuals
    Relating to:
    • Data security breaches
    • Unauthorized use or acquisition of Personal Information
    • Businesses which suffered PC theft
  • Breach Notification Law
    Notice Requirements
    • Notice by mail, or “substitute notice” if:
    • Cost will exceed $250,000, or
    • Affected class exceeds 500,000 residents, or
    • Sufficient contact information is not available
    • Substitute notice:
    • Email
    • Website
    • Publication in statewide media
  • Breach Notification Law
    Compliance with Federal Law
    • A business that maintains procedures for responding to a security breach that comply with federal laws, rules, regulations, guidance or guidelines will be deemed to be in compliance if it provides notice in compliance with those procedures
    • Must still notify the Attorney General and Director of Consumer Affairs
    Other States’ Laws
    • 45 states, DC, Puerto Rico, and the USVI have enacted breach notification laws
    • Most protect financial information, but some also protect medical information
    • States have differing notice requirements for timing, content and recipients
  • Shaheen, Guerrera & O’Leary
    Advice to Clients
    • Actions to Take
    • Assessment of Potential Risk
    SGO Compliance
  • Contact SGO
    Contact Peter Shaheen, Esq.
  • Doherty Insurance
    Sheila M. Doherty
    About Doherty Insurance
  • Doherty Insurance
    Liability Policies
    Types of Coverage
    • 1st-Party vs. 3rd-Party Coverage
    • Cyber-tech Coverage
    • Liability
    • Employment Practices
    • Malicious, Disgruntled Employees?
  • Doherty Insurance
    Risk Analysis
    • Where are you vulnerable?
    • How much coverage should you purchase?
    • Fast & easy changes to make immediately
    Policy Premiums
    • Variables affecting them
    • Cost of premium vs. risk
  • Doherty Insurance
    Contact Sheila Doherty
    1-800-DOHERTY
  • Internet & Telephone
    About Internet & Telephone
  • Solutions
    Server & Database Security
    • System Monitoring
    • Encryption of Sensitive Data
    • Intrusion Detection
  • Solutions
    What a Firewall Does
    • Protects from external intrusion
    Average Cost to Implement
    • $500+ for hardware
    • $100 / yr software maintenance
  • Solutions
    Endpoint Security Software
    Stops malware such as viruses, worms, Trojans, spyware, adware, bots, zero-day threats and rootkits.
    • Definition Updates
    • Monitoring
    Average Cost to Implement
    • Average $35 / PC per year
  • Solutions
    Data Archival and Disaster Recovery
    Creates a backup of critical data for retrieval or recovery. Protects against the loss of data and/or complete systems.
    • Configuration
    • Regular Updates
    • Periodic Testing of Data Integrity
    • Retention Policy
    Average Cost to Implement
    • Storage device $300 - $3,000 based on size
    • Software $20-$80 per PC / month
  • Solutions
    Mobile Device Security
    • Secure mobile devices with encryption, identity authentication, software firewall and remote wipe.
    • Encryption
    • Disable & Destroy
    • Biometric Authentication
  • Internet & Telephone
    Contact Rick Umenhofer
  • 201 CMR 17.00
    Web Sites
    Remote Workers
    External Requirements