Mass Information Security Requirements January 2010
1. Massachusetts Privacy Laws – Protecting Personal Information: Can You Do It? Presented by: Mark R. Adams, Esq., SPHR. January 13th, 2010

2. Agenda
<ul>
  <li>Background / history leading to the requirements</li>
  <li>Overview of the Massachusetts Data Protection Law</li>
  <li>What is “Personal Information”?</li>
  <li>What is a “Comprehensive Written Information Security Program” (CWISP)?</li>
  <li>Issues to consider in developing a program that meets your company’s needs</li>
  <li>Logistical problems in keeping information accessible yet confidential</li>
  <li>Penalties for non-compliance</li>
  <li>Enforcement</li>
</ul>

3. Background
<ul>
  <li>Massachusetts requirements are in response to high-profile identity theft cases:</li>
  <li>The TJX Companies:
    <ul>
      <li>Massachusetts-based retailer with approx. 2,500 stores.</li>
      <li>Computer system first breached in July 2005.</li>
      <li>Information from 45.7 million cards was stolen from transactions from January through November 2003; TJX did not discover the breach until late 2006.</li>
      <li>455,000 customers affected.</li>
    </ul>
  </li>
</ul>

4. Background
<ul>
  <li>Massachusetts requirements are in response to high-profile identity theft cases:</li>
  <li>The TJX Companies:
    <ul>
      <li>TJX settled in late 2007 and early 2008 with issuing banks of Visa and MasterCard for $40.9 million and $24 million, respectively.</li>
      <li>TJX reached an agreement with the FTC in April 2008 to immediately upgrade and implement comprehensive data security procedures and to submit to outside audits.</li>
      <li>In August 2008, 11 individuals were indicted for crimes in connection with what the Justice Department described as “the single largest and most complex identity theft case ever charged in this country.”</li>
    </ul>
  </li>
</ul>

5. Background
<ul>
  <li>Massachusetts requirements are in response to high-profile identity theft cases:</li>
  <li>Hannaford Brothers Company:
    <ul>
      <li>Maine-based supermarket chain with 165 stores in the Northeast.</li>
      <li>Security breach began in December 2007.</li>
      <li>Credit card numbers were stolen when shoppers swiped their cards and the information was transmitted to banks for approval.</li>
    </ul>
  </li>
</ul>

6. Background
<ul>
  <li>Massachusetts requirements are in response to high-profile identity theft cases:</li>
  <li>Hannaford Brothers Company:
    <ul>
      <li>An estimated 4.2 million credit and debit card numbers were exposed.</li>
      <li>The thefts occurred despite Hannaford’s compliance with the Data Security Standards promulgated by the Payment Card Industry (PCI), which do not require companies to encrypt data at the point of sale, raising doubts about the sufficiency of the PCI standards and merchants’ reliance on them.</li>
      <li>1,800 cases of reported fraud related to the breach.</li>
    </ul>
  </li>
</ul>
7. “New” Law
<ul>
  <li>The first stage of the law, Chapter 93H:
    <ul>
      <li>Effective on October 31, 2007</li>
      <li>Requires notification to residents and state authorities if personal information is improperly accessed or used.</li>
    </ul>
  </li>
  <li>The second stage of the law, Chapter 93I:
    <ul>
      <li>Became effective on February 3, 2008</li>
      <li>Mandates destruction of hard copy and electronic data containing personal information</li>
      <li>Sets forth minimum standards for proper disposal of paper or electronic records containing personal information
        <ul>
          <li>“electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.”</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

8. “New” Law
<ul>
  <li>New comprehensive regulations (201 CMR 17.00)
    <ul>
      <li>Regulations were originally issued to be effective January 1, 2009</li>
      <li>Effective on March 1, 2010</li>
      <li>Define the parameters of a Comprehensive Written Information Security Program (“CWISP”):
        <ul>
          <li>policies and procedures for storing and protecting personal information, and</li>
          <li>employee training</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

9. What is protected personal information?
<ul>
  <li>The first and last name, or first initial and last name; PLUS</li>
  <li>Any one of the following:
    <ul>
      <li>social security number;</li>
      <li>driver’s license number;</li>
      <li>state identification number;</li>
      <li>financial account, debit or credit card number [in combination with or without any required security code, access code or password that would permit access to the individual’s account].</li>
    </ul>
  </li>
  <li>Applies to both electronically stored information and paper files.</li>
</ul>

10. Exercise
<ul>
  <li>What Records Contain Personal Information?</li>
</ul>

11. Identity Theft Law: Employer obligations
<ul>
  <li>Notice to:
    <ul>
      <li>Person affected</li>
      <li>Attorney General’s Office</li>
      <li>Director of Consumer Affairs and Business Regulation</li>
    </ul>
  </li>
  <li>Notice regardless of whether there is a likelihood of harm</li>
  <li>Destruction.</li>
</ul>
12. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Risk Assessment:
    <ul>
      <li>Designating an employee to maintain the program;</li>
      <li>Identifying and assessing reasonably foreseeable internal and external risks to the security</li>
      <li>Evaluating and improving the effectiveness of the current safeguards, including but not limited to:
        <ul>
          <li>ongoing employee (including temporary and contract employee) training;</li>
          <li>employee compliance with policies and procedures; and</li>
          <li>means for detecting and preventing security system failures;</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

13. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Information Storage Assessment:
    <ul>
      <li>Identify where personal information is stored, including:
        <ul>
          <li>paper, electronic and other records,</li>
          <li>computing systems and storage media,</li>
          <li>laptops and portable devices used to store personal information, to determine which records contain personal information,</li>
        </ul>
      </li>
      <li>except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.</li>
    </ul>
  </li>
</ul>

14. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Policy Development:
    <ul>
      <li>Developing security policies for employees that:</li>
      <li>Take into account whether and how employees should be allowed to keep, access and transport records containing personal information;</li>
      <li>Impose disciplinary measures for violations of the program rules;</li>
      <li>Prevent terminated employees from accessing records by immediately terminating their access information outside of business premises.</li>
    </ul>
  </li>
</ul>

15. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Third Party Compliance:
    <ul>
      <li>Contractually requiring service providers to maintain such safeguards;</li>
      <li>Taking “reasonable steps” to verify that third-party service providers are capable of maintaining appropriate security measures to protect personal information;</li>
      <li>What are examples of reasonable steps?</li>
    </ul>
  </li>
</ul>

16. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Limiting Access to Personal Information:
    <ul>
      <li>Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected;</li>
      <li>Limit the time such information is retained to that reasonably necessary to accomplish such purpose;</li>
      <li>Limit access to those persons who are reasonably required to know such information.</li>
    </ul>
  </li>
</ul>

17. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Limiting Access to Personal Information:
    <ul>
      <li>Place reasonable restrictions upon physical access to records containing personal information,</li>
      <li>*** Including a written procedure that sets forth:
        <ul>
          <li>the manner in which physical access to such records is restricted; and</li>
          <li>storage of such records and data in locked facilities, storage areas or containers.</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

18. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Monitoring and Maintenance:
    <ul>
      <li>Regularly monitor to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and</li>
      <li>Upgrade information safeguards as necessary to limit risks.</li>
    </ul>
  </li>
</ul>

19. What Is a CWISP?
<ul>
  <li>A Comprehensive Written Information Security Program (CWISP) must include:</li>
  <li>Monitoring and Maintenance:
    <ul>
      <li>Review the scope of the security measures at least annually;</li>
      <li>Or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.</li>
      <li>Document responsive actions taken in connection with any incident involving a breach of security.</li>
      <li>Conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.</li>
    </ul>
  </li>
</ul>
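Slides 9 and 13 together describe a concrete test (a name plus any one listed data element) and a task (find which records contain such information). The following Python is an added example written for this page, not code from the presentation or any vendor, showing how a records scan can apply that test to text files. The identifier patterns (SSN format, a one-letter-plus-eight-digit license number, a 16-digit card number, an "acct" prefix) and the sample records are constructed assumptions for illustration; the name heuristic deliberately over-matches, so flagged files still need human review.

```python
import re
from dataclasses import dataclass, field

# Added example: classify records against the statutory definition summarised on
# slide 9: (first + last name, or first initial + last name) AND at least one of
# SSN / driver's license or state ID / financial account or card number.

# Heuristic name pattern: "Jane Doe" or "J. Doe". Over-matches (e.g. street names);
# that is acceptable for a discovery scan that feeds a human review.
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z]\.?)\s+[A-Z][a-z]+\b")

# Data-element patterns. These are assumptions for the example, not the legal definitions.
ELEMENTS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "drivers_license_or_state_id": re.compile(r"\b[A-Z]\d{8}\b"),      # assumed MA-style format
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),            # 16-digit card number
    "financial_account": re.compile(r"\b(?:acct|account)\s*#?\s*\d{6,12}\b", re.I),
}


@dataclass
class Finding:
    path: str
    has_name: bool
    elements: list = field(default_factory=list)

    @property
    def is_personal_information(self) -> bool:
        # The statutory test: a name PLUS at least one data element.
        return self.has_name and bool(self.elements)


def classify_text(path: str, text: str) -> Finding:
    """Apply the name + data-element test to one record's text."""
    has_name = NAME_RE.search(text) is not None
    elements = [name for name, rx in ELEMENTS.items() if rx.search(text)]
    return Finding(path, has_name, elements)


def scan_records(records: dict) -> list:
    """records maps a path to its text. Returns only the Findings that meet the definition."""
    findings = (classify_text(path, text) for path, text in records.items())
    return [f for f in findings if f.is_personal_information]


# Constructed sample records (fictional people and numbers) standing in for a file share.
SAMPLE_RECORDS = {
    "hr/benefits_2009.txt": "Employee: Jane Doe, SSN 123-45-6789, enrolled in dental plan.",
    "sales/orders.txt": "Order 8812 shipped to J. Smith, paid with card 4111 1111 1111 1111.",
    "it/inventory.txt": "Laptop asset tag 00231, serial ABC123, assigned to helpdesk.",
    "hr/phone_list.txt": "Ann Lee ext. 6400; Jane Doe ext. 6401.",
}

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"{finding.path}: personal information ({', '.join(finding.elements)})")
```

Note that the phone list is not flagged even though it contains names: without one of the listed data elements it falls outside the definition on slide 9, which is exactly the distinction the exercise on slide 10 asks the audience to make.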
20. What Is a CWISP?
<ul>
  <li>For electronically stored files, employers must maintain a security system that:
    <ul>
      <li>Secures user ids and passwords</li>
      <li>Blocks access after multiple unsuccessful attempts to log in</li>
      <li>Encrypts records traveling across public networks and transmitted wirelessly</li>
      <li>Encrypts personal information stored on laptops and other portable devices (smartphones, memory sticks, PDAs, etc.).
        <ul>
          <li>Deadline for ensuring encryption on laptops: May 1, 2009.</li>
          <li>Deadline for ensuring encryption on other devices: January 1, 2010.</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

21. What Is a CWISP?
<ul>
  <li>For electronically stored files, employers must maintain a security system that:
    <ul>
      <li>Has reasonably up-to-date firewall protection for files containing personal information on a system that is connected to the Internet</li>
      <li>Has reasonably up-to-date malware protection</li>
      <li>Educates and trains employees on the proper use of the computer security system and the importance of personal information security.</li>
    </ul>
  </li>
</ul>
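The first two items on slide 20 (secured user ids and passwords; blocking access after multiple unsuccessful login attempts) are the kind of control an application has to implement itself. The Python below is an added example written for this page, not code from the presentation or any product: passwords are stored as salted PBKDF2 hashes rather than in clear text, and an account is locked for a window after repeated failures. The threshold of five attempts and the 15-minute window are assumptions (the slide only says "multiple"); the injectable clock exists so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Added example: credential storage plus lockout after repeated failed logins.
MAX_FAILED_ATTEMPTS = 5      # assumed threshold; slide 20 only says "multiple"
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window
PBKDF2_ITERATIONS = 100_000  # slow, salted hash so a stolen table is not directly usable


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # monotonic-clock time at which the lock expires


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginService:
    def __init__(self, clock=time.monotonic):
        self._accounts = {}
        self._clock = clock   # injectable so tests can advance time

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user_id] = Account(salt, _hash_password(password, salt))

    def login(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        acct = self._accounts.get(user_id)
        now = self._clock()
        if acct is None:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal which user ids exist.
            _hash_password(password, b"\x00" * 16)
            return "bad_credentials"
        if now < acct.locked_until:
            return "locked"   # refuse even a correct password while locked
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "bad_credentials"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("jdoe", "correct horse battery staple")
    for attempt in range(MAX_FAILED_ATTEMPTS + 1):
        print(attempt + 1, svc.login("jdoe", "wrong password"))
    print("correct password while locked:", svc.login("jdoe", "correct horse battery staple"))
```

A lockout that is too aggressive lets anyone who knows a user id deny that user service, so in practice the threshold is paired with logging of the lockout events (slide 12's "means for detecting and preventing security system failures") and an administrative unlock path.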
22. What Is a CWISP?
<ul>
  <li>Destruction of personal information:</li>
  <li>Personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed</li>
  <li>Unacceptable forms of destruction:
    <ul>
      <li>More than just “hitting the delete button”</li>
      <li>Smashing the hard drive with a hammer</li>
      <li>Drilling a hole (or multiple holes) in the hard drive</li>
    </ul>
  </li>
  <li>Acceptable forms of destruction:
    <ul>
      <li>Hard drive shredding</li>
      <li>Scrubbing</li>
      <li>Degaussing</li>
    </ul>
  </li>
</ul>

23. What Is a CWISP?
<ul>
  <li>Destruction of personal information:</li>
  <li>Hard drive shredding:
    <ul>
      <li>Melts all the particles within the drive. While inexpensive, shredding is only an option if you can afford to constantly purchase new hard drives.</li>
    </ul>
  </li>
  <li>Scrubbing:
    <ul>
      <li>Programs that delete the data stored on a hard drive and then overwrite it with random data several times.</li>
    </ul>
  </li>
</ul>

24. What Is a CWISP?
<ul>
  <li>Destruction of personal information:</li>
  <li>Degaussing:
    <ul>
      <li>Data is stored in magnetic media, such as hard drives, tapes and diskettes (floppy disks), by making very small areas change their magnetic alignment to go in a certain direction. Degaussing equipment applies a strong magnetic field to the media, effectively destroying it because it removes the magnetic alignment. Again, this process is only useful if you can afford to continually purchase new storage media. Further, there is no way to be sure that the degaussing was successful.</li>
    </ul>
  </li>
</ul>

25. What Is a CWISP?
<ul>
  <li>Destruction of personal information:</li>
  <li>Options are generally expensive</li>
  <li>Recommend that companies use third parties who can destroy information for them.</li>
</ul>
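The "scrubbing" option on slide 23 (overwrite the stored data with random data several times) is the one of the three that can be done in software. The Python below is an added example written for this page, not code from the presentation or any disposal vendor, that overwrites a single file in place, forcing each pass to the device, and only then unlinks it. The file name and contents are constructed sample data. Two caveats matter for the "cannot practicably be read or reconstructed" standard on slide 22: on solid-state drives and on journaling or copy-on-write file systems, writing to a path does not necessarily overwrite the physical blocks that held the old data, and, as with degaussing, nothing in software verifies what remains on the platter, so whole-device sanitisation or physical destruction remains the safer choice for the drive itself.

```python
import os
import tempfile

# Added example: overwrite a file's bytes in place for several passes, then delete it.
CHUNK = 1 << 16


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Overwrite the file's current contents `passes` times: random data on every
    pass except the last, which writes zeros. Returns the total bytes written.
    The file is deliberately left in place so a caller can inspect it before deleting."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(b"\x00" * n if i == passes - 1 else os.urandom(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push this pass through the OS cache to the device
    return written


def scrub_file(path: str, passes: int = 3) -> int:
    """Overwrite then unlink. Returns bytes written."""
    written = overwrite_in_place(path, passes)
    os.remove(path)
    return written


def demo(tmp_dir: str = None) -> dict:
    """Constructed demonstration: write a fake personnel file, scrub it, report what was observed."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    path = os.path.join(tmp_dir, "payroll_2009.txt")
    secret = b"Jane Doe, SSN 123-45-6789\n" * 200   # fictional sample content
    with open(path, "wb") as f:
        f.write(secret)
    written = overwrite_in_place(path, passes=3)
    with open(path, "rb") as f:
        residue = f.read()
    scrub_file(path, passes=1)
    return {
        "secret_len": len(secret),
        "bytes_written": written,
        "secret_remains": secret in residue,
        "all_zero": residue == b"\x00" * len(secret),
        "deleted": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```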
26. Issues to Consider
<ul>
  <li>What files are being preserved, and WHERE?</li>
  <li>Who will be accessing this information?</li>
  <li>How is this information safeguarded?
    <ul>
      <li>Centralized?</li>
      <li>Decentralized?</li>
    </ul>
  </li>
</ul>

27. Structure and Organization
<ul>
  <li>Who is going to be accessing these files?
    <ul>
      <li>HR?</li>
      <li>Supervisors?</li>
      <li>Employees?</li>
      <li>Third parties?</li>
    </ul>
  </li>
  <li>Where are these files being accessed from?
    <ul>
      <li>Office?</li>
      <li>Home?</li>
    </ul>
  </li>
</ul>
28. Access and Safeguard Issues
<ul>
  <li>The greater the access, the greater the need for structure:
    <ul>
      <li>Making sure firewalls and encryption software are updated to protect the level of access granted</li>
      <li>The need for a policy, and for training of staff, on acceptable computer use.</li>
    </ul>
  </li>
</ul>

29. Access and Safeguard Issues
<ul>
  <li>The greater the access, the greater the need for structure:
    <ul>
      <li>Different passwords with different levels of access to information</li>
      <li>Need to ACTIVELY oversee that access is added and removed in a timely manner</li>
      <li>Regulate how passwords are provided and changed
        <ul>
          <li>Don’t get locked out of your proprietary information!</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>
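Slide 14 requires that terminated employees lose access immediately, and slide 29 says access must be actively overseen as it is added and removed. Both reduce to one recurring check: reconcile the HR roster against the accounts that actually exist on the system holding personnel files. The Python below is an added example written for this page, not code from the presentation or any HR system. The roster, the account export, the role names (taken from the audience categories on slide 27) and the mapping of each role to the highest access level it "reasonably requires to know" are all constructed assumptions; a real deployment would pull the two lists from the HRIS and the file server's ACLs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example: periodic access review reconciling HR records with system accounts.


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str                          # "HR", "Supervisor", "Employee" or "Third party" (slide 27)
    terminated_on: Optional[date]      # None while still employed


@dataclass(frozen=True)
class AccountAccess:
    user_id: str
    level: str                         # access level granted on the personnel-file share


# Assumed policy: the most access each role reasonably needs (slide 16, "need to know").
ALLOWED_LEVEL = {"HR": "full", "Supervisor": "own_team", "Employee": "self_only", "Third party": "none"}
LEVEL_RANK = {"none": 0, "self_only": 1, "own_team": 2, "full": 3}


def review_access(roster, accounts, as_of: date):
    """Return three lists of user ids: accounts belonging to staff terminated on or
    before `as_of` that still exist, accounts whose level exceeds their role's
    allowance, and accounts with no matching HR record at all."""
    by_id = {e.user_id: e for e in roster}
    orphaned, excessive, unknown = [], [], []
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            unknown.append(acct.user_id)
            continue
        if emp.terminated_on is not None and emp.terminated_on <= as_of:
            orphaned.append(acct.user_id)
            continue
        if LEVEL_RANK[acct.level] > LEVEL_RANK[ALLOWED_LEVEL[emp.role]]:
            excessive.append(acct.user_id)
    return orphaned, excessive, unknown


# Constructed sample data (fictional users).
ROSTER = [
    Employee("alee", "HR", None),
    Employee("bkim", "Supervisor", None),
    Employee("cdoe", "Employee", date(2009, 12, 18)),   # left in December
    Employee("dvan", "Third party", None),
]
ACCOUNTS = [
    AccountAccess("alee", "full"),
    AccountAccess("bkim", "full"),         # supervisor granted HR-wide access
    AccountAccess("cdoe", "self_only"),    # terminated but never removed
    AccountAccess("dvan", "none"),
    AccountAccess("tempx", "own_team"),    # no HR record behind this account
]

if __name__ == "__main__":
    orphaned, excessive, unknown = review_access(ROSTER, ACCOUNTS, date(2010, 1, 13))
    print("remove (terminated):", orphaned)
    print("reduce (over-privileged):", excessive)
    print("investigate (no HR record):", unknown)
```

Running the review at least as often as the annual scope review on slide 19, and after every termination, is what turns the "immediately" on slide 14 into something HR and IT can evidence; the "unknown" list is also the usual place where forgotten contractor and shared accounts surface.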
30. Computer Use Policy
<ul>
  <li>Elements:</li>
  <li>Define who is subject to the policy</li>
  <li>Computers, email, network and servers are company property</li>
  <li>No right to privacy
    <ul>
      <li>Regarding files, data or email messages stored on or transmitted through a company’s network or systems.</li>
    </ul>
  </li>
  <li>Limited to use in the normal course of business
    <ul>
      <li>Information accessed or retrieved is only to be used by, or shared with, persons who have a “need to know”</li>
      <li>Extend the standard to home access / telecommuting.</li>
    </ul>
  </li>
</ul>

31. Computer Use Policy
<ul>
  <li>Elements:</li>
  <li>Prohibit illegal, personal and unprofessional material from being transmitted through systems
    <ul>
      <li>Including email!!!!</li>
    </ul>
  </li>
  <li>Define where files are to be created and stored (on the network or on individual PCs)
    <ul>
      <li>Require use of proper naming protocols for files and folders</li>
    </ul>
  </li>
  <li>Passwords must be kept on file at all times</li>
  <li>Only software licensed to the company is permitted to be loaded onto systems.</li>
  <li>Tie enforcement to the discipline policy.</li>
</ul>
32. Retention and Purging Policies
<ul>
  <li>Policy and procedures need to operate within these constraints:
    <ul>
      <li>Identifying communication channels between HR and IT for reviewing files scheduled to be removed</li>
      <li>Methodology for indexing or classifying files that can be expunged or deleted
        <ul>
          <li>Temporary files v. semi-permanent or permanent files</li>
        </ul>
      </li>
      <li>If email incorporates documents that need to be retained, identifying protocols for archiving and preserving that information in conjunction with other files.</li>
      <li>MAKING SURE HR AND IT ARE ON THE SAME PAGE!!!!</li>
    </ul>
  </li>
</ul>

33. Penalties for Non-Compliance

34. Enforcement
<ul>
  <li>Massachusetts Office of the Attorney General</li>
  <li>Office of Consumer Affairs and Business Regulation (OCABR)</li>
  <li>Individuals can sue on their own:
    <ul>
      <li>Unfair or deceptive trade practices pursuant to G.L. c. 93A, § 11: an individual may seek injunctive relief and/or monetary damages, including double or treble damages, attorneys' fees and costs.</li>
      <li>Negligence: an individual may seek actual and consequential damages against a non-compliant entity.</li>
    </ul>
  </li>
</ul>

35. Questions?
<ul>
  <li>Employers Association of the NorthEast</li>
  <li>3 Convenient Offices:
    <ul>
      <li>67 Hunt Street, PO Box 1070, Agawam, MA 01001-6070, 413-789-6400</li>
      <li>250 Pomeroy Avenue, Suite 200, Meriden, CT 06450, 203-686-1739</li>
      <li>67 Millbrook Street, Worcester, MA 01606, 508-767-3415</li>
    </ul>
  </li>
  <li>Toll Free – 877-662-6444</li>
  <li>www.eane.org</li>
</ul>