Massachusetts data privacy rules v6.0

The Massachusetts Data Privacy Rules
Stephen E. Meltzer, Esquire, CIPP

Agenda
- Introduction
- Scope of Rules
- Overview
- Comprehensive Written Information Security Program (cWISP)

The Massachusetts Data Security Rules
New mandate: PI = PI
Personal Information = Privacy Infrastructure

Who Cares?
Consequences for non-compliance:
AT LEAST:
- Increased risk of government enforcement or private litigation
- G.L. c. 93H § 6 incorporates G.L. c. 93A § 4 (Attorney General enforcement), which provides for:
  - a civil penalty of up to $5,000 per violation
  - attorneys' fees
  - costs of investigation and enforcement
AT WORST:
- Enforcement PLUS bad PR, followed by mandated compliance and ongoing oversight

Enforcement
- Litigation and enforcement by the Massachusetts Attorney General
- Massachusetts law requires notice to the Attorney General of any breach, in addition to the affected consumers
- The Attorney General is likely to investigate based on breach reports
- No explicit private right of action or penalties

Scope of Rules
- Covers ALL PERSONS that own or license personal information about a Massachusetts resident
- Need not have operations in Massachusetts
- Financial institutions, health care and other regulated entities are not exempt

"Personal information": a resident's first and last name, or first initial and last name, in combination with one or more of:
- Social Security number
- driver's license number or state-issued ID card number, or
- financial account number, or credit or debit card number, that would permit access to a financial account

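The practical consequence of this definition is that a name alone, or an SSN alone, is not "personal information" under 201 CMR 17.00; it is the combination that brings a record (and whoever owns or licenses it) into scope. The following data-discovery check is an added example written for this page, not code from the presentation or from the regulation. It applies the combination rule to records as they might appear in a database export. The record layout, the field names, the license-number pattern and the minimum account-number length are assumptions made for the example; only the name-plus-identifier rule comes from the regulation, and whether the data subject is actually a Massachusetts resident is a separate question these records do not answer.

```python
import re

# Added example: applies the 201 CMR 17.02 definition of "personal information"
# (name in combination with SSN, driver's license/state ID, or financial account
# or card number) to constructed records. Field names and number-format patterns
# are assumptions for illustration; only the combination rule is from the regulation.

# SSN: area not 000/666/9xx, group not 00, serial not 0000; dashes optional.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")
# Assumed license format for illustration ("S" + 8 digits); real formats vary by state.
LICENSE_RE = re.compile(r"^S\d{8}$", re.IGNORECASE)
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other 13-19 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(rec):
    """First and last name, or first initial and last name, both present."""
    first = (rec.get("first_name") or "").strip()
    last = (rec.get("last_name") or "").strip()
    return bool(first) and bool(last)


def identifiers(rec):
    """Return which of the qualifying data elements the record carries."""
    found = []
    if SSN_RE.match((rec.get("ssn") or "").strip()):
        found.append("ssn")
    if LICENSE_RE.match((rec.get("drivers_license") or "").replace(" ", "")):
        found.append("drivers_license")
    card = re.sub(r"[ -]", "", rec.get("card_number") or "")
    if CARD_RE.match(card) and luhn_ok(card):
        found.append("card_number")
    acct = (rec.get("account_number") or "").strip()
    if acct.isdigit() and len(acct) >= 6:   # assumed minimum length for illustration
        found.append("account_number")
    return found


def classify(rec):
    """A record is PI under 201 CMR 17.02 only when a name AND an identifier co-occur."""
    name = has_name(rec)
    ids = identifiers(rec)
    return {"is_pi": name and bool(ids), "name": name, "identifiers": ids}


def scan(records):
    """Indices of the records that are in scope, i.e. that a WISP must cover."""
    return [i for i, rec in enumerate(records) if classify(rec)["is_pi"]]


# Constructed sample records (not real people; 4111... is the standard Visa test number).
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},                       # initial + SSN: PI
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111 1111 1111 1111"},   # name + card: PI
    {"ssn": "123-45-6789"},                                                              # SSN alone: not PI
    {"first_name": "John", "last_name": "Smith", "email": "john@example.com"},           # name alone: not PI
    {"first_name": "Ann", "last_name": "Lee", "card_number": "4111 1111 1111 1112"},    # fails Luhn: not PI
    {"first_name": "Bob", "last_name": "Ray", "drivers_license": "S12345678"},           # name + license: PI
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify(rec))
    print("in scope:", scan(SAMPLE_RECORDS))
```

Format checks like these are a discovery aid, not a legal determination: they will miss identifiers stored in unexpected formats and flag some test or placeholder values, so treat the output as the starting point for the risk assessment the program requires, not its conclusion.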
Three Requirements
1. Develop, implement and maintain a comprehensive, written information security program (cWISP) that meets very specific requirements
2. Heightened information security meeting specific computer system security requirements
3. Vendor compliance (phased in)

Evaluating Compliance (not Evaluating Applicability)
Safeguards must be appropriate to:
- size of business
- scope of business
- type of business
- resources available
- amount of data stored
- need for security and confidentiality of consumer and employee information

"The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated."

Comprehensive Written Information Security Program
201 CMR 17.03
(Sample cWISP)

Information Security Program
"[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards"

Comprehensive Information Security Program: required elements
(a) Designate an employee to maintain the WISP.
(b) Identify and assess reasonably foreseeable risks (internal and external).
(c) Develop security policies for keeping, accessing and transporting records.
(d) Impose disciplinary measures for violations of the program.
(e) Prevent access by terminated employees.
(f) Oversee service providers and contractually ensure compliance.
(g) Restrict physical access to records.
(h) Monitor security practices to ensure effectiveness and make changes if warranted.
(i) Review the program at least annually.
(j) Document responsive actions to breaches.

Third Party Compliance
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information

Third Party Compliance: timing
- Contracts entered into "no later than" March 1, 2010: two-year phase-in.
- Contracts entered into "later than" March 1, 2010: immediate compliance.

Comprehensive Information Security Program
Information Security Program Table of Contents (Sample cWISP)

1. Information Security Program Overview
   - Program Purpose
   - Program Chapters
   - Management & Board of Directors Commitment
   - Program Maintenance
   - Program Annual Reviews and Testing
   - Program Enforcement
   - Training Requirements
   - Training Content
   - Training Documentation
   - New Personnel Training
   - Monitoring
2. Information Security Policy
   - Applicable Regulations
   - Information Security Officer
3. Definitions
   - Encrypted
   - Financial Account
   - Personal Information
   - Reportable Security Incident
   - Reportable Sensitive Personal Information
   - Service Provider
   - Substantial Harm or Inconvenience
   - Security Breach
4. Security Risks Considered
   - Administrative Security Risks
   - Technical (Electronic) Security Risks
   - Physical Security Risks
5. Security Risks
   - Security Risk Control Matrix
6. Internet Policy
7. Email Policy
8. Acceptable Use Policy
9. Privacy Policy
   - Website Privacy Policy
   - Organizational Privacy Policy
10. Record Retention & Destruction Policy
   - Purpose
   - Recordkeeping
   - Record Shredding
   - Records Destruction Process
   - Records Destruction Log
   - Electronic Media
   - Transportation of Records
   - Enforcement
11. Data Loss Response
   - Initial Notification
   - Data Breach Actions
12. Forms
13. Appendices

Sample Information Security Policy statement (from the sample cWISP):
"The current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of this Information Security Program.
Safeguarding the personal information of employees and consumers, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in this Program and are supported by specific, documented policies and procedures.
All our employees and certain external parties are expected to comply with this policy. All staff, and certain external parties, will receive appropriate training.
In addition, these policies are subject to continuous, systematic review and improvement.
We are committed to complying with the requirements of Mass. Gen. L. ch. 93H & 93I and 201 CMR 17.00 and have adopted this Information Security Program and these policies for that purpose. This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually."

Breach Reporting
G.L. c. 93H § 3

Breach of security:
"the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure."

Who must notify whom:
- A possessor of the data (one that maintains or stores it but does not own or license it) must give notice of a breach of security, or of unauthorized use or acquisition, to the owner/licensor of the information.
- The owner/licensor must give notice of a breach of security, or of unauthorized use or acquisition, to:
  - the Attorney General
  - the Office of Consumer Affairs and Business Regulation
  - the affected resident

"The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:
- the nature of the breach of security or the unauthorized acquisition or use;
- the number of Massachusetts residents affected by such incident at the time of notification; and
- any steps the person or agency has taken or plans to take relating to the incident."

Sample Breach Notification Letter
http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf

Breach Reporting: first steps
- Stop
- Be afraid
- Call for help

Data Destruction
G.L. c. 93I

Paper documents and electronic media: redact, burn, pulverize or shred, so that personal information cannot be read or reconstructed.

Thank You
