The new massachusetts privacy rules v5.35.1
Published in: Technology, Business

  • 1. The Massachusetts Data Privacy Rules
    Stephen E. Meltzer, Esquire, CIPP
  • 2. The [New] Massachusetts Data Security Rules
  • 3. Agenda
    Scope of Rules
    Comprehensive Written Information Security Program (cWISP)
    [Computer System Security Requirements]
    Breach Reporting Requirements
    What To Do Now
    Questions and Answers
  • 4. The Massachusetts Data Security Rules
    New Mandate:
    PI = PI
    Personal Information = Privacy Infrastructure
  • 5.
  • 6. What Prompted the Rules?
    • High-profile data breach cases
    • 7. Breach notification alone insufficient
    • 8. Reflection of states’ interest in protecting personal information
    • 9. Data in transit or on portable devices most at risk
  • Who Cares?
    Consequences for non-compliance:
    Increased risk of government enforcement or private litigation
    93H § 6 incorporates 93A, § 4
    93A, § 4
    $5,000 per occurrence
    Attorneys fees
    Cost of Investigation/Enforcement
    Enforcement PLUS Bad PR then Compliance and oversight
  • 10. Enforcement
    Litigation and enforcement by the Massachusetts Attorney General
    Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers
    Attorney General likely to investigate based on breach reports
    No explicit private right of action or penalties
  • 11. Looking Ahead
    • Massachusetts is one of the first, but is likely not the last
    • 12. Federal Legislation:
    • 13. HITECH (ARRA)
    • 14. Red Flags
    • 15. H.2221 (prospect of preemption)
  • Scope of Rules
  • 16. Scope of Rules
    Covers ALL PERSONS that own or license personal information about a Massachusetts resident
    Need not have operations in Massachusetts
    Financial institutions, health care and other regulated entities not exempt
  • 17. Scope of Rules
    “Personal information”
    Resident’s first and last name or first initial and last name in combination with
    Driver’s license or State ID, or
    Financial account number or credit/debit card that would permit access to a financial account
  • 18. Three Requirements
    1. Develop, implement and maintain a comprehensive, written information security program that meets very specific requirements (cWISP)
    2. Heightened information security meeting specific computer information security requirements
    3. Vendor Compliance
  • 19. Evaluating Compliance (not Evaluating Applicability)
    Size of business
    Scope of business
    Type of business
    Resources available
    Amount of data stored
    Need for security and confidentiality
    Consumer and employee information
  • 20. Evaluating Compliance (not Evaluating Applicability)
    “The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”
  • 21. Comprehensive Written Information Security Program
    201 CMR 17.03
  • 22. Information Security Program
    “[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”
  • 23. Comprehensive Information Security Program, 201 CMR 17.03(2)(a) through (j)
    a. Designate
    b. Identify
    c. Develop
    d. Impose
    e. Prevent
  • 24. Comprehensive Information Security Program
    (a) Designate an employee to maintain the WISP.
    (b) Identify and assess reasonably foreseeable risks (Internal and external).
    (c) Develop security policies for keeping, accessing and transporting records.
    (d) Impose disciplinary measures for violations of the program.
    (e) Prevent access by terminated employees.
    (f) Oversee service providers and contractually ensure compliance.
    (g) Restrict physical access to records.
    (h) Monitor security practices to ensure effectiveness and make changes if warranted.
    (i) Review the program at least annually.
    (j) Document responsive actions to breaches.
  • 25. Comprehensive Information Security Program
    Third Party Compliance
    1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
    2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information
  • 26. Comprehensive Information Security Program
    Third Party Compliance
    Contracts entered “no later than” March 1, 2010:
    Two-year phase-in.
    Contracts entered into “later than” March 1, 2010:
    Immediate compliance.
  • 27. Comprehensive Information Security Program
  • 28. Breach Reporting
    G.L. c. 93H § 3
  • 29. Breach Reporting
    Breach of security –
    “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
  • 30. Breach Reporting
    Possessor must give notice of
    Breach of Security
    Unauthorized Use or Acquisition
    To Owner/Licensor of Information
    Owner/Licensor must give notice of
    Breach of Security
    Unauthorized Use or Acquisition
    To –
    Attorney General
    Office of Consumer Affairs
  • 31. Breach Reporting
    “The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:
    the nature of the breach of security or the unauthorized acquisition or use;
    the number of Massachusetts residents affected by such incident at the time of notification; and
    any steps the person or agency has taken or plans to take relating to the incident.”
  • 32. Sample Breach Notification Letter
  • 33. Breach Reporting
    Be afraid
    Call for help
  • 34. Computer System Security Requirements
    201 CMR 17.04
  • 35. Electronic Requirements, 201 CMR 17.04
    • Laptop and mobile device encryption
    • 36. Security patches and firewalls
    • 37. System security agents
    • 38. IT Security user awareness
    Use authentication protocols
    Secure access controls
    Encryption of transmittable records
    Monitoring systems
  • 39. User Authentication Protocols
    Control of user IDs
    Secure password selection
    Secure or encrypted password files
    User accounts blocked for unusual logon attempts
    Passwords should be at least 9 characters, alphanumeric with special characters
    After 3 failed login attempts, users are blocked from access
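The two concrete controls on this slide (a 9-character alphanumeric-plus-special password rule and a lockout after 3 attempts) together with the "secure or encrypted password files" bullet can be implemented in a few dozen lines. The following is an added example written for this transcript; it is not code from the presentation or from any Massachusetts regulator, and the `AccountStore` class, its method names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 9            # slide 39: at least 9 characters
MAX_FAILED_ATTEMPTS = 3   # slide 39: blocked after 3 failed attempts
PBKDF2_ROUNDS = 200_000   # assumption: work factor for the stored hash
SPECIAL = set(string.punctuation)


def check_password_policy(password):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIAL for c in password):
        problems.append("no special characters")
    return problems


class AccountStore:
    """Hypothetical in-memory account store.

    Passwords are never kept in clear text: only a per-user random salt and a
    PBKDF2-HMAC-SHA256 digest are stored ("secure or encrypted password files").
    Each account carries a failed-attempt counter and a lock flag.
    """

    def __init__(self):
        self._accounts = {}

    def register(self, user, password):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[user] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}

    def authenticate(self, user, password):
        """Return "ok", "denied" or "locked"."""
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"  # same answer as a bad password: do not reveal which users exist
        if acct["locked"]:
            return "locked"
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, acct["hash"]):  # constant-time comparison
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True   # stays locked until an administrator unlocks it
            return "locked"
        return "denied"

    def unlock(self, user):
        """Administrative reset, to be used only after the user's identity is re-verified."""
        acct = self._accounts[user]
        acct["failed"] = 0
        acct["locked"] = False


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Tr0ub4dor&3")   # constructed sample credential
    for attempt in ("wrong1!!!", "wrong1!!!", "wrong1!!!", "Tr0ub4dor&3"):
        print(attempt, "->", store.authenticate("alice", attempt))
```

The lock is deliberately sticky rather than time-based so that a locked account shows up in the audit trail and requires a human decision; a time-based unlock would be a reasonable alternative where help-desk load matters more.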
  • 40. Secure Access Control Measures
    Permit “access” on a need to know basis
    Password protect account and login to determine level of access
    Network Access Control Software/Hardware
    Audit controls: who is accessing what, and when?
  • 41. Encryption of Transmitted Records
    Encryption of personal information accessed over a public network
    Tunneling options (VPN)
    Faxes, VOIP, phone calls
    Encryption of PI on wireless
    Bluetooth, WEP, Wifi
    Encryption definition is very broad
    PGP and Utimaco are encryption technologies
  • 42. Monitoring of Systems
    Require systems to detect unauthorized use of, or access to, personal information
    Some existing user-account-based systems will already comply
    Again, Network Access Control
    Audit controls
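Slides 40 and 42 describe the same mechanism from two sides: access is granted on a need-to-know basis and every request is audited, and the audit trail is then monitored to detect unauthorized use. The block below is an added example, not code from the presentation; the role-to-record-class matrix, the audit line format, the sample log lines and the alert thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Need-to-know matrix (assumption): which roles may open which record classes.
NEED_TO_KNOW = {
    "hr_clerk": {"employee_pii"},
    "billing": {"customer_financial"},
    "helpdesk": set(),           # no personal information at all
}


class AccessGateway:
    """Hypothetical gateway in front of a records store.

    Enforces the matrix and writes one audit line per request, whether the
    request was allowed or denied, so the denied attempts are visible too.
    """

    def __init__(self):
        self.audit = []

    def request(self, ts, user, role, record_id, record_class):
        allowed = record_class in NEED_TO_KNOW.get(role, set())
        self.audit.append(
            "%s user=%s role=%s record=%s class=%s result=%s"
            % (ts, user, role, record_id, record_class, "allowed" if allowed else "denied")
        )
        return allowed


LINE_RE = re.compile(
    r"^(\S+) user=(\S+) role=(\S+) record=(\S+) class=(\S+) result=(allowed|denied)$"
)


def parse_audit(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, role, record, cls, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "record": record, "class": cls, "result": result})
    return events


def detect_unauthorized(lines, denied_threshold=3, bulk_threshold=5):
    """Return (user, alert_type, count) tuples for three patterns:
    repeated denials (probing), many distinct records opened (bulk pull),
    and allowed access outside 06:00-22:00 (off-hours use)."""
    denied = defaultdict(int)
    opened = defaultdict(set)
    off_hours = defaultdict(int)
    for e in parse_audit(lines):
        if e["result"] == "denied":
            denied[e["user"]] += 1
            continue
        opened[e["user"]].add(e["record"])
        if e["ts"].hour < 6 or e["ts"].hour >= 22:
            off_hours[e["user"]] += 1
    alerts = []
    for user, n in sorted(denied.items()):
        if n >= denied_threshold:
            alerts.append((user, "repeated_denied", n))
    for user, records in sorted(opened.items()):
        if len(records) >= bulk_threshold:
            alerts.append((user, "bulk_access", len(records)))
    for user, n in sorted(off_hours.items()):
        alerts.append((user, "off_hours", n))
    return alerts


# Constructed sample audit trail: one clerk doing normal work, a help-desk user
# probing records outside their role, a billing user pulling records in bulk,
# an off-hours access and one malformed line.
SAMPLE_AUDIT = [
    "2010-02-15T09:02:11 user=jdoe role=hr_clerk record=EMP-1042 class=employee_pii result=allowed",
    "2010-02-15T09:05:40 user=msmith role=helpdesk record=EMP-1042 class=employee_pii result=denied",
    "2010-02-15T09:06:02 user=msmith role=helpdesk record=EMP-1043 class=employee_pii result=denied",
    "2010-02-15T09:06:30 user=msmith role=helpdesk record=CUST-7781 class=customer_financial result=denied",
    "2010-02-15T13:10:00 user=rlee role=billing record=CUST-7781 class=customer_financial result=allowed",
    "2010-02-15T13:10:05 user=rlee role=billing record=CUST-7782 class=customer_financial result=allowed",
    "2010-02-15T13:10:09 user=rlee role=billing record=CUST-7783 class=customer_financial result=allowed",
    "2010-02-15T13:10:14 user=rlee role=billing record=CUST-7784 class=customer_financial result=allowed",
    "2010-02-15T13:10:20 user=rlee role=billing record=CUST-7785 class=customer_financial result=allowed",
    "2010-02-16T02:14:00 user=jdoe role=hr_clerk record=EMP-1099 class=employee_pii result=allowed",
    "this line is corrupt and must not crash the monitor",
]

if __name__ == "__main__":
    for alert in detect_unauthorized(SAMPLE_AUDIT):
        print(alert)
```

The thresholds are starting points to tune against a site's normal volume; the point of the slide is that the system both records every access and is actually watched, so the detection runs over the same lines the gateway writes.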
  • 43. Laptop and Mobile Device Encryption
    Encryption of PI stored on laptops
    Applies regardless of laptop location
    Encryption of PI stored on “mobile” devices
    Does incoming email become a problem?
    This applies only if you have personal information in motion.
    Email is clear text, so anyone's email can be read on the Internet.
  • 44. Security Patches and Firewalls
    “Reasonably up-to-date firewall protection and operating systems patches” for Internet connected computers
    Date on operating systems
    All organizations should have a firewall in place (not a router; a firewall)
    Can hire an organization to update and manage the security infrastructure:
  • 45. Systems Security Agent Software
    Malware is what is infecting most environments, via HTTP and HTTPS traffic.
    Your users are your worst enemy
    Products to look at for Malware
    Anti-malware technology required
    Are certain products better?
    What about Macs or Linux?
    Set to receive auto-updates
  • 46. Employee Education and IT Security Training
    Proper training on all IT security policies
    User awareness
    Importance of PI security
    Proper use of the computer
    Everyone is involved
    Your employees are your weakest link to any IT security program.
    They need to know the rules.
    Stand up training
    Newsletters
    Online training
  • 47. The Approach
    Inventory what type of personal information is being kept
    Assess risk
    Plan information security strategy
    Security, Confidentiality, Integrity
    IT infrastructure and information change processes
    Implement plan and policies
    Technology deployment
    Policy implementation
    User awareness
    Continual review
    Security is all about vigilance…
    Compliance is knowing what you need to protect and building a fortress around it and testing it on a frequent basis!
  • 48. Data Destruction
    G.L. c. 93I
  • 49. Data Destruction (93I)
    Paper documents / electronic media:
    Redact, Burn, Pulverize, Shred
    So that Personal Information cannot be read or reconstructed
  • 50. Data Destruction (93I)
    Attorney General: Unfair and Deceptive Practices remedies - 93H
    Civil Fine-$100/data subject not to exceed $50,000/instance – 93I
  • 51. What To Do Now
  • 52. Compliance Deadlines: March 1, 2010
    Take all reasonable steps to ensure vendors apply protections as stringent as these (written certification not necessary)
    Encrypt other (nonlaptop) portable devices
    Implement internal policies and practices
    Encrypt company laptops
    Amend contracts with service providers to incorporate the data security requirements
  • 53. Tasks
  • 54. Tasks
    Form a team
    – Include necessary Management, IT, HR, Legal and Compliance personnel
    Review existing policies
    – Do your current data security policies and procedures create barriers to compliance?
    Map data flows that include personal information
    – Consider limiting collection of personal information and restrict access to those with a need to know
  • 55. Tasks
    Identify internal and external risks and effectiveness of current safeguards
    Draft comprehensive written information security program
    Negotiate amendments to vendor agreements and audit for vendor compliance
    Encrypt laptops, portable devices and data in transit
  • 56. Tasks
    Restrict access to personal information
    Train employees
    Institute monitoring and self-auditing procedures
    Update systems including firewall protection and malware and virus protection
  • 57. Sample WISP Please
  • 58. Sample WISP Please
    Information Security Program Manual
    Risk Management Framework
    Security policy
    Organization of information security
    Asset management
    Human resources security
    Physical and environmental security
    Communications and operations management
    Access control
    Information systems acquisition, development and maintenance
    Information security incident management
    Business continuity management
    Change history
  • 59. Sample WISP Please
    Information Security Program Table of Contents
    Information Security Program Overview 6
    Information Security Policy 11
    Definitions 13
    Security Risks Considered 15
    Security Risks 17
    Internet Policy 33
    Email Policy 34
    Privacy Policy 38
    Record Retention & Destruction Policy 40
    Acceptable Use Policy 43
    Data Loss Response 47
  • 60. Action Plan
    Compliance Engagement Plan
    • In-house IT/HR/Legal
    • 61. Outsourced IT/HR/Legal
    • 62. Combination
  • Resources
    Statute (M.G.L. c. 93H)
    Rules (201 CMR 17.00)
    OCABR Guidance
    Compliance Checklist
    Small Business Guide
    Frequently Asked Questions Regarding 201 CMR 17.00
  • 63. Thank You