Analysis: Massachusetts Breach Law

This is an analysis of the Massachusetts data breach notification law.


  1. The Massachusetts Breach Law: A legal, policy, and technical analysis. (c) 2009 Alina J. Johnson
  2. Overview
     • Rationale: the development of information law
     • Public interests and other stakeholders
     • Competing frameworks
     • Information rights
     • Ownership and control
     • Expectations in the digital age
     • Rights, roles, and responsibilities
     • Limited government interference
     • Suggested approaches, amendments, revisions, and reform
  3. Rationale
     • Historical significance: SB 1386 (CA)
     • The evolution of cybercrime: impact and effects
     • Current MA legislation: 201 CMR 17.00; M.G.L. c93H
     • Move towards security, away from privacy: need for balance
  4. Identity theft, data breach, and information security: computer incident laws of the Commonwealth of Massachusetts
     • Two statutes
       – Chapter 266 (Crimes Against Property), Section 37E: Use of personal identification of another; identity fraud; penalty; restitution
       – Chapter 82 of the Acts of 2007: An Act Relative to Security Freezes and Notification of Data Breaches
     • Two regulations
       – 201 CMR 16.00: Placing, Lifting and Removal of Security Freezes
       – 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
     • Executive Order 504: Order Regarding the Security and Confidentiality of Personal Information
  5. Public Interests and Other Stakeholders
     • National/federal law
     • Statutory law
     • Ordinances, rules, regulations, guidelines, and best practices in both private and public sector organizations
     • Roles and responsibilities: the role of “YOU” in InfoSec
  6. Competing Frameworks
     • Technical: security is left to the IT department... until there is a problem
     • Legal: compliance and enforcement are confusing, as proliferation increases the number of players
     • Economic: demand increases for accountability, oversight, and transparency while viable supply options wane
     • Social: networking sites draft their own policies; no uniformity or guidelines to follow
  7. Information Rights
     • Currently, organizations follow the law... but then there is the third party (affiliate)
     • The third party typically plays the role of the “elephant in the room”: no one knows what to expect when an emergency occurs
     • Legally, there is no expectation of privacy with third parties
  8. Ownership and Control
     • Information rights of the user should be defined
     • Information usage should be defined by the user, not the organization
     • Accountability, oversight, and transparency should be employed throughout
     • Privacy and security should be weighed carefully so that one does not imbalance the other
  9. Expectations
     • Consumers: any and all agreements (licenses or contracts) should reflect an awareness of information rights and usage to protect the consumer at all times, under any and all circumstances
     • Organizations: terms of use, terms of service, and end user license agreements should form a barrier of protection against the risk of the third-party affiliate
  10. Rights, Roles, and Responsibilities: the three R's should be evenly distributed among the stakeholders, with an emphasis on the individual rights of the consumer and the right to control the flow of information in offline and online environments
  11. Rights, roles, and responsibilities
     • Consumer: as owner of the information, the right of control must be protected
     • Organization: as data steward, must be accountable, responsible, and compliant with the law. Holds accountability, responsibility, and obligation to the consumer, as it has been entrusted with sensitive information; it must protect itself from harm by explicit written agreements that do no harm to the consumer
     • Government: as public steward, it must protect the interests of both industry and consumer in the broadest means possible
  12. Limited government interference
     • The government should not interfere with the rights of consumers or companies in developing appropriate best practices with respect to information rights and usage
     • Voluntarily submitted information is especially sensitive, so it should incur special enhanced protections
  13. Suggestions
     • Limitations of information usage should be imposed on terms of use, terms of service, and end user license agreements to protect the consumer
     • Consumers should be granted enhanced rights to protect their personally identifiable information (PII), as well as voluntarily submitted information, as there is an expectation of privacy and security in that submission
  14. Final Thoughts
     • The “new” ROI:
       – RESULTS
       – OUTCOMES
       – IMPACT
  15. Final Thought: “The status quo is no longer acceptable in the digital age, as consumers, organizations, and governments are more informed than ever before.” - Alina J. Johnson. (c) 2009 Alina J. Johnson, MSI