IIAC Young Agents - Protecting Your Insureds' Private Information

Personal information security and breach notification requirements are topics that all independent insurance agencies need to be aware of and be prepared for operationally in the event of a loss of clients\' information.

Published in: Economy & Finance, Business
Speaker notes:
  • 8/18/2010
  • Conn. Gen. Stat. 38a., Chapter 700 Property and Casualty Insurance (e.g.) http://www.cga.ct.gov/2011/pub/title38a.htm §38a-8 “Duties of Commissioner…” §38a-41 “Authority to do business…”
  • Administrative Actions: To minimize that potential, licensees and registrants are urged to follow these procedures.
  • Sec. 36a-1. (Formerly Sec. 36-1). General statement. This title shall be known as the "Banking Law of Connecticut" and shall be applicable to all Connecticut banks, Connecticut credit unions, mortgage lenders, mortgage correspondent lenders, mortgage loan originators and mortgage brokers, money order and travelers check licensees, check cashing service licensees, trustees under mortgages or deeds of trust of real property securing certain investments, corporations exercising fiduciary powers, small loan licensees, sales finance companies, mortgage servicing companies, debt adjusters, and to such other persons as subject themselves to the provisions of this title or who, by violating any of its provisions, become subject to the penalties provided in this title. [This would apply because the breach section pertains to any “person”, which is further defined as:] (48) "Person" means an individual, company, including a company described in subparagraphs (A) and (B) of subdivision (11) of this section, or any other legal entity, including a federal, state or municipal government or agency or any political subdivision thereof;
  • One caveat: I am not a lawyer, and although we will take time to answer questions at the end, I do want to remind folks that if they have a specific question pertaining to the laws in their states (or laws that do apply to them regardless), they should consult a lawyer. § = section. 46 states as of October 2010.
  • Each state directly addresses “unauthorized” access and both NJ & CT specify that the access (or acquisition) is not secured by encryption. In other words, if someone has access to PI that is encrypted, it is not a breach here. Slightly different than IC-25!
  • http://www.msnbc.msn.com/id/42849365/ns/technology_and_science-security/
  • Notice that NY’s definition does not trigger a breach… we’ll see on the next slide what information would constitute a breach. Again, only slightly different than IC-25.
  • Added the note about IC-25. (5/11/11) If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision. (NH)
  • CT DOI – encryption doesn’t matter. And there is much more required in the notification, the other law doesn’t specify. (d)(1) Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection. If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont attorney general or the department of banking, insurance, securities, and health care administration as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in subdivision 317(c)(9) of Title 1.
  • NY – electronic notice - provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction. NH - Electronic notice, if the agency or business' primary means of communication with affected individuals is by electronic means.
  • This is not in the breach notification law (Sec. 36a-701b).
  • Enacted November 12, 1999; effective November 13, 2000; compliance: July 1, 2001. http://ftc.gov/privacy/glbact/glboutline.htm
  • http://www.ftc.gov/privacy/glbact/glbsub1.htm#6802
  • Enacted November 12, 1999; effective November 13, 2000; compliance: July 1, 2001. http://ftc.gov/privacy/glbact/glboutline.htm http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. http://www.ftc.gov/privacy/glbact/glbsub1.htm#6809 (5) Nonaffiliated third party: The term ''nonaffiliated third party'' means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution. (6) Affiliate: The term ''affiliate'' means any company that controls, is controlled by, or is under common control with another company.
  • http://www.ftc.gov/privacy/glbact/glbsub1.htm#6809
  • Enacted November 12, 1999; effective November 13, 2000; compliance: July 1, 2001. http://ftc.gov/privacy/glbact/glboutline.htm
  • http://www.ftc.gov/privacy/glbact/glbsub1.htm#6803 There is more detail here. The disclosure required by subsection (a) of this section shall include - (1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 6802 of this title, and including - (A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 6802(e) of this title; and (B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution; (2) the categories of nonpublic personal information that are collected by the financial institution; (3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 6801 of this title; and (4) the disclosures required, if any, under section 1681a(d)(2)(A)(iii) of this title. (Pub. L. 106-102, title V, Sec. 503, Nov. 12, 1999, 113 Stat. 1439.)
  • Almost exactly the same as the other breach laws.
  • Think of a phone book…
  • As long as the risk of losing PI is determined to be low and the cost or resources needed to implement a solution to a compliance gap is prohibitive, you could say that your assessment is such that you will not need to do…
  • This is the one area that I think is a step back.
  • As you will see, for the most part, the states we are discussing today are rather consistent in how they define a breach. NY – it is referred to as a “Breach of the security of the system”…
  • Note that CT does not have “good faith” language in its General Statute.
  • So, say a breach does occur…
  • Careful if this is the determination that we make.
  • Only the states of NH, NY (and later we’ll see MA) specify what the breach notifications must contain, information-wise.

    1. Client Confidentiality – Protecting Your Insureds’ Private Information
       IIAC Young Agents – Jason Hoeppner, CIC
    2. Objectives
       • To bring awareness about the laws, regulations and administrative letters concerning the protection of clients’ personal information.
       • To understand the requirements of these laws and regulations as they pertain to insurance agencies and their operations.
       • To describe how you can improve your ability to protect non-public personal information (PI) at your agency.
    3. Agenda
       • CT Laws
         • CT Insurance Bulletin IC-25
         • Breach Notification Laws
       • Gramm-Leach-Bliley Act
       • Ways to better protect PI at your agency.
       • Time permitting:
         • MA 201 CMR 17.00
         • Federal Legislative Initiatives
    4. Agenda
       • CT Laws
         • CT Insurance Bulletin IC-25
         • Breach Notification Laws
       • Gramm-Leach-Bliley Act
       • Ways to better protect PI at your agency.
       • Time permitting:
         • MA 201 CMR 17.00
         • Federal Legislative Initiatives
    5. CT Laws
       • Bulletin IC-25
         • To “All regulated entities in CT”
         • Including:
           • Insurance Producers
           • Certified Insurance Consultants
           • Property and Casualty Insurers
           • Life and Health Insurers
           • Surplus Lines Companies
           • Casualty Claims Adjusters…
    6. CT Laws
       • Bulletin IC-25 (cont.)
         • The CT Insurance Department is requiring all licensees and registrants to notify the Department as soon as an incident is identified (but no later than 5 calendar days after) of any information security breach which affects any CT residents.
         • Refers back to Title 38a (Insurance) and Title 42 (Conn. Gen. Stat. 42-471) Protection of Social Security Numbers and Personal Information for authority.
    7. CT Laws
       • Bulletin IC-25 (cont.)
       • The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.
    8. CT Laws
       • Bulletin IC-25 (cont.)
         • Notification Procedures (See Breach Notification)
         • Vendors / Business Associates
           • The Department also specifies that an information security incident at or by a vendor or business associate of a licensee or registrant … should be reported by the licensee or registrant to the Department.
         • Administrative Actions
           • Each incident will be evaluated on its own merits, and depending on the circumstances, some situations may warrant imposition of administrative penalties by the Department.
    9. CT Laws
       • The state statute that pertains to breaches of personal information is:
       • Sec. 36a-701b. Breach of security re computerized data containing personal information.
    10. Agenda
       • CT Laws
         • CT Insurance Bulletin IC-25
         • Breach Notification Laws
       • Gramm-Leach-Bliley Act
       • Ways to better protect PI at your agency.
       • Time permitting:
         • MA 201 CMR 17.00
         • Federal Legislative Initiatives
    11. National Conference of State Legislatures
       • Links to all state breach notification laws can be found here: http://www.ncsl.org/default.aspx?tabid=13489
       State – Pertinent Law:
       • NY – New York General Business Law (GBS) Article 39-F, § 899-aa
       • NJ – New Jersey Statute 56:8-163
       • CT – Connecticut General Statute 36a-701(b)
       • VT – Vermont Statute Title 9 Chapter 62: Protection of Personal Information
       • NH – New Hampshire Statute Chapter 359-C: Right to Privacy, Sections 359-C:19-21
    12. Conn. Gen. Stat. 42-471
       • Sec. 42-471. Safeguarding of personal information. Social Security numbers. Privacy protection policy. Civil penalty.
       • (a) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.
       • (b) Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. For purposes of this subsection, "publicly displayed" includes, but is not limited to, posting on an Internet web page. Such policy shall: (1) Protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.
       • (c) As used in this section, "personal information" means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
       • (d) For persons who hold a license, registration or certificate issued by, or a charter subject to the supervision of, a state agency other than the Department of Consumer Protection, this section shall be enforceable only by such other state agency pursuant to such other state agency's existing statutory and regulatory authority.
       • (e) Any person or entity that violates the provisions of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event. It shall not be a violation of this section if such violation was unintentional.
       • (f) The provisions of this section shall not apply to any agency or political subdivision of the state.
       • (g) If a financial institution has adopted safeguards that comply with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 USC 6801, then such compliance shall constitute compliance with the provisions of this section.
       • (h) Any civil penalties received pursuant to this section shall be deposited into the privacy protection guaranty and enforcement account established pursuant to section 42-472a.
    13. What Is a Breach?
       • According to current legislation in Connecticut, a breach is defined as:
         • “unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”
    14. What Is a Breach?
       • The bottom line is that any time someone who is not authorized to access personal information, an agency employee or not, obtains that information and has the opportunity to misuse that information, it is most likely a breach.
    15. Personal Information
       State – Definition of Personal Information:
       • CT – Individual’s first name (or first initial) and last name, in conjunction with one or more of the following:
         (1) Social Security Number
         (2) Driver’s (or motor vehicle operator’s) License number or other state/government ID number
         (3) (Financial) Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
       "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
    16. Breach Notification Requirements
       • CT – Who needs to be notified?
         • The owner or licensee of the breached PI.
         • Residents of the state of CT whose PI was breached.
       • CT – When?
         • Immediately following the discovery of the breach.
         • Without unreasonable delay, subject to a law enforcement agency determination that such notification will not impede a criminal investigation.
       Additionally, as we see with IC-25, the CT Insurance Department must also be notified.
    17. Additional Points on Notifications
       • CT:
         • Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.
         • As we can see, the requirements for reporting a breach are slightly higher for the CT Insurance Department than for the standard breach notification requirements under the banking law.
    18. Methods for Breach Notifications
       Type of Notification – Notes:
       • Written
       • Electronic – Provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001.
       • Telephone
       • Substitute (Email, Website, Major (statewide) media) – In cases where notification costs are greater than $250,000 or more than 500,000 individuals have been affected.
    19. Breach Notification Contents
       • What a notification should contain as outlined in Bulletin IC-25:
         • Date and description of incident (how information was lost, stolen, breached)
         • How (it was) discovered
         • Whether lost, stolen, or breached information has been recovered, and if so, how
         • Whether individuals involved in the incident (both internal and external) have been identified
         • Whether a police report has been filed
         • Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, … etc.)
    20. Breach Notification Contents
       • What a notification should contain (cont.)
         • Whether information was encrypted
         • Period of time lost, stolen or breached information covered
         • How many Connecticut residents affected
         • Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
         • Identification of remedial efforts being undertaken to cure the situation that permitted the information security incident to occur
         • Copies of the licensee/registrants’ Privacy Policies and Data Breach Policy
    21. Breach Notification Contents
       • What a notification should contain (cont.)
         • Regulated entity contact person with whom the Department can communicate regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant.)
         • Other regulatory or law enforcement agencies notified (who, when).
         • For the Department’s review, a draft version of any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident. Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection that the Department will require to be offered to affected consumers and for what period of time.
    22. Agenda
       • CT Laws
         • CT Insurance Bulletin IC-25
         • Breach Notification Laws
       • Gramm-Leach-Bliley Act
       • Ways to better protect PI at your agency.
       • Time permitting:
         • MA 201 CMR 17.00
    23. The Gramm-Leach-Bliley (GLB) Act
       • The Gramm-Leach-Bliley Act contains “privacy provisions relating to consumers' financial information. Under these provisions, financial institutions have restrictions on when they may disclose a consumer's personal financial information to nonaffiliated third parties.”
       The GLB Act also specifies that financial institutions provide consumers with a privacy notice as well as a way to “opt-out” of the sharing of their information.
    24. The Gramm-Leach-Bliley (GLB) Act
       • This law states that “a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice…” (Sec. 6802.)
       What does this mean? You need to have a privacy notice that is available to your customers.
    25. The Gramm-Leach-Bliley (GLB) Act
       • Before we get too far… a few definitions:
         • Financial Institution
           “Companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance…” So YES, we are covered.
         • Affiliate
           “Any company that controls, is controlled by or is under common control with another company.”
         • Nonaffiliated third party
           Not an affiliate; does not include joint employees.
    26. The Gramm-Leach-Bliley (GLB) Act
       • More definitions
         • Nonpublic personal information
           Personally identifiable financial information –
           (i) provided by a consumer to a financial institution;
           (ii) resulting from any transaction with the consumer or any service performed for the consumer; or
           (iii) otherwise obtained by the financial institution.
         • Also covers lists that contain publicly available information, and that are derived from, or grouped based on, nonpublic personal information.
    27. The Gramm-Leach-Bliley (GLB) Act
       • So what does it mean to insurance agencies?
         • You need a Privacy Notice to provide your clients.
         • Part of the Privacy Notice should explain how to “opt-out” of having personal information shared.
         • You “may not disclose nonpublic personal information to a nonaffiliated third party” otherwise.
         • There are exceptions, such as when disclosure is needed to provide a service the consumer requests (think credit reports), with their consent or where required by law.
    28. The Gramm-Leach-Bliley (GLB) Act
       • When do you need to share your agency’s Privacy Policy?
         • “At the time of establishing a customer relationship…”
         • “And not less than annually…”
         • Renewals happen annually (or semi-annually!)
       • What does this notice need to include?
         • “Policies and practices with respect to disclosing nonpublic personal information (NPI)…”
         • The types of NPI you collect.
    29. Agenda
       • CT Laws
         • CT Insurance Bulletin IC-25
         • Breach Notification Laws
       • Gramm-Leach-Bliley Act
       • Ways to better protect PI at your agency.
       • Time permitting:
         • MA 201 CMR 17.00
    30. How To Better Protect PI
       • Try going paperless!! … Or at least reduce what you keep.
         • Networks are much easier to secure than paper files & filing cabinets.
         • It might also make you more efficient.
       • Update your management systems.
         • Newer versions & platforms often have additional protective measures for fields that contain PI.
         • This will also help with streamlining work and supporting paperless operations.
    31. How To Better Protect PI
       • Encrypt portable devices.
         • These items (laptops, thumb drives, CDs/DVDs) are very easily lost or stolen.
         • And, any hacker with any amount of skill can get into your data given a short amount of time.
       • Secure your paper!
         • At the office…
           • Done for the day?
           • Clients at your desk.
         • Visiting clients.
    32. CT - Additional
       • (f) Any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies subject persons in accordance with such person's policies in the event of a breach of security. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies subject persons in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security of the system.
       • (g) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.
       • (P.A. 05-148, S. 3; 05-288, S. 231, 232.)
       • History: P.A. 05-148 effective January 1, 2006; P.A. 05-288 made technical changes in Subsecs. (b) and (f), effective January 1, 2006.
    33. References
       • CT Information Security Incidents Bulletin (IC-25)
         http://www.ct.gov/cid/lib/cid/Bulletin_IC_25_Data_Breach_Notification.pdf
       • CT Breach Notification Laws
         http://www.cga.ct.gov/2011/pub/chap669.htm#Sec36a-701b.htm
       • Gramm-Leach-Bliley Act
         http://www.ftc.gov/privacy/glbact/glbsub1.htm
    34. Agenda
       • CT Laws
         • CT Insurance Bulletin IC-25
         • Breach Notification Laws
       • Gramm-Leach-Bliley Act
       • Ways to better protect PI at your agency.
       • Time permitting:
         • MA 201 CMR 17.00
    35. What is MGL c 93H?
       • It is Chapter 93H of the General Laws of Massachusetts, which regulates security breaches and which has been in place since October 2007.
       • In it, personal information breaches are defined & the requirement to report any breaches is also specified.
       • However, up until 201 CMR 17.00 was passed, there was nothing that implemented “the provisions of MGL c 93H relative to the standards to be met” for the protection of personal information of residents of the Commonwealth.
    36. What is 201 CMR 17.00?
       • 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, is the regulation that implements the provisions of MGL c. 93H relative to the standards to be met by persons who own or license personal information (PI) about a resident of the Commonwealth of Massachusetts.
       • A direct link to the regulation can be found here (on the MA OCABR web page):
         http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
    37. The Basics of 201 CMR 17.00
       • As of March 1, 2010, all entities that own or license personal information about a resident of MA are required to comply with this law.
       • Every agency (or entity) must designate a Security Officer & have a written information security program (WISP) in place.
       • All employees must be trained on the security program.
       • The safeguarding of this information applies to physical security as well as electronic security (paper & computer files as well).
       • If a breach occurs, it must be reported and the corrective actions must be taken.
    38. 38. Does This Regulation Apply to Agencies? <ul><li>The definition of persons in 201 CMR 17.00 is: </li></ul><ul><ul><li>“ a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” </li></ul></ul><ul><li>And the scope of the law specifies that: </li></ul><ul><li>“ The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.” </li></ul><ul><li>So, yes, an insurance agency is a “person” and is therefore required to comply with this regulation. </li></ul>
    39. 39. What is Personal Information (PI)? <ul><li>Per the definition in both MGL c 93H & 201 CMR 17.00, personal information is: </li></ul><ul><ul><li>A Massachusetts resident's first name (or first initial) and last name in combination with any one or more of the following data elements that relate to such resident: </li></ul></ul><ul><ul><ul><li>(a) Social Security number; </li></ul></ul></ul><ul><ul><ul><li>(b) driver's license number or state-issued identification card number; </li></ul></ul></ul><ul><ul><ul><li>(c) financial account number, or credit or debit card number </li></ul></ul></ul>
    40. 40. What is Personal Information Is Not <ul><li>Personal information is not : </li></ul><ul><li>“… Information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public...” </li></ul>
41. Conducting a Security Assessment
- Per 201 CMR 17.00, your security program must include “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”
- First, step out of your agency role and become a completely objective observer.

42. What is a WISP?
- As a reminder, 201 CMR 17.00 requires that “every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…”
- This Written Information Security Program (WISP) is your agency’s policy document on how you handle, and ensure the security of, your clients’, prospects’, and employees’ PI.

43. What is a WISP?
- Your WISP will “include, but shall not be limited to:”
- (a) Designating one or more employees to maintain the comprehensive information security program
- (b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
  1. ongoing employee (including temporary and contract employee) training;
  2. employee compliance with policies and procedures; and
  3. means for detecting and preventing security system failures.

44. What is a WISP?
- Your WISP will “include, but shall not be limited to:”
- (c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
- (d) Imposing disciplinary measures for violations of the comprehensive information security program rules.
- (e) Preventing terminated employees from accessing records containing personal information.

45. What is a WISP?
- Your WISP will “include, but shall not be limited to:”
- (f) Oversee service providers, by:
  1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
  2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.

46. What is a WISP?
- Your WISP will “include, but shall not be limited to:”
- (g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
- (h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

47. What is a WISP?
- Your WISP will “include, but shall not be limited to:”
- (i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- (j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
48. What About a Breach?
- A person or agency that owns or licenses data that includes PI about a resident of the commonwealth shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency
  - knows or has reason to know of a breach of security, or
  - when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose,
  - to the attorney general, the director of consumer affairs and business regulation and to such resident, in accordance with… M.G.L. c 93H
  - (Chapter 93H: Section 3.)

49. What About a Breach?
- In addition, and in accordance with the WISP, the person or agency must:
  - Conduct an immediate, mandatory post-incident review of events and actions taken, if any.
  - Determine whether any changes in security practices are required to improve the security of personal information for which the person or agency is responsible.
- These Requirements Apply Whether One or a Thousand Records Have Been Breached.

50. How Does This Affect Agency Operations?
- It is a fair assumption that these requirements will prompt changes in the way your agency operates.
- Employees need to be cognizant of what information is contained in the documents they are handling and treat them accordingly.
- This will most likely also mean some changes to the physical layout or storage areas at your agency.
- You may find that you are operating more efficiently and effectively after implementing the changes.

51. How Does This Affect Agency Operations?
- Network security and password policies must be up-to-date and enforced. No yellow sticky notes with passwords!
- Emails that contain personal information (PI) must be encrypted as far as it is technically feasible and reasonable.
- Any portable devices (e.g., laptops, thumb drives) that store PI (even in a copy of an email or other document) must be encrypted.
- Wireless networks must be encrypted.
- Paper records must be stored in a secure, locked area accessible only to those employees who need access.
- Ideally, files (even management system screens) should never be visible to customers or to personnel who do not work for the agency.

52. Assessing Risk
- Ultimately, 201 CMR 17.00 specifies that the safeguards that should be in place and defined in the program “are appropriate to (a) the size, scope and type of business…”.
- The risk-based approach, as further discussed in the 201 CMR 17.00 FAQs, allows some flexibility in implementing the requirements of the regulation based on the amount of PI stored.
- However, for insurance agencies this flexibility is probably not applicable, because we hold PI for every single client (and perhaps prospect) in our books.

53. Assessing Risk
- “Technically feasible” is the term used to describe whether or not the specific elements outlined in the regulation need to be implemented in your program.
- “Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.
- Must I encrypt my email if it contains personal information? If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. (From the FAQs)
54. Conducting a Security Assessment
- Per 201 CMR 17.00, your program must include “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”
- First, step out of your agency role and become a completely objective observer.

55. Conducting a Security Assessment
- Take a look at the following areas and determine whether there is a risk to the confidentiality, security, and integrity of the PI you have already identified (and its locations) at your agency:
  - Doors, windows and entrances to the agency.
    - Are the locks adequate?
    - Is there an alarm system in place?
    - Do employees or non-agency personnel have keys, the alarm code, or other access to the agency?
    - Are the windows reasonably secure?
  - Document management.
    - Is there a shred policy in place?
    - Are documents with PI kept out in the open?
    - Are documents with PI kept in filing cabinets? Are they locked (at night)?
    - Are documents with PI visible when clients/prospects are in the office?

56. Conducting a Security Assessment
- Assessment areas (continued):
  - Network, management system and/or document management system access.
    - Do all users have unique logins and passwords?
    - Do passwords expire regularly?
    - Do accounts lock after numerous incorrect attempts?
    - Do third-party systems (RMV/EVR, ChoicePoint, Collaborative Edge) where PI is gathered have unique logins and passwords (that expire regularly)?
  - Portable media.
    - Do any employees use laptops outside of the office?
    - Are thumb drives, CDs, etc. used?
    - Do you have a tape back-up system? Are these tapes taken offsite?
    - Are any of the above encrypted?

57. Conducting a Security Assessment
- Assessment areas (continued):
  - Email.
    - Is PI ever sent in emails, as an attachment or in the body of the message?
    - Is this PI being encrypted or password protected?
    - Are employees allowed to access personal (non-business) email accounts?
    - Do employees ever send PI through personal email accounts? (NO!!)
  - Miscellaneous
    - Do screen savers automatically come up after a certain amount of time?
    - Do employees have to log in again after the screen saver appears?
    - Is there a wireless network set up at the agency? Is it encrypted?
    - Do you utilize 3rd-party providers? Do they ever have access to areas where PI is stored, during or after business hours?
58. Gaps & How to Fix Them
- Filing cabinets
  - Who has access?
    - Employees
    - Clients/prospects
    - Third-party service providers
  - Are they out in the open?
  - Are they in a separate room?
  - Can they (the filing cabinets or the separate room) be locked?

59. Gaps & How to Fix Them
- Paper at employees’ desks
  - Is it left out?
  - “Working folders”
  - Lock it up at night or when out of the office for an extended period of time.
  - Move it to the side, or put it in the “working folder”, when clients/prospects are there.

60. Gaps & How to Fix Them
- Network, agency management, and document management system logins & passwords
  - Enable Active Directory and Group Security Policies to control network access.
  - Set password lengths, expirations, and lockouts.
  - Ensure agency management, document management systems, and other websites/portals are set in a similar manner with regard to passwords and logins.

61. Gaps & How to Fix Them
- Email encryption
  - If you send PI through email or in attachments to email, you should encrypt the emails.
  - Minimally, if the PI is in an attachment, you may password protect the document (not as good).
- Get Your IT Support Team Involved (if not already) in This Area As Well As the Other Electronic Security Issues.

62. Gaps & How to Fix Them
- Portable devices: laptops, thumb drives, CDs/DVDs, back-up tapes.
  - Encrypt them or do not use them.
  - Back-up systems may have an encryption option in the settings to encrypt the tapes.
  - Password protection is not enough; you need to use a whole-disk encryption solution.

63. Gaps & How to Fix Them
- Working remotely
  - PI on paper
    - Needs to be locked up too!
    - Treat it as you do at the office.
  - Remote access
    - If you are logging in to a terminal services machine or over the internet to your hosted management system, you should be all right as long as nothing is saved on your local drive (including emails).
    - However, you still should encrypt your laptop (or desktop) to protect against theft.

64. Gaps & How to Fix Them
- Taking PI out of the office
  - Can’t avoid it!
  - Control it.
  - Set up a policy about how much PI can be taken out at a time and the permissible “travel routes”.
  - Inventory or log the PI in and out of the agency.
  - This is Probably the Largest Risk for Losing PI!
65. Creating Your WISP
- Start with the template!
- Sections to include:
  - Part 1 Objectives
  - Part 2 Purpose & Scope
  - Part 3 Designation of a Security Manager
  - Parts 1 & 2 are Legalese & the Example Template Wording Should Be Fine.

66. Creating Your WISP
- Sections to include (cont.):
  - Part 4 Risks Identified
    - What did we find during our assessment?
    - Where is the PI and how is it at risk?
  - Part 5 Safeguards
    - What we are going to do at the agency to protect PI.
    - Operations, technology, and management practices.
    - This section shows how we have fixed any gaps or other risks we identified!
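Slide 39 defines PI as a name in combination with one of three data elements, and Part 4 of the WISP asks where that PI lives in the agency. The following scanner, added here as an illustration and not part of the original presentation, applies that definition to text records so the "where is the PI" inventory can be built from exported files; the name and label patterns are assumptions about how agency documents are written, and the sample records are constructed.

```python
"""Heuristic scanner for 201 CMR 17.00 "personal information" in agency text records.
Added example, not from the original slides. A record is flagged only when a name
(first name or initial plus last name) appears together with a listed data element.
Elements are masked to their last four characters so the report is not itself PI."""
from __future__ import annotations

import re
from dataclasses import dataclass

# (a) Social Security number: 3-2-4 digits; reject area 000/666/9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# (c) credit/debit card: 13-19 digits with optional separators, confirmed by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# (b) driver's license / state ID: formats vary by state, so only a labelled value
#     (up to two letters then 5-12 digits) is taken as one. Label forms are assumed.
DL_RE = re.compile(
    r"\b(?:driver'?s?\s+licen[cs]e|state\s+id)\s*(?:#|no\.?|number)?\s*[:#]?\s*"
    r"([A-Z]{0,2}\d{5,12})\b",
    re.IGNORECASE,
)
# (c) financial account number: labelled only, for the same reason.
ACCT_RE = re.compile(r"\b(?:account|acct)\.?\s*(?:#|no\.?|number)?\s*[:#]?\s*(\d{6,17})\b", re.IGNORECASE)
# Name: "Jane Doe", "J. Doe", "Jane Q. Doe". A capitalised-pair heuristic; common
# form labels and place words are excluded to cut false positives.
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z]\.)(?:\s+[A-Z]\.)?\s+([A-Z][a-z]+)\b")
NOT_NAMES = {
    "Social", "Security", "Number", "Driver", "Drivers", "License", "State",
    "Account", "Acct", "Policy", "Insured", "Agency", "Client", "Card", "Credit",
    "Debit", "Visa", "Main", "St", "Street", "Ave", "Boston", "Massachusetts",
}

@dataclass(frozen=True)
class Finding:
    element: str  # "ssn", "card", "dl" or "account"
    masked: str   # value with all but its last four characters replaced by '*'
    name: str     # the name the element was found in combination with

def luhn_ok(digits: str) -> bool:
    """Luhn check; keeps claim, policy and phone numbers out of the card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four alphanumerics: '123-45-6789' -> '*****6789'."""
    chars = re.sub(r"[^A-Za-z0-9]", "", value)
    return "*" * (len(chars) - 4) + chars[-4:]

def find_names(text: str) -> list[str]:
    names = []
    for m in NAME_RE.finditer(text):
        first, last = m.group(1).rstrip("."), m.group(2)
        if first not in NOT_NAMES and last not in NOT_NAMES:
            names.append(m.group(0))
    return names

def find_elements(text: str) -> list[tuple[str, str]]:
    """Every data element in the text as (kind, masked value), names or not."""
    found = [("ssn", mask(m.group(0))) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            found.append(("card", mask(m.group(0))))
    found += [("dl", mask(m.group(1))) for m in DL_RE.finditer(text)]
    found += [("account", mask(m.group(1))) for m in ACCT_RE.finditer(text)]
    return found

def scan_record(text: str) -> list[Finding]:
    """PI as 201 CMR 17.00 defines it: a name in combination with a data element.
    An SSN with no name, or a name with no element, yields no finding."""
    names = find_names(text)
    if not names:
        return []
    return [Finding(kind, masked, names[0]) for kind, masked in find_elements(text)]

def scan_inventory(records: list[str]) -> list[tuple[int, Finding]]:
    """Input for WISP Part 4 ('where is the PI?'): record index plus each finding."""
    return [(i, f) for i, rec in enumerate(records) for f in scan_record(rec)]

# Constructed sample records standing in for lines exported from an agency system.
SAMPLE_RECORDS = [
    "Insured: Jane Q. Doe, 12 Main St, Boston MA. SSN 123-45-6789 on file.",
    "Premium paid by J. Smith, Visa 4111 1111 1111 1111 exp 09/12.",
    "Driver: Robert Jones, driver's license number S12345678, 2004 sedan.",
    "Ref 234-56-7890 received via fax, no cover sheet.",            # element, no name
    "Left voicemail for Mary Ann about the renewal.",                # name, no element
    "Quote for Alan Brown, claim # 1234 5678 9012 3456 pending.",   # fails Luhn
    "Auto-pay from account #00123456 for Peter Green.",
]

if __name__ == "__main__":
    for idx, finding in scan_inventory(SAMPLE_RECORDS):
        print(f"record {idx}: {finding.element} {finding.masked} with {finding.name}")
```

The heuristic errs toward false negatives on unlabelled license and account numbers and on lower-cased names, so treat its output as a starting inventory for the assessment, not as proof that a file is PI-free.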
67. What About a Breach?
- A person or agency that owns or licenses data that includes PI about a resident of the commonwealth shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency
  - knows or has reason to know of a breach of security, or
  - when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose,
  - to the attorney general, the director of consumer affairs and business regulation and to such resident, in accordance with… M.G.L. c 93H
  - (Chapter 93H: Section 3.)

68. What About a Breach?
- In addition, and in accordance with the WISP you are creating, you must:
  - Conduct an immediate, mandatory post-incident review of events and actions taken, if any.
  - Determine whether any changes in your security practices are required to improve the security of personal information for which you are responsible.
- It Does Not Matter Whether One or a Thousand Records Are Breached.

69. List of Some Encryption Software
Whole-Disk Encryption:
- www.truecrypt.org
- www.pgp.com
- www.drivecrypt.com/
- http://www.symantec.com/business/endpoint-encryption

70. MA Links / References
- Jason Hoeppner, CIC
- B. H. Burke & Co., Inc.
  - [email_address]
  - (860) 399-8288
  - http://twitter.com/JasonHoeppner
  - http://www.linkedin.com/in/JasonHoeppner
  - http://www.facebook.com/JasonHoeppner
- MA Office of Consumer Affairs & Business Regulation (OCABR): http://www.mass.gov/?pageID=ocahomepage&L=1&L0=Home&sid=Eoca
- A direct link to the regulation can be found here (also on the MA OCABR web page): http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
- 201 CMR 17.00 FAQs: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
- Compliance Checklist: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
- Small Business Guide to Formulating a Comprehensive WISP: http://www.mass.gov/Eoca/docs/idtheft/sec_plan_smallbiz_guide.pdf
71. What Is a Breach?
- According to current legislation in New Jersey and Connecticut, a breach is defined as:
  - “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable…” (NJ)
  - “unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.” (CT)

72. What Is a Breach?
- According to current legislation in New York and New Hampshire, a breach is defined as:
  - “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.” (NY)
  - “unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state.” (NH)
- Notice that these definitions use the term computerized data.

73. However…
- In New Jersey and New Hampshire:
  - A “good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not [used for a purpose unrelated to the business (NJ only)] or subject to further unauthorized disclosure.”
- In New York:
  - A “good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others:
    - (1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or
    - (2) indications that the information has been downloaded or copied; or
    - (3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.”

74. Personal Information
Definition of Personal Information, by state:
- NJ, CT, & NH: Individual’s first name (or first initial) and last name, in conjunction with one or more of the following:
  (1) Social Security Number
  (2) Driver’s (or motor vehicle operator’s) License number or other state/government ID number
  (3) (Financial) Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
- NY: Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
- NJ also: dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
- VT: Account information in which the number could be used without additional identifying information; access codes, or passwords and account passwords or PINs are also included.

75. Personal Information
- In all four states, personal (or private, for NY) information…
- “does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records [plus widely distributed media in NJ and CT].”
Definition of Private Information, NY:
- Personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
  (1) social security number;
  (2) driver's license number or non-driver identification card number; or
  (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
76. Breach Notification Requirements
CT
- Who needs to be notified?
  - The owner or licensee of the breached PI.
  - Residents of the state of CT whose PI was breached.
- When?
  - Immediately following the discovery of the breach.
  - Without unreasonable delay, subject to a law enforcement agency determination that such notification will not impede a criminal investigation.
NH
- Who needs to be notified?
  - NH Attorney General’s Office or trade regulator.
  - Owner or licensee of the breached PI.
  - Affected individuals.
- When?
  - As quickly as possible. However, “Notification… may be delayed if a law enforcement agency, or national or homeland security agency determines that the notification will impede a criminal investigation or jeopardize national or homeland security.”

77. Breach Notification Requirements
NJ
- Who needs to be notified?
  - Division of State Police.
  - Any business or entity for whom you compile the PI that was breached.
  - Customers whose PI was breached who are residents of NJ.
- When?
  - In advance of notice to the NJ residents affected.
  - Expediently and without unreasonable delay, “consistent with the legitimate needs of law enforcement”.
NY
- Who needs to be notified?
  - The owner or licensee of the private information.
  - Residents of the state of NY whose private information was breached.
  - State Attorney General
  - Consumer Protection Board
  - State Office of Cyber Security
- When?
  - “The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise [a criminal] investigation.”
  - Expediently and without unreasonable delay, “consistent with the legitimate needs of law enforcement”.

78. Breach Notification Requirements
VT
- Who needs to be notified?
  - The consumer whose PI was breached.
  - Owner or licensee of the PI.
- When?
  - In the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of… law enforcement...

79.
- VT:
  - Also includes a Social Security Number Protection Act that requires businesses to treat SSNs in a much more protected manner.

80. Additional Points on Notifications
- NJ:
  - Disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.
- NH:
  - If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision.

81. Methods for Breach Notifications
- Written: NY, NJ, CT, VT, NH
- Electronic: NY, NJ, CT, VT, NH. Provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001. (NY, VT, CT)
- Telephone: NY, CT, VT, NH
- Substitute (email, website, major statewide media): NY, NJ, CT, VT, NH. In cases where notification costs are greater than $250,000 or more than 500,000 individuals have been affected ($5000/5000 for VT).
    82. 82. Breach Notification Contents <ul><li>NY: </li></ul><ul><ul><li>Such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired. </li></ul></ul><ul><li>NH: </li></ul><ul><ul><li>Notice under this section shall include at a minimum:  (a) A description of the incident in general terms.  (b) The approximate date of breach.  (c) The type of personal information obtained as a result of the security breach.  (d) The telephonic contact information of the person subject to this section. </li></ul></ul>
    83. 83. NJ - Additional <ul><li>56:8-164  Prohibited actions relative to display of social security numbers. 13. a. No person, including any public or private entity, shall: (1)Publicly post or publicly display an individual's Social Security number, or any four or more consecutive numbers taken from the individual's Social Security number; (2)Print an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed; (3)Print an individual's Social Security number on any card required for the individual to access products or services provided by the entity; (4)Intentionally communicate or otherwise make available to the general public an individual's Social Security number; (5)Require an individual to transmit his Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; or (6)Require an individual to use his Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site. </li></ul>
    84. 84. NJ - Additional <ul><li>b.Nothing in this section shall prevent a public or private entity from using a Social Security number for internal verification and administrative purposes, so long as the use does not require the release of the Social Security number to persons not designated by the entity to perform associated functions allowed or authorized by law. c.Nothing in this section shall prevent the collection, use or release of a Social Security number, as required by State or federal law. d.Notwithstanding this section, Social Security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the Social Security number.  A Social Security number that is permitted to be mailed under this subsection may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been open. e.Nothing in this section shall apply to documents that are recorded or required to be open to the public pursuant to Title 47 of the Revised Statutes.  This section shall not apply to records that are required by statute, case law, or New Jersey Court Rules, to be made available to the public by entities provided for in Article VI of the New Jersey Constitution. f.Nothing in this section shall apply to the interactive computer service provider's transmissions or routing or intermediate temporary storage or caching of an image, information or data that is otherwise subject to this section. </li></ul><ul><li>L.2005,c.226,s.13. </li></ul>
85. NJ - Additional

56:8-165 Regulations concerning security of personal information.

14. The Director of the Division of Consumer Affairs in the Department of Law and Public Safety, in consultation with the Commissioner of Banking and Insurance, shall promulgate regulations pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate sections 4 through 15 of this amendatory and supplementary act.

L.2005,c.226,s.14.

56:8-166 Unlawful practice, violation.

15. It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) to willfully, knowingly or recklessly violate sections 10 through 13 of this amendatory and supplementary act.

L.2005,c.226,s.15.
86. NY - Additional

(a) whenever the attorney general shall believe from evidence satisfactory to him that there is a violation of this article he may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.
(b) the remedies provided by this section shall be in addition to any other lawful remedy available.
(c) no action may be brought under the provisions of this section unless such action is commenced within two years immediately after the date of the act complained of or the date of discovery of such act.
87. NY - Additional

Regardless of the method by which notice is provided, such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.

8. (a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
(b) In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
88. NH - Additional

359-C:21 Violation.

I. Any person injured by any violation under this subdivision may bring an action for damages and for such equitable relief, including an injunction, as the court deems necessary and proper. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was a willful or knowing violation of this chapter, it shall award as much as 3 times, but not less than 2 times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney's fees, as determined by the court. Any attempted waiver of the right to the damages set forth in this paragraph shall be void and unenforceable. Injunctive relief shall be available to private individuals under this chapter without bond, subject to the discretion of the court.
II. The New Hampshire attorney general's office shall enforce the provisions of this subdivision pursuant to RSA 358-A:4.
III. The burden shall be on the person responsible for the determination under RSA 359-C:20, I to demonstrate compliance with this subdivision.

Source. 2006, 242:1, eff. Jan. 1, 2007.