
Mass 201 CMR 17 Data Privacy Law


An overview of the Massachusetts 201 CMR 17.00 data privacy regulation, which goes into effect on March 1, 2010. Contact information for each presenter is included in the slide deck.

Please contact any of us with questions.



Welcome
  - About the Law
  - Affected Organizations
  - Presenters
  - Privacy Partners: Compliance, Accounting, Legal, Insurance, Technology

Seminar Agenda

Regulatory Compliance
Which organizations are required to comply with the new law?
Wording of the regulation: organizations "who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts."
Personally Identifiable Information (PII) includes:
  - Electronic transaction and billing data (credit card numbers, bank data, etc.)
  - Identity-theft target data (Social Security numbers, identification numbers, etc.)
  - Customer records

What is Required?
Four main components:
  - Risk assessment and WISP (Written Information Security Program)
  - Data privacy awareness policy
  - Security (antivirus, firewall, encryption)
  - Vendor WISP or sign-off

201 CMR 17.00
  - Customers
  - Vendors
  - Web sites
  - Remote workers
  - Suppliers
  - External requirements

Inman Technology
About Inman Technology
Sarah Cortes
  - Education
  - Clients
  - Projects
Services provided

History
Recent breach history:
  - TJ Maxx
  - Heartland
  - CVS
  - Every day there are new breaches
  - Verizon report, April 2009: three-fold increase in breaches in 2008
  - Industry sources: average cost per stolen record at ~$202

Massachusetts Laws
Mass General Laws ch. 93H (directed the Office of Consumer Affairs and Business Regulation to formulate the regulation)
  - Goal: protect the Personal Information of all Mass residents
Business Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
  - Establishes a minimum standard
  - Compliance is based on size, scope and type of business
  - Resources available, amount and type of data stored
Mass General Laws ch. 93I – Disposition and Destruction
  - Paper documents
  - Electronic media

Data Security Regulations
Risk-based approach
  - Administrative, technical and physical safeguards appropriate to:
      - Size, scope and type of business
      - Amount of resources available to the business
      - Amount of data stored
      - Need for security and confidentiality of both consumer and employee information
  - All persons, businesses and agencies must destroy records containing Personal Information "such that the data cannot be practicably read or reconstructed after disposal or destruction"
The Program = Your WISP

Your WISP Program
Scope
Personally Identifiable Information (PII) is defined as a resident's first name (or initial) and last name, PLUS one or more of:
  - Social Security number
  - Driver's license number (or state-issued ID number)
  - Financial account number, or
  - Credit or debit card number
Specific requirements for all people and organizations that store PII of Mass residents:
  - Designate employee(s) to maintain the Program
  - Identify and assess reasonably foreseeable internal and external risks
  - Evaluate and improve (where necessary) the effectiveness of current safeguards for limiting those risks
  - Develop security policies for employees covering storage, access and transportation of Personal Information

Required Compliance Activities
  1. Written Information Security Program (built on a recognized framework: ISO, IEEE, NIST, etc.)
  2. Identification of records: normalization and data classification; know where your PII exists
  3. Third-party providers must be evaluated for compliance
  4. Rethinking the collection, storage and access to PII: do NOT collect or store data you do not need
  5. Implementing and monitoring protective measures: at a minimum, annual evaluations

Your WISP Program
Specific requirements
  - Impose disciplinary measures for violations
  - Prevent terminated employees from accessing records
  - Oversee service providers
  - Reasonably restrict physical access to, and storage of, records containing Personal Information
  - Regularly monitor the Program and upgrade safeguards as necessary
  - Review the scope of security measures at least annually, or whenever there is a material change in business practices
  - Document responsive actions taken after any breach and conduct a post-incident review of events and actions taken
In case of breach, REACT IMMEDIATELY (see addendum for directions to be followed)
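The PII definition and the "know where your PII exists" activity above amount to a data-classification scan: a record is Personal Information only when a name appears together with at least one of the listed identifiers. The Python scan below is an added example, not code from the slide deck or from any of the presenting firms. The sample records, the regular expressions, the assumed "S" plus eight digits license format and the helper names (`luhn_ok`, `classify`, `scan`) are constructed for illustration; a real scan has to use the identifier formats of the systems you actually hold.

```python
"""Added example (not from the slide deck): flag records that meet the
201 CMR 17.00 / G.L. c. 93H definition of Personal Information, i.e. a
first name (or initial) and last name in combination with a Social Security
number, a driver's license / state ID number, a financial account number or
a credit/debit card number.  Sample records, the license-number format and
the regexes are constructed for illustration only."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# SSN: AAA-GG-SSSS, excluding ranges the SSA never issues
# (area 000, 666, 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card number: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Driver's license / state ID: ASSUMED format for this example ("S" + 8 digits);
# use the formats of the source systems you actually hold.
STATE_ID_RE = re.compile(r"\bS\d{8}\b")

# Name: capitalised first name or an initial, then a capitalised last name.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+(?:-[A-Z][a-z]+)?\b")


def luhn_ok(number: str) -> bool:
    """Mod-10 check: filters digit runs that merely look like a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):   # i == 0 is the check digit
        if i % 2 == 1:                         # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    record_id: str
    has_name: bool
    identifiers: List[str] = field(default_factory=list)

    @property
    def is_personal_information(self) -> bool:
        # The statutory trigger is a name AND at least one identifier;
        # an identifier alone, or a name alone, is not Personal Information.
        return self.has_name and bool(self.identifiers)


def classify(record_id: str, text: str) -> Finding:
    finding = Finding(record_id, has_name=bool(NAME_RE.search(text)))
    if SSN_RE.search(text):
        finding.identifiers.append("ssn")
    if STATE_ID_RE.search(text):
        finding.identifiers.append("state_id")
    # A digit run counts as a card number only if it also passes Luhn.
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        finding.identifiers.append("card")
    return finding


def scan(records: Dict[str, str]) -> List[Finding]:
    """Return only the records that fall under the regulation's definition."""
    hits = []
    for record_id, body in records.items():
        finding = classify(record_id, body)
        if finding.is_personal_information:
            hits.append(finding)
    return hits


# Constructed sample records: no real people, numbers or accounts.
SAMPLE_RECORDS = {
    "crm-001": "Customer: J. Smith, card on file 4111 1111 1111 1111, exp 09/12",
    "hr-017":  "Employee Dana Reyes, SSN 123-45-6789, start date 2009-04-01",
    "log-9":   "session 556-11-0000 opened from 10.0.0.5",   # serial 0000: not an SSN; no name
    "inv-44":  "Invoice 1234567890123 issued to Acme Corp",     # digit run fails Luhn
    "hr-018":  "Employee Lee Tran, license S12345678 on file",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.record_id}: name + {', '.join(f.identifiers)} -> Personal Information")
```

The point of the `Finding` split is that an SSN in a log with no name, or a name with no identifier, is not a notifiable record under the definition, while either combination is; the Luhn check and the SSN range exclusions keep invoice numbers and session IDs from inflating the inventory.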
Your WISP Program
Control Access
  - User ID control
  - Assign unique IDs plus passwords that are NOT vendor-supplied default passwords
  - User passwords, biometrics, or token devices
  - Control of data security passwords (the keys to the vault)
  - Restrict access to active users only
  - Block access after multiple failed attempts
  - Restrict access to records and files to personnel who need them
  - Physical access

Common Causes of Data Breaches
Some common causes:
  - Stolen laptops
  - Rogue employees
  - Inadvertent disclosure
  - Intra-company email
  - Hacking
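The Control Access slide above lists unique IDs, no vendor-default passwords, access limited to active users, and lockout after multiple attempts, and the preceding WISP slide adds that terminated employees must be cut off. The following Python authentication gate is an added example, not code from the deck or from Inman Technology, that enforces those items together. The `Directory` class, the constructed default-password list, the 5-attempt threshold and the 15-minute lock are assumptions; the regulation sets none of those values.

```python
"""Added example (not from the slide deck): an authentication gate that
enforces the Control Access items above: unique user IDs, no vendor-default
passwords, no access for deactivated (terminated) users, and lockout after
repeated failures.  The directory, the default-password list, the 5-attempt
threshold and the 15-minute lock are assumptions for the example."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5        # assumed threshold; the regulation does not set one
LOCKOUT_SECONDS = 15 * 60      # assumed lock duration
PBKDF2_ROUNDS = 100_000

# Constructed list of vendor-supplied / default passwords that must never be accepted.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome1", "12345678"}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True          # set False on termination; record is kept for audit
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


class Directory:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def add_user(self, user_id: str, password: str) -> User:
        if user_id in self._users:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        if password.lower() in DEFAULT_PASSWORDS:
            raise ValueError("vendor-supplied or default passwords are not allowed")
        salt = os.urandom(16)
        user = User(user_id, salt, hash_password(password, salt))
        self._users[user_id] = user
        return user

    def deactivate(self, user_id: str) -> None:
        """Terminated employee: block access immediately, keep the record."""
        self._users[user_id].active = False

    def authenticate(self, user_id: str, password: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        user = self._users.get(user_id)
        if user is None:
            # Same cost as a real check so timing does not reveal valid IDs.
            hash_password(password, b"\x00" * 16)
            return False, "invalid credentials"
        if not user.active:
            return False, "account deactivated"
        if user.locked_until > now:
            return False, "account locked"
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked_until = now + LOCKOUT_SECONDS
                user.failed_attempts = 0
                return False, "account locked"
            return False, "invalid credentials"
        user.failed_attempts = 0           # success resets the counter
        return True, "ok"


if __name__ == "__main__":
    d = Directory()
    d.add_user("dreyes", "Correct-Horse-42")
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print(d.authenticate("dreyes", "guess%d" % attempt))
    print(d.authenticate("dreyes", "Correct-Horse-42"))   # still locked
    d.deactivate("dreyes")
    print(d.authenticate("dreyes", "Correct-Horse-42"))   # deactivated
```

Note the ordering of checks: a deactivated account is refused before the password is even examined, so a departing employee's credentials stop working the moment the flag is set, and a locked account returns the same "account locked" answer whether or not the password offered is correct, so the lock cannot be used as a password oracle.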
Common Causes of Data Breaches
Malware
  - The problems: worms, viruses, Trojan horses, rootkits, spyware, dishonest software
  - The protections: education, antivirus software, anti-spyware, spam elimination
Wireless
  - Public
  - Private

Solutions
Backup and disaster recovery: TEST your systems regularly
Storage media:
  - Secure
  - Rotation
  - Staff
Hard-drive-based backup
  - Limited rotation
Disaster recovery with backup

Solutions
"Security is a process, not a product" – Bruce Schneier
  - Education
  - Control access
  - Multi-tiered approach to malware: firewalls, virus, spyware and spam elimination
  - Encryption
  - Reduce potential points of breach
  - Patch management program
  - Monitor everything – and then again
  - Backup and disaster recovery / avoidance
  - Lock it up

For More Information
How to contact Sarah Cortes: (617) 784-6113
Lopez, Chaff & Wiesman
Jim Wiesman
About LCWA
  - Founding
  - Partners
  - Clients
  - Services

Types of Data to Reconcile
Sensitive data at LCWA:
  - Social Security numbers
  - Bank account numbers
  - Financial data
  - Tax documents
Storage and transfer of data:
  - Locked cabinet
  - Encryption
  - Mail
  - Paper vs. digital media

Best Practices for Accounting
Advice to secure accounting practices:
  - Bookkeeping
  - Payroll services
  - Benefits administrators
  - Access restrictions
  - Questions to ask your CPA firm

Contact LCWA
Contact Jim Wiesman: (978) 689-8822
Shaheen, Guerrera & O'Leary
Peter Shaheen, Esq.
About SGO
  - Founding
  - Partners
  - Clients
  - Services

Shaheen, Guerrera & O'Leary
An attorney's opinion of the law
  - Enforceability
  - Potential for risk
  - Comparison to similar laws
  - Explicit cost of fines
  - Cost of defense
  - Cost of reputation / client retention vs. cost of implementation

Data Destruction / Disposal Law
Chapter 93I
  - Effective February 2008
  - All persons, businesses and agencies must destroy records containing Personal Information "such that the data cannot be practicably read or reconstructed after disposal or destruction"
Definition of Personal Information
  - Broader under Chapter 93I than under 93H
  - Includes biometric identifiers
Paper records must be:
  - Redacted
  - Burned
  - Pulverized, or
  - Shredded
Electronic media must be:
  - Destroyed, or
  - Erased

Data Destruction / Disposal Law
Third-party disposal service providers
  - During collection, transportation and disposal, must:
      - Implement and monitor compliance with policies and procedures
      - Ensure the prohibition of unauthorized access to, acquisition of, or use of Personal Information
Penalties / enforcement
  - Civil fine of up to $100 per data subject affected, up to $50,000 for each instance of improper disposal
  - Attorney General action under Chapter 93A
  - Civil penalties of up to $5,000 for each violation
  - Costs of investigation and litigation, including attorney's fees
  - Restitution

Security Breaches: G.L. ch. 93H
Personal Information notification triggers
  - No "substantial risk of harm" calculus
  - Notification is triggered by the breach itself rather than by the likelihood of harm or misuse of Personal Information
  - Entities are therefore not exempt from providing notice when a breach does not create a risk of harm
Notice to affected Mass residents
  - The law provides for direct notice to affected consumers unless:
      - More than 500,000 Mass residents are affected; or
      - The cost of providing written notices would exceed $250,000
  - Substitute notice consists of:
      - Email notice to affected consumers
      - Clear and conspicuous notice on the company's home page; and
      - Publication in statewide media

Security Breaches: G.L. ch. 93H
What must the notice say?
  - Mass law has different content requirements depending on the recipient of the notice
Notice to the Attorney General and the Director of Consumer Affairs and Business Regulation
  - Nature of the breach of security or the unauthorized access or use of Personal Information
  - Number of Mass residents affected; and
  - Steps the notifying entity is taking, or plans to take, relating to the incident

Security Breaches: G.L. ch. 93H
Notice to affected Mass residents must include:
  - The consumer's right to obtain a police report
  - How a consumer requests a security freeze (G.L. c. 93 §§ 56 and 62A)
  - The information the consumer will need to provide to request a security freeze; and
  - Disclosure of fees associated with placing, lifting or removing a security freeze
Notice to affected Mass residents shall NOT include:
  - The nature of the breach or unauthorized access or use; or
  - The number of residents affected

Security Breaches: G.L. ch. 93H
COMMON MISTAKES made in notices to affected Mass residents
  - Notice is too general
  - Fails to include the four (4) Mass-specific requirements
  - Fraud alert vs. security freeze
  - References websites rather than providing the information in the letter itself, putting the burden on affected residents to find it
  - Provides a range of fees relating to a security freeze when in fact the amount is set by statute (G.L. c. 93 §§ 56 and 62A)

Discovery of a Breach
Typical situations:
  - Stolen or lost laptop, flash drive or other portable media
  - Unauthorized activity on the network
  - Missing, lost or stolen paper files
  - Actions of a departing employee
  - Complaints from customers or employees
  - Third-party vendor breach
In any of these cases, REACT IMMEDIATELY (see addendum for directions to be followed)

Breach Notification Law
Requires specific information in the notification to:
  - Attorney General
  - Office of Consumer Affairs
  - Affected individuals
Relating to:
  - Data security breaches
  - Unauthorized use or acquisition of Personal Information
Example:
  - A business which suffered a PC theft

Breach Notification Law
Notice requirements
  - Notice by mail, or "substitute notice" if:
      - Cost will exceed $250,000, or
      - The affected class exceeds 500,000 residents, or
      - The business does not have sufficient contact information
  - Substitute notice:
      - Email
      - Website
      - Publication in statewide media

Breach Notification Law
Compliance with federal law
  - A business that maintains procedures for responding to a security breach that comply with federal laws, rules, regulations, guidance or guidelines will be deemed to be in compliance if it provides notice in compliance with those procedures
  - It must still notify the Attorney General and the Director of Consumer Affairs
Other states' laws
  - 45 states, DC, Puerto Rico and the USVI have enacted breach notification laws
  - Most protect financial information, but some also protect medical information
  - States have differing notice requirements for timing, content and recipients

Shaheen, Guerrera & O'Leary
Enforcement
  - Dealing with the AG's office
  - Penalties
  - Fines
  - Liability
Advice to clients
  - Actions to take
  - Assessment of potential risk
SGO Compliance

Contact SGO
Contact Peter Shaheen, Esq.: (978) 689-0800
Doherty Insurance
Sheila M. Doherty
About Doherty Insurance
  - Founding
  - Leadership
  - Clients
  - Services

Doherty Insurance
Liability policies
Types of coverage
  - 1st-party vs. 3rd-party coverage
  - Cyber/tech coverage
  - Liability
  - Employment practices
  - Malicious, disgruntled employees?

Doherty Insurance
Risk analysis
  - Where are you vulnerable?
  - How much coverage should you purchase?
  - Fast and easy changes to make immediately
Policy premiums
  - Variables affecting them
  - Cost of premium vs. risk

Doherty Insurance
Contact Sheila Doherty: (978) 475-0260, 1-800-DOHERTY
Internet & Telephone
About Internet & Telephone
  - Services
      - IT managed services
      - Corporate voice & data
  - Leadership
      - Pete Peterson
      - Paul Cissel
      - Rick Umenhofer
      - Doug Smith
  - Clients

Solutions
Server & database security
  - System monitoring
  - Encryption of sensitive data
  - Intrusion detection
Maintenance
  - Regular testing
  - Updates
  - Configuration review

Solutions
Firewall
What a firewall does
  - Protects from external intrusion
Maintenance
  - Regular testing
  - Updates
  - Configuration review
Average cost to implement
  - $500+ for hardware
  - $100 / yr software maintenance

Solutions
Endpoint security software
Stops malware such as viruses, worms, Trojans, spyware, adware, bots, zero-day threats and rootkits.
Maintenance
  - Definition updates
  - Monitoring
Average cost to implement
  - Average $35 / PC per year

Solutions
Data archival and disaster recovery
Creates a backup of critical data for retrieval or recovery. Protects against the loss of data and/or complete systems.
Maintenance
  - Configuration
  - Regular updates
  - Periodic testing of data integrity
  - Retention policy
Average cost to implement
  - Storage device: $300 - $3,000 based on size
  - Software: $20 - $80 per PC / month

Solutions
Mobile device security
  - Secure mobile devices with encryption, identity authentication, a software firewall and remote wipe
  - Encryption
  - Disable & destroy
  - Biometric authentication

Internet & Telephone
Contact Rick Umenhofer: (978) 683-9100