The Massachusetts Data Protection Regime

1. Presented for the Massachusetts Bar Association at The Massachusetts Data Privacy Conference, Sheraton Springfield Monarch Place Hotel, Wednesday, January 27, 2010.
   Presented by Jared D. Correia, Esq., Law Practice Management Advisor, Law Office Management Assistance Program, 31 Milk Street, Suite 815, Boston, MA 02109
   Email:
   Phone: (857) 383-3252

2. The Massachusetts Data Privacy Regime
   o Response to High-Profile Data Breach Cases
   o Late 2007: Massachusetts Becomes 39th State to Enact Data Breach Law
   o EFFECTIVE DATE: March 1, 2010
   o Laws and Regulation Implicated
     o MGL c. 93H: Security Breaches
     o MGL c. 93I: Disposition and Destruction of Records
     o 201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth
   o Further Guidance
     o Office of Consumer Affairs and Business Regulation website
       o under “For Businesses”
       o under “Identity Theft”

3. ANY Business/Business Owner, INCLUDING Law Firms and Solo Attorneys
   Person: “A Natural Person, Corporation, Association, Partnership or Other Legal Entity . . .” (MGL c. 93H, sec. 1)
   INCLUDING Out-of-State Businesses IF Those Businesses Keep Massachusetts Resident Information

4. The Threshold Question: What Sort of Information Do You Keep?
   First Name/Last Name OR First Initial/Last Name
   AND
   Social Security Number OR Driver’s License/State-Issued Identification Card Number OR Financial Account Number
   Piecemeal Compliance versus Compliance In Toto

5. Regulations to Safeguard the Personal Information of Residents of the Commonwealth, in order to:
   o insure the security and confidentiality of customer information in a manner fully consistent with industry standards;
   o protect against anticipated threats or hazards to the security or integrity of such information;
   o protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to the consumer.

6. o WISP (Written Information Security Program)
   o Control Over Electronic Information
   o Computer System Security Requirements
   o Control Over Paper Files
   o Totality of (Most of) the Circumstances
   o Disposal

7. Think: Your Handbook for Compliance. Write It Down, Get It Right.
   Sources:
   o Check One: 201 CMR 17.03
   o Check Two: Resources at the OCABR Website
   Some Important Considerations:
   o Employee to Maintain and Supervise WISP Performance
   o Review WISP Annually AND When Material Change
   o Duty to Oversee Third Party Service Providers

8. To be Established and Maintained “To the Extent Technically Feasible”, per 201 CMR 17.04:
   o Control Over Users/Control Over Passwords (17.04, 1)
   o Secure Access Control Measures (17.04, 2)
   o Encryption of Data (17.04, 3 and 5)
     o Travelling Wirelessly OR Stored on Portable Electronic Devices
   o Protection of Systems (17.04, 4 and 6 and 7)
     o Firewall
     o Security Patches
     o System Security Agent Software
   o Staff Education/Training (17.04, 8)
     o Proper Use of Computer Security
     o Importance of Personal Information Security

9. Whither Paper?
   The Threshold Question Is the Same: What Sort of Information Do You Keep? Piecemeal Compliance versus Compliance In Toto
   How To Comply
   o Determine Reasonably Foreseeable Internal and External Risks to Files
   o Store Paper Files in “Locked Facilities, Storage Areas or Containers”
   o Restrict Access to Persons Who Must Access To Perform Job Functions
   o Record Physical Safeguards in WISP

10. Requirement of Reasonable Efforts to Comply
    o Compliance Judged in Light of/WISP Contains Safeguards Appropriate to:
      o Size, Scope and Type of Service Provided
      o Amount of Resources Available
      o Amount of Stored Data
      o Need for Security and Confidentiality of Both Consumer and Employee Information

11. This is Not JUST About How to Keep Data. This is ALSO About How to Get Rid of Data.
    Check MGL c. 93I for guidance
    o Separate Standards for Disposal of (1) Electronic Media and (2) Paper Documents (MGL c. 93I, sec. 2)
    o Options that Would Make Information UNREADABLE or UNRECONSTRUCTABLE
    *Nota Bene: MGL c. 93I, sec. 1 ADDS a Fourth Category of Protected Information: First Name/Last Name OR First Initial/Last Name AND a Biometric Indicator

12. o Breach of Security: Unauthorized Acquisition/Use of Unencrypted Data, OR Encrypted Data PLUS Confidential Process or Key, THAT Creates a Substantial Risk of Identity Theft or Fraud

13. o Notification of Breach
      o When (to Send)
      o (To) Whom
      o What (to Include)
      o What (Kind)

14. WHEN (to Send)
    Knowledge of Breach of Security OR Knowledge that Personal Information Acquired/Used by Unauthorized Person/for Unauthorized Purpose
    “. . . as soon as practicable and without unreasonable delay . . .” (MGL c. 93H, sec. 3)

15. (To) WHOM
    Own/License:
    o to Attorney General’s Office;
    o to Director of OCABR;
    o to Consumer Reporting Agencies Identified by OCABR; and,
    o to Resident(s).

16. WHAT (to Include)
    In Notice to Government:
    o Nature of Breach;
    o Number of Residents Affected; and,
    o Steps Taken/To Be Taken to Respond to Incident.
    In Notice to Resident:
    o Right to Obtain Police Report;
    o Process for Requesting Security Freeze; and,
    o Any Fees Required to be Paid to Consumer Reporting Agencies.
    BUT, DO NOT INCLUDE:
    o Nature of Breach; or,
    o Number of Residents Affected.

17. WHAT (Kind): Three Forms of Notice
    o Written Notice;
    o Electronic Notice (consistent with Sec. 7001 of Title 15 of the USCS, MGL c. 110G); or,
    o Substitute Notice (IF cost of providing notice greater than $250,000 OR affected class greater than 500,000 OR insufficient contact information).

18. Violation of MGL c. 93H
    o Enforcement via MGL c. 93A
    o $5,000 Fine per Violation
    o What is a “Violation”? A Breach? A Breached Record? An Individual Resident Affected?
    Violation of MGL c. 93I
    o Not More Than $100 per Resident Affected
    o Not to Exceed $50,000 for Each Instance of Improper Disposal
    o What is an “Instance”? A Record? A Device? A Series of Disposals?

19. Six Questions:
    o What Information Do You Keep?
    o Are You Careful About How You Keep/Send/Transport Data?
    o Have You Created a WISP?
    o Do You Limit Access to Your Data?
    o Do You Oversee Your Employees and Third Party Providers?
    o How Do You Dispose of Your Data?
    Three Problems:
    o Technology Regime Crafted by Lawyer-Legislators
    o Lack of Specific Guidance
    o Ad Hoc Decisionmaking
    The REAL Question is: How Do You Comply, Technically (Feasible) Speaking?

20. Contact LOMAP: Massachusetts Law Office Management Assistance Program, 31 Milk Street, Suite 815, Boston, MA 02109
    Email:
    Phone: (888) 54-LOMAP
    Follow LOMAP: Rodney S. Dowell, Esq., Director; Jared D. Correia, Esq., Law Practice Management Advisor
    Web:
    Blog:
    Twitter:
    Twitter: