The document summarizes the key aspects of the Massachusetts Data Privacy Rules, including: 1. The rules cover any person or organization that owns or licenses personal information about Massachusetts residents, regardless of location. They require a comprehensive written information security program, heightened computer security, and vendor compliance. 2. Non-compliance can result in enforcement actions and penalties by the Massachusetts Attorney General, as well as increased litigation risks. Any data breach must be reported to affected individuals and the Attorney General. 3. The comprehensive written information security program must contain specific administrative, technical, and physical safeguards to protect personal information. It must be regularly reviewed and updated.

1. The MassachusettsData Privacy Rules Stephen E. Meltzer, Esquire, CIPP

4. Agenda Introduction Scope of Rules Overview Comprehensive Written Information Security Program (cWISP)

5. The MassachusettsData Security Rules New Mandate: PI = PI Personal Information = Privacy Infrastructure

6. Who Cares? Consequences for non-compliance: AT LEAST: Increased risk of government enforcement or private litigation 93H § 6 incorporates 93A, § 4 93A, § 4 $5,000 per occurrence Attorneys fees Cost of Investigation/Enforcement AT WORST: Enforcement PLUS Bad PR then Compliance and oversight

7. Enforcement Litigation and enforcement by the Massachusetts Attorney General Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers Attorney General likely to investigate based on breach reports No explicit private right of action or penalties

8. Scope of Rules

9. Scope of Rules Covers ALL PERSONS that own or license personal information about a Massachusetts resident Need not have operations in Massachusetts Financial institutions, health care and other regulated entities not exempt

10. Scope of Rules “Personal information” Resident’s first and last name or first initial and last name in combination with SSN Driver’s license or State ID, or Financial account number or credit/debit card that would permit access to a financial account

11. Three Requirements 1.Develop, implement, maintain and maintain a comprehensive, written information security program that meets very specific requirements (cWISP) 2.Heightened information security meeting specific computer information security requirements 3.Vendor Compliance (Phase-in)

12. Evaluating Compliance(not Evaluating Applicability) Appropriate Size of business Scope of business Type of business Resources available Amount of data stored Need for security and confidentiality Consumer and employee information

13. Evaluating Compliance(not Evaluating Applicability) “The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”

14. Comprehensive WrittenInformation SecurityProgram 201 CMR 17.03 Sample cWISP

15. Information SecurityProgram “[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards” Sample cWISP

16. Comprehensive Information Security Program (a) Designate an employee to maintain the WISP. (b) Identify and assess reasonably foreseeable risks (Internal and external). (c) Develop security policies for keeping, accessing and transporting records. (d) Impose disciplinary measures for violations of the program. (e) Prevent access by terminated employees. (f) Oversee service providers and contractually ensure compliance. (g) Restrict physical access to records. (h) Monitor security practices to ensure effectiveness and make changes if warranted. (i) Review the program at least annually. (j) Document responsive actions to breaches. Sample cWISP

17. Comprehensive Information Security Program Third Party Compliance 1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and 2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information Sample cWISP

18. Comprehensive Information Security Program Third Party Compliance Contracts entered “no later than” March 1, 2010: Two – year phase-in. Contracts entered into “later than” March 1, 2010: Immediate compliance. Sample cWISP

19. Comprehensive Information Security Program Information Security ProgramTable of Contents Sample cWISP

21. Information Security Policy

22. Definitions

23. Security Risks Considered

24. Security Risks

25. Internet Policy

26. Email Policy

27. Acceptable Use Policy

28. Privacy Policy

29. Record Retention & Destruction Policy

30. Data Loss Response

31. Forms

32. AppendicesSample cWISP

34. Program Purpose

35. Program Chapters

36. Management & Board of Directors Commitment

37. Program Maintenance

38. Program Annual Reviews and Testing

39. Program Enforcement

40. Training Requirements

41. Training Content

42. Training Documentation

43. New Personnel Training

44. MonitoringSample cWISP

47. Applicable Regulations

48. Information Security OfficerSample cWISP

51. Information Security Policy

53. Encrypted

54. Financial Account

55. Personal Information

56. Reportable Security Incident

57. Reportable Sensitive Personal Information

58. Service Provider

59. Substantial Harm or Inconvenience

60. Security BreachSample cWISP

62. Information Security Policy

63. Definitions

65. Administrative Security Risks

66. Technical (Electronic) Security Risks

67. Physical Security RisksSample cWISP

69. Information Security Policy

70. Definitions

71. Security Risks Considered

73. Security Risk Control MatrixSample cWISP

75. Information Security Policy

76. Definitions

77. Security Risks Considered

78. Security Risks

79. Internet PolicySample cWISP

81. Information Security Policy

82. Definitions

83. Security Risks Considered

84. Security Risks

85. Internet Policy

86. Email PolicySample cWISP

88. Information Security Policy

89. Definitions

90. Security Risks Considered

91. Security Risks

92. Internet Policy

93. Email Policy

94. Acceptable Use PolicySample cWISP

96. Information Security Policy

97. Definitions

98. Security Risks Considered

99. Security Risks

100. Internet Policy

101. Email Policy

102. Acceptable Use Policy

104. Website Privacy Policy

105. Organizational Privacy PolicySample cWISP

107. Information Security Policy

108. Definitions

109. Security Risks Considered

110. Security Risks

111. Internet Policy

112. Email Policy

113. Acceptable Use Policy

114. Privacy Policy

116. Purpose

117. Recordkeeping

118. Record Shredding

119. Records Destruction Process

120. Records Destruction Log

121. Electronic media

122. Transportation of Records

123. EnforcementSample cWISP

125. Information Security Policy

126. Definitions

127. Security Risks Considered

128. Security Risks

129. Internet Policy

130. Email Policy

131. Acceptable Use Policy

132. Privacy Policy

133. Record Retention & Destruction Policy

135. Initial Notification

136. Data Breach ActionsSample cWISP

138. Information Security Policy

139. Definitions

140. Security Risks Considered

141. Security Risks

142. Internet Policy

143. Email Policy

144. Acceptable Use Policy

145. Privacy Policy

146. Record Retention & Destruction Policy

147. Data Loss Response

148. FormsSample cWISP

150. Information Security Policy

151. Definitions

152. Security Risks Considered

153. Security Risks

154. Internet Policy

155. Email Policy

156. Acceptable Use Policy

157. Privacy Policy

158. Record Retention & Destruction Policy

159. Data Loss Response

160. Forms

161. AppendicesSample cWISP

162. Breach Reporting G.L. c. 93H § 3

163. Breach Reporting Breach of security – “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”

164. Breach Reporting Possessor must give notice of Breach of Security Unauthorized Use or Acquisition To Owner/Licensor of Information Owner/Licensor must give notice of Breach of Security Unauthorized Use or Acquisition To – Attorney General Office of Consumer Affairs Resident

165. Breach Reporting “The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: the nature of the breach of security or the unauthorized acquisition or use; the number of Massachusetts residents affected by such incident at the time of notification; and any steps the person or agency has taken or plans to take relating to the incident.”

166. Sample Breach Notification Letter http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf

167. Breach Reporting Stop Be afraid Call for help

168. Data Destruction G.L. c. 93I

169. Data Destruction (93I) Paper documents/ electronic Media: Redact, Burn, Pulverize, Shred So that Personal Information cannot be read or reconstructed

170. Thank You