The document discusses new Massachusetts data security laws and regulations. It notes that $60 billion was lost and over 35 million consumer records were exposed in 2008 due to data breaches and identity theft. The laws, M.G.L. c 93H and 201 CMR 17.00, require businesses that store personal information on Massachusetts residents to implement security measures, notify residents of breaches, and properly dispose of records. Failure to comply can result in fines up to $50,000 per violation.

1. How M.G.L. c. 93H and 201 CMR 17.00 Will Impact Your Business

2. Enhance awareness of new Mass “Data Security Breach Laws and Regulations”Legal perspectivesPractical ToolsTechnical Issues surrounding complianceProvide up to the minute updates on 201 CMR 17.002Session Objectives

3. Identity TheftGlobal View3

4. $60 billion was lost and 35.6 million consumer records were exposed in 2008 due to data breaches and identity theft, a 47% increase over 2007, according to the Identity Theft Resource Center. The U.S. Department of Justice reports that identity theft has surpassed the illegal drug trade as the number one crime in the nation.4Identity Theft & Data Breach

5. Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s (ITRC) 2008 breach report includes 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446.According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.5Data Breaches 2008 – Global View

6. 6Identity Theft

7. Care to share?7Has Anyone Been A Victim Of Identity Theft?

8. The LawsM.G.L. c 93HM.G.L c 93I8

9. M.G.L. c 93HSecurity BreachesM.G.L. c 93IDisposition & destruction of recordsEffective 2/3/089The Laws

10. M.G.L. 93HSecurity Breach10

11. Personal Information is defined as a Massachusetts resident's first and last name, or first initial and last name, along with one or more of the following: Social Security Number, driver's license number or state-issued identification card number, financial account number, or credit or debit card number.Therefore, Personal Information will frequently be included in financial records, employee and possibly candidate HR files, benefits files and certain consumer-related files. 11What Is Personal Information?

12. By statute a breach of security means:Unauthorized acquisition of unencrypted data, or encrypted electronic data along with confidential process or key, that may compromise the security, confidentiality, or integrity of personal information by a person or entity that creates a material risk of identity theft.What triggers a “notice requirement”?When an entity knows or has reason to know that personal information was acquired or used by an unauthorized person or for an unauthorized purpose.12What Is A Security BreachM.G.L. c 93H

13. Notice must be provided to:Resident or residents affectedAttorney General & Director of Consumer AffairsIf so instructed, consumer reporting agencies and/or identified state agencies13What Actions Are Necessary After A Security Breach? M.G.L. c 93H

14. Notice to the resident shall include:Consumer’s right to obtain police reportHow to request a security freeze from consumer reporting agenciesNecessary information to provide when requesting security freezeAny fees required to be paid to the consumer reporting agencies14What Actions Are Necessary After A Security Breach? M.G.L. c 93H

15. Notice to the Attorney General & Director of Consumer Affairs shall include:Nature of breach or unauthorized acquisitionNumber of residents affectedAny steps taken by entity relating to the incident15What Actions Are Necessary After A Security Breach? M.G.L. c 93H

16. Method of notice:Notify by regular or electronic mailSubstitute notice if electronic notice cost exceeds $250,000Substitute notice is website, newspaper publication, or electronic mail blastTime of notice:As soon as practicable without delayNo language about terms of days (although you cannot delay to benefit the company)16What Actions Are Necessary After A Security Breach? M.G.L. c 93H

17. Additional provisions:Firms that use personal information for benefit of another firm, must inform corporate clientsCorporate clients who “own” the data must inform residentsMA firms who suffer a breach affecting residents of other states must comply with that states’ lawFirms outside MA who suffer a breach of MA residents must comply with MA notice laws17What Actions Are Necessary After A Security Breach? M.G.L. c 93H

18. M.G.L. 93IDisposal Of Personal Information18

19. Minimum standards for proper disposal of records containing personal information are:Paper documents must be redacted, burned, pulverized or shreddedElectronic media are to be destroyed or erased19How To Dispose Of RecordsM.G.L. c 93I

20. The Regulation201 CMR 17.0020

21. In the twelve months following the enactment of M.G.L. 93H, the OCABR received reports of over 300 incidents that have compromised or threatened to compromise the personal information of over 600,000 Massachusetts residents.Sixty percent of the cases involved criminal and/or unauthorized acts, with a high frequency of laptops or hard-drives being stolen. The remainder of the breaches resulted from employee error or poor internal handling of sensitive information. Approximately 75% of the reported incidents involved data that was not encrypted or password-protected.21Background – OCABR Findings

22. In October of 2008, The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued 2008 a comprehensive set of final regulations establishing standards for how ALL businesses protect and store Massachusetts personal information about a resident of Massachusetts whether or not that business is based in Massachusetts or not. The original regulations were set to take effect on January 1, 2009; however the deadline was extended to January 1, 2010 and on August 17th was extended to March 1, 2010. 22201 CMR 17.00 Summary

23. Complying with 201 CMR 17.00Who must comply and penalties for not doing so….23

24. Every person that owns or licenses personal information about a resident of the Commonwealth of Massachusetts.OCABR defines “Owns or Licenses” to be:receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.Federally regulated financial and other entities are not exempt from MA law.24Who Must Comply With 201?

25. 45 states, District of Columbia, Puerto Rico and the US Virgin Islands have similar legislation but Mass is most rigid25Is Massachusetts the Only State with such a law

26. A civil penalty of $5,000 may be levied for each violation of M.G.L. 93H 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.Failure to comply with Chapter 93H or 93I may subject the offender to a suit by the Attorney General under Chapter 93A, the consumer protection law. Violations may mean triple damages, as well as attorneys’ fees and legal costs. Penalties for Non-Compliance

27. There are many additional business impacts, including: Costs associated with legal actions:Legal battles with issuing banks Lawsuits from states and the FTC Class-action lawsuits from consumers Brand impact resulting in loss of consumer and stockholder confidenceImpact to customer relationships, possibly resulting in a loss of businessIncreased oversight internally and from external entities Costs of a public relations 27Consequences of Compromise

28. In addition to the penalties levied by the state you must also consider the actual costs of a data breach. The following items should be considered in calculating costs. Costs

29. Companies experiencing a data breach spent an average of $14 million on recovery costs, including unbudgeted spending for outside legal counsel, mail notification letters, calls to individual customers, increased call center support and discounted product offers. Even more significantly, businesses that experience a data breach lose an average of 2.6% of their total customer base.Costs

30. In 2007 lost business was 54 percent of data breach costs.A poll of more than 2,000 North American and European consumers conducted by Opinion Research Corporation found that 59% of consumers would either strongly consider or definitely take their business elsewhere if their personal information was compromised.The real punishment is brand diminishmentCosts to Brand Integrity

31. Media coverage of security breaches is also affecting brand integrity. According to Factiva, media coverage of companies that suffered a security breach accounted for more than half the stories written about those companies. Brand Diminishment

32. Most significantly, an Emory University study recently confirmed that security breach events directly affect stock performance. When such events are reported, companies lose an average of 0.63% to 2.1% value in stock price – equivalent to a loss in market capitalization of $860 million to $1.65 billion per incident!(7)Brand Diminishment

33. Most business owners are unaware of how Information Security lapses can negate their coverage entirely. This gap in coverage has the ability to put your company out of business. Failure to follow or document due care and due diligence is evidence of negligent behavior. Will my Business Insurance cover this?

34. Your ability to show documentation that your business is doing what is required will mean the difference between having insurance cover the costs or a data breach and going bankrupt from having to pay out of pocket costs. Will my Business Insurance cover this?

35. According to Joel Winston of the FTC, the commission is currently filing cases against companies that do not utilize reasonable measures to secure privacy data. The FTC is employing numerous strategies to get the message to the business community about the importance of protecting consumers from privacy information and identity theft. 35FTC and Privacy Protection

36. 201 CMR 17.00The Regulation 36

37. The Massachusetts regulation imposes a duty to protect personal information and provides administrative standards as well as computer security requirements. Administratively, each entity holding personal information is required to enact a Comprehensive Information Security Program (CISP) compliant with the regulations.37201 CMR 17.00

38. The minimum requirements for an information security program are broken down into two main categories: requirements applicable to personal information generallyand requirements applicable to personal information in electronic form.38201 CMR 17.00 - Overview

39. All comprehensive information security programs must include the following:Designated employee. Identify risks. Off-premises access practice. Disciplinary measures. Terminated employee policy. Third-party service providers policy. Limited access. Physical access. Review of information security program. Addressing data incidents. 39Requirements Applicable To Personal Information Generally

40. All information security programs must include the following, as it relates to electronic personal information:User authentication protocols. Authentication must involve: the control of user IDs, use of passwords, control of password data, restricting access to active users on active accounts. blocking access after multiple incorrect login attempts. Secure access control measures. Encryption of transmitted records. Monitoring of systems. Laptop encryption. Security patches and firewall protection. Anti-virus software. Education and training. 40Requirements Applicable To Personal Information In Electronic Form

41. Develop a security program, designate an employee to manage it, and discipline employee violators; Assess internal and external security risks and the effectiveness of current safeguards, upgrading as necessary; Train employees regarding security; Institute security policies for employees that meet certain specified standards; Prevent terminated employees from gaining access to personal information; 41Comprehensive Information Security Program Requirements (CISP)

42. Ensure that service providers are capable of protecting personal information. Limit the amount of personal information collected, how long it is kept, and restrict access on a need-to-know basis; Identify records containing personal information, or treat all records as if they did; Regularly monitor employee access to personal information; Review security measures annually, take corrective action when necessary and document action taken in response to security breaches; and Restrict physical access to records containing personal information.42Comprehensive Information Security Program Requirements (CISP)

43. Establish user authentication protocols that include control of user IDs and a secure method of assigning passwords (including prohibiting use of vendor-supplied default passwords) or other unique identifiers such as token devices; Make sure password location does not compromise the security of the data it protects, restrict access to active users only and block access after multiple unsuccessful attempts; Restrict access to personal information on a need-to-know basis; Periodic system monitoring for signs of unauthorized use or access; Reasonably up-to-date malware protection and virus definitions.43Additional Elements for Electronic Records

44. M.G.L. c. 93H 201 CMR 17.00The Details44

45. Every comprehensive information security program shall include, but shall not be limited to:Designating one or more employees to maintain the comprehensive information security program;Identifying and assessing reasonably foreseeable internal and external risks to the security.Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records.Imposing disciplinary measures for violations of the comprehensive information security program rules.Preventing terminated employees from accessing records containing personal information.Taking all reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information.45M.G.L. c. 93H 201 CMR 17.00Details

46. Limiting the amount of personal information collected.Reasonable restrictions upon physical access to records containing personal information,.Regular monitoring to ensure that the comprehensive information security program is operating.Reviewing the scope of the security measures at least annually.Documenting responsive actions taken in connection with any incident involving a breach of security.46M.G.L. c. 93H 201 CMR 17.00Details

47. Computer System Security Requirements:Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:Secure user authentication protocols including: control of user IDs and other identifiers; a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; restricting access to active users and active user accounts only; and blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system; 47M.G.L. c. 93H 201 CMR 17.00Details

48. Secure access control measures that: restrict access to records and files containing personal information to those who need such information to perform their job duties; and assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls; Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. Reasonable monitoring of systems, for unauthorized use of or access to personal information.Encryption of all personal information stored on laptops or other portable devices.48M.G.L. c. 93H 201 CMR 17.00Details

49. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.Education and training of employees on the proper use of the computer security system and the importance of personal information security.49M.G.L. c. 93H 201 CMR 17.00Details

50. Under the new deadline structure:The general compliance deadline for 201 CMR 17.00 has been extended to March 1, 2010. 50Compliance Deadline

51. It is not yet clear how the state will approach enforcement initially, although in similar circumstances (including the passage of Chapter 93H itself), government officials have expressed a willingness to become increasingly stringent about enforcement with the passage of time. Businesses that miss the deadline or otherwise fall short of the standard set by the regulations will run a considerable and steadily increasing risk. 51201 CMR 17.00: Enforcement

52. TBG ApproachNext Steps To Securing Your Business52

53. TBG Security consultants have years of experience helping customers comply with State and Federal business and privacy regulations. We are able to assist your organization with all aspects of compliance with these and other information security-related business regulations.53Your Partner For Success

54. Performing an audit to determine your current level of compliance with these new business regulationsCreating a Comprehensive Information Security Policy Advising you on specific steps needed to achieve compliance Deploying and supporting security infrastructure to automatically encrypt email messages.Perform initial setup and training on software to encrypt your laptops and other mobile devicesUpdate and support your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code Identify and recommend remediation for vulnerabilities present in your systems. 54TBG Security Will Help By..

55. 55TBG MethodologyTBG Security MethodologyAssessmentMaintenance & Ongoing Compliance MonitoringImplementationDesign3124

56. Clients56

57. Kevin GorslineVP Business DevelopmentO: 877.223.6651 X 707C: 781.820.9032E: kgorsline@tbgsec.comTBG Security31 Hayward RdFranklin, MA 02038www.tbgsec.comContact Info 57