The purpose of this paper is to review the topic of data breach from two perspectives: first, an overview of the trends in data breach litigation, and second, a more granular perspective of practical data protection processes that may serve as a guidepost to help reduce the risk of likelihood of data breach. Taken together the reader will understand why a measured approach to data protection can reduce the risk of financial liability from a data breach lawsuit.
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
Introduction to US Privacy and Data Security Regulations and Requirements (Se... by Financial Poise
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-regulations-and-requirements-2021/
Privacy rules matter—make sure your firm stays compliant.
While every lawyer knows the basic rules behind confidentiality and attorney-client privilege, the significance of privacy law is less well-known—and that lack of knowledge can impact your law firm. Emerging privacy rights and rights of action are impacting businesses of all types—including those in the legal profession. Local, national, and even international laws are making privacy the next frontier in data management for lawyers.
Are you prepared to adjust to the new demands of privacy for law firms, and move beyond confidentiality?
Join Joshua Lenon—an IAPP Certified Information Privacy Professional and Clio’s Lawyer in Residence and Data Protection Officer—as he explains how these privacy laws can impact law firms and what your firm should do to ensure compliance.
In this free 1-hour CLE-eligible webinar, you’ll learn:
Why law firm data must conform with emerging privacy regulations
The impact of clients’ compliance with privacy law on firm operations
Future privacy laws that may affect your law firm—no matter where you operate
https://www.clio.com/events/webinar-law-firm-privacy/
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Bootcamp) by Financial Poise
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2019/
IIAC Young Agents - Protecting Your Insureds' Private Information by Jason Hoeppner
Personal information security and breach notification requirements are topics that all independent insurance agencies need to be aware of and be prepared for operationally in the event of a loss of clients' information.
A presentation on insurance coverage for cyber security given by Victor Ulrich of Arthur J. Gallagher & Co. at the Association of Hospitality Professionals' June 30th, 2017 meeting.
In the last several years, substantial data breaches or hacker attacks in the U.S. have shown no signs of abating. Neither have the class actions that typically follow in their wake. Bradley Arant discusses litigation trends in data breach class actions. The video will touch on evolving issues in these cases, including recent loosening of consumer standing requirements (in cases after the Supreme Court’s Clapper decision), class certification and other issues raised in the Target litigation. We will also provide an overview of recent settlements of data breach class actions and what they might mean for later cases. The webinar will address several issues pending before the Supreme Court this term that could have significant impact, including whether a statutory violation without other injury confers Article III standing, and the extent to which statistical evidence can be used to justify class certification.
Bradley's panel reacts to and addresses a hypothetical cyber incident involving a widespread compromise of consumer healthcare and financial information. Amy Leopard (Healthcare), Mike Pennington (Litigation), John Goodman (Litigation), Elena Lovoy (Financial Services), and moderator Paige Boshell (Intellectual Property, Financial Services) will offer legal and practical strategies to proactively respond to and resolve a specified data breach. Highlights will include customer notice strategies, attorney-client privilege and litigation avoidance strategies, and coordination with third parties, including external PR and forensic investigators, vendors, regulators, and law enforcement.
The Federal Trade Commission (FTC or Commission) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector-specific laws, including the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.
Cognizant business consulting: the impacts of GDPR by Audrey Miguel
In May 2018, GDPR (Global Data Protection Regulation) will come into force in Europe. Conventional wisdom is that GDPR will cause significant legal changes for many organizations and result in yet another regulatory-driven upheaval in technology. But is this an accurate assessment of the likely impact?
Pending legislation in Congress would protect whistleblowing about cybersecurity and data privacy. In the interim, some existing federal and state whistleblower protection laws provide limited protection for cybersecurity and data privacy whistleblowing.
Get the insights you need to elevate your legal practice.
The annual Legal Trends Report sheds light on the most important issues faced within the legal profession. This year’s report features a multi-year analysis of 2,000 law firms’ revenue growth, as well as a survey of 2,000 legal consumers, and a test of 1,000 law firms’ responses to client inquiries. Informed with this research, the report examines:
What differentiates growing law firms from stagnating practices.
What potential clients want when they look for a lawyer.
How today’s law firms fare at interacting with potential clients—and where they can improve.
In this 60 minute webinar, join George Psiharis, Clio’s Chief Operating Officer, and Joshua Lenon, Clio’s Lawyer in Residence, as they explore the 2019 Legal Trends Report in detail to identify the report’s most important findings and contextualize what the data means for legal professionals and firms.
By watching this Legal Trends Report webinar, you will learn:
The biggest takeaways from Clio’s research into 2019 legal trends.
Our top recommended actions for legal professionals based on the report.
Additional insights on how to take a more data-driven approach at your firm.
https://landing.clio.com/2019-Legal-Trends-Report.html
Privacy and Information Security: What Every New Business Needs to Know by The Capital Network
Reports of data security breaches conjure up images of anonymous computer hackers sitting in a darkened room, fingers flying over a keyboard in an effort to hack into a computer system to find valuable information to exploit. Not long ago, most of us considered these breaches to be infrequent and likely targeted at information much more commercially unique than the average consumer data stored by most businesses.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
Responding to a Company-Wide PII Data Breach by CBIZ, Inc.
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur... by Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
Rarely does a week go by without the announcement of another major data breach that has put thousands, or even millions, of consumers at risk of fraud. From malicious use of compromised credit and debit cards, to increased identity theft risk, to drained bank accounts, the threats are real and impact millions of consumers. A key challenge for the incoming 114th Congress will be to implement long-needed reforms that will protect American consumers' personal data from malicious use by criminal hackers.
This presentation covers the FACTA Identity Theft Red Flags Rule and other legislation relevant to business compliance in preventing and reducing identity theft in the workplace.
Consumer protections exist to prevent fraud, usury, extortion and other financial crimes. Since individuals are not always aware of commercial and legal details surrounding transactions and business communications, undesirable and underhanded access to the wallets and bank accounts of unsuspecting people becomes possible.
A summarized version of the 60-page Rule, broken down by Kirk J. Nahra, a partner with Wiley Rein & Fielding LLP in Washington, D.C. He specializes in privacy and information security litigation and counseling for companies facing compliance obligations in these areas. He is the Chair of the firm’s Privacy Practice. He serves on the Board of Directors of the International Association of Privacy Professionals, and edits IAPP’s monthly newsletter, Privacy Officers Advisor. He is a Certified Information Privacy Professional, and is the Chair of the ABA Health Law Section’s Interest Group on eHealth, Privacy & Security.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
Cyber risk related to information security is growing. A potentially huge exposure for transportation companies is the personal data of their current and prospective drivers.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
Introduction to US Privacy and Data Security: Regulations and Requirements by Financial Poise
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
Part of the webinar series: CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
Cyber security legal and regulatory environment - Executive Discussion by Joe Nathans
What will you do when a breach occurs, and critical, confidential information has been publicly disclosed?
• FBI, Law Enforcement or Reporter Calls
• You become the Top News Story
• Investors need answers
• Regulatory Agencies are asking questions
• Your Customers, Suppliers, and Employees are affected, concerned, and need information
• The Breach becomes your only priority and you don’t know:
o What happened and what was disclosed?
o Who is responsible for resolution and who is on our team?
o What are our legal responsibilities?
o How will we manage the surge volume of communications, discovery and analysis?
o Who will pay?
The following presentation begins to address some of the legal and regulatory issues that are involved. The presentation is for discussion purposes only and should not be considered legal advice.
The Protected Harbor 2022 Legal Services Data Breach Trend Report by Protected Harbor
Protected Harbor's 2022 Legal Services Data Breach Trend Report is a comprehensive analysis of the evolving cybersecurity landscape in the legal industry. This report offers valuable insights into emerging trends, challenges, and opportunities that legal professionals and firms may encounter in the year ahead. Through in-depth research and expert analysis, it sheds light on the impact of technological advancements, changing regulations, and client expectations on legal services. Stay ahead of the curve with this indispensable guide to the future of legal services.
2013-11 Growing Trend of Finding Regulatory and Tort ... by Raleigh ISSA
Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches" with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
1. How M.G.L. c. 93H and 201 CMR 17.00 Will Impact Your Business
2. Enhance awareness of new Mass “Data Security Breach Laws and Regulations” Legal perspectives Practical Tools Technical Issues surrounding compliance Provide up to the minute updates on 201 CMR 17.00 2 Session Objectives
4. $60 billion was lost and 35.6 million consumer records were exposed in 2008 due to data breaches and identity theft, a 47% increase over 2007, according to the Identity Theft Resource Center. The U.S. Department of Justice reports that identity theft has surpassed the illegal drug trade as the number one crime in the nation. 4 Identity Theft & Data Breach
5. Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s (ITRC) 2008 breach report includes 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords. 5 Data Breaches 2008 – Global View
11. Personal Information is defined as a Massachusetts resident's first and last name, or first initial and last name, along with one or more of the following: Social Security Number, driver's license number or state-issued identification card number, financial account number, or credit or debit card number. Therefore, Personal Information will frequently be included in financial records, employee and possibly candidate HR files, benefits files and certain consumer-related files. 11 What Is Personal Information?
12. By statute a breach of security means: Unauthorized acquisition of unencrypted data, or encrypted electronic data along with confidential process or key, that may compromise the security, confidentiality, or integrity of personal information by a person or entity that creates a material risk of identity theft. What triggers a “notice requirement”? When an entity knows or has reason to know that personal information was acquired or used by an unauthorized person or for an unauthorized purpose. 12 What Is A Security Breach M.G.L. c 93H
13. Notice must be provided to: Resident or residents affected Attorney General & Director of Consumer Affairs If so instructed, consumer reporting agencies and/or identified state agencies 13 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
14. Notice to the resident shall include: Consumer’s right to obtain police report How to request a security freeze from consumer reporting agencies Necessary information to provide when requesting security freeze Any fees required to be paid to the consumer reporting agencies 14 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
15. Notice to the Attorney General & Director of Consumer Affairs shall include: Nature of breach or unauthorized acquisition Number of residents affected Any steps taken by entity relating to the incident 15 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
16. Method of notice: Notify by regular or electronic mail Substitute notice if electronic notice cost exceeds $250,000 Substitute notice is website, newspaper publication, or electronic mail blast Time of notice: As soon as practicable without delay No language about terms of days (although you cannot delay to benefit the company) 16 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
17. Additional provisions: Firms that use personal information for benefit of another firm, must inform corporate clients Corporate clients who “own” the data must inform residents MA firms who suffer a breach affecting residents of other states must comply with that states’ law Firms outside MA who suffer a breach of MA residents must comply with MA notice laws 17 What Actions Are Necessary After A Security Breach? M.G.L. c 93H
19. Minimum standards for proper disposal of records containing personal information are: Paper documents must be redacted, burned, pulverized or shredded Electronic media are to be destroyed or erased 19 How To Dispose Of Records M.G.L. c 93I
21. Background – OCABR Findings
In the twelve months following the enactment of M.G.L. c. 93H, the OCABR received reports of over 300 incidents that compromised or threatened to compromise the personal information of over 600,000 Massachusetts residents. Sixty percent of the cases involved criminal and/or unauthorized acts, with a high frequency of laptops or hard drives being stolen. The remainder of the breaches resulted from employee error or poor internal handling of sensitive information. Approximately 75% of the reported incidents involved data that was not encrypted or password-protected.

22. 201 CMR 17.00 Summary
In October 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a comprehensive set of final regulations establishing standards for how ALL businesses protect and store personal information about a resident of Massachusetts, whether or not the business is based in Massachusetts. The original regulations were set to take effect on January 1, 2009; however, the deadline was extended to January 1, 2010 and then, on August 17th, to March 1, 2010.

23. Complying with 201 CMR 17.00
Who must comply, and the penalties for not doing so.

24. Who Must Comply With 201 CMR 17.00?
Every person that owns or licenses personal information about a resident of the Commonwealth of Massachusetts. OCABR defines “owns or licenses” as: receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. Federally regulated financial and other entities are not exempt from MA law.

25. Is Massachusetts the Only State with Such a Law?
45 states, the District of Columbia, Puerto Rico and the US Virgin Islands have similar legislation, but Massachusetts is the most rigid.

26. Penalties for Non-Compliance
A civil penalty of $5,000 may be levied for each violation of M.G.L. c. 93H / 201 CMR 17.00. In addition, under the portion of M.G.L. c. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal. Failure to comply with Chapter 93H or 93I may subject the offender to a suit by the Attorney General under Chapter 93A, the consumer protection law. Violations may mean triple damages, as well as attorneys’ fees and legal costs.
27. Consequences of Compromise
There are many additional business impacts, including:
- Costs associated with legal actions:
  - Legal battles with issuing banks
  - Lawsuits from states and the FTC
  - Class-action lawsuits from consumers
- Brand impact resulting in loss of consumer and stockholder confidence
- Impact to customer relationships, possibly resulting in a loss of business
- Increased oversight internally and from external entities
- Public relations costs

28. Costs
In addition to the penalties levied by the state, you must also consider the actual costs of a data breach. The following items should be considered in calculating costs.

29. Costs
Companies experiencing a data breach spent an average of $14 million on recovery costs, including unbudgeted spending for outside legal counsel, mail notification letters, calls to individual customers, increased call center support and discounted product offers. Even more significantly, businesses that experience a data breach lose an average of 2.6% of their total customer base.

30. Costs to Brand Integrity
In 2007, lost business was 54 percent of data breach costs. A poll of more than 2,000 North American and European consumers conducted by Opinion Research Corporation found that 59% of consumers would either strongly consider or definitely take their business elsewhere if their personal information was compromised. The real punishment is brand diminishment.

31. Brand Diminishment
Media coverage of security breaches is also affecting brand integrity. According to Factiva, media coverage of companies that suffered a security breach accounted for more than half the stories written about those companies.

32. Brand Diminishment
Most significantly, an Emory University study recently confirmed that security breach events directly affect stock performance. When such events are reported, companies lose an average of 0.63% to 2.1% of their stock price, equivalent to a loss in market capitalization of $860 million to $1.65 billion per incident! (7)

33. Will My Business Insurance Cover This?
Most business owners are unaware of how information security lapses can negate their coverage entirely. This gap in coverage has the ability to put your company out of business. Failure to follow or document due care and due diligence is evidence of negligent behavior.

34. Will My Business Insurance Cover This?
Your ability to show documentation that your business is doing what is required will mean the difference between having insurance cover the costs of a data breach and going bankrupt from having to pay those costs out of pocket.

35. FTC and Privacy Protection
According to Joel Winston of the FTC, the commission is currently filing cases against companies that do not utilize reasonable measures to secure private data. The FTC is employing numerous strategies to get the message to the business community about the importance of protecting consumers’ private information and preventing identity theft.
37. 201 CMR 17.00
The Massachusetts regulation imposes a duty to protect personal information and provides administrative standards as well as computer security requirements. Administratively, each entity holding personal information is required to enact a Comprehensive Information Security Program (CISP) compliant with the regulations.

38. 201 CMR 17.00 - Overview
The minimum requirements for an information security program are broken down into two main categories: requirements applicable to personal information generally, and requirements applicable to personal information in electronic form.

39. Requirements Applicable To Personal Information Generally
All comprehensive information security programs must include the following:
- Designated employee
- Identification of risks
- Off-premises access practice
- Disciplinary measures
- Terminated employee policy
- Third-party service provider policy
- Limited access
- Physical access controls
- Review of the information security program
- Addressing data incidents

40. Requirements Applicable To Personal Information In Electronic Form
All information security programs must include the following, as it relates to electronic personal information:
- User authentication protocols. Authentication must involve: control of user IDs; use of passwords; control of password data; restricting access to active users on active accounts; and blocking access after multiple incorrect login attempts.
- Secure access control measures
- Encryption of transmitted records
- Monitoring of systems
- Laptop encryption
- Security patches and firewall protection
- Anti-virus software
- Education and training

41. Comprehensive Information Security Program Requirements (CISP)
- Develop a security program, designate an employee to manage it, and discipline employee violators;
- Assess internal and external security risks and the effectiveness of current safeguards, upgrading as necessary;
- Train employees regarding security;
- Institute security policies for employees that meet certain specified standards;
- Prevent terminated employees from gaining access to personal information;

42. Comprehensive Information Security Program Requirements (CISP)
- Ensure that service providers are capable of protecting personal information;
- Limit the amount of personal information collected and how long it is kept, and restrict access on a need-to-know basis;
- Identify records containing personal information, or treat all records as if they did;
- Regularly monitor employee access to personal information;
- Review security measures annually, take corrective action when necessary, and document action taken in response to security breaches; and
- Restrict physical access to records containing personal information.

43. Additional Elements for Electronic Records
- Establish user authentication protocols that include control of user IDs and a secure method of assigning passwords (including prohibiting the use of vendor-supplied default passwords) or other unique identifiers such as token devices;
- Make sure the password storage location does not compromise the security of the data it protects, restrict access to active users only, and block access after multiple unsuccessful attempts;
- Restrict access to personal information on a need-to-know basis;
- Periodically monitor systems for signs of unauthorized use or access;
- Maintain reasonably up-to-date malware protection and virus definitions.
45. M.G.L. c. 93H / 201 CMR 17.00 Details
Every comprehensive information security program shall include, but shall not be limited to:
- Designating one or more employees to maintain the comprehensive information security program;
- Identifying and assessing reasonably foreseeable internal and external risks to security;
- Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records;
- Imposing disciplinary measures for violations of the comprehensive information security program rules;
- Preventing terminated employees from accessing records containing personal information;
- Taking all reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information.

46. M.G.L. c. 93H / 201 CMR 17.00 Details
- Limiting the amount of personal information collected;
- Reasonable restrictions upon physical access to records containing personal information;
- Regular monitoring to ensure that the comprehensive information security program is operating;
- Reviewing the scope of the security measures at least annually;
- Documenting responsive actions taken in connection with any incident involving a breach of security.

47. M.G.L. c. 93H / 201 CMR 17.00 Details
Computer System Security Requirements: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum and to the extent technically feasible, shall have the following elements:
- Secure user authentication protocols, including:
  - control of user IDs and other identifiers;
  - a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies such as biometrics or token devices;
  - control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
  - restricting access to active users and active user accounts only; and
  - blocking access to user identification after multiple unsuccessful attempts to gain access, or the limitation placed on access for the particular system;

48. M.G.L. c. 93H / 201 CMR 17.00 Details
- Secure access control measures that:
  - restrict access to records and files containing personal information to those who need such information to perform their job duties; and
  - assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
- Reasonable monitoring of systems for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices.

49. M.G.L. c. 93H / 201 CMR 17.00 Details
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
- Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.

50. Compliance Deadline
Under the new deadline structure, the general compliance deadline for 201 CMR 17.00 has been extended to March 1, 2010.

51. 201 CMR 17.00: Enforcement
It is not yet clear how the state will approach enforcement initially, although in similar circumstances (including the passage of Chapter 93H itself) government officials have expressed a willingness to become increasingly stringent about enforcement with the passage of time. Businesses that miss the deadline or otherwise fall short of the standard set by the regulations will run a considerable and steadily increasing risk.
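The "secure user authentication protocols" items that slides 40, 43, 47 and 48 list (control of user IDs, passwords kept in a form that does not compromise the data they protect, no vendor-supplied default passwords, access only for active accounts, a block after multiple unsuccessful attempts, and monitoring for unauthorized use) map onto a small amount of code. The following is an added example, not material from the slide deck or from TBG Security; every name, threshold and sample account in it is a constructed assumption, since the regulation names no specific numbers.

```python
"""Added example, not from the slide deck or from TBG Security: a minimal
authentication service implementing the 201 CMR 17.00 "secure user
authentication protocols" items.  All names, thresholds and sample data are
constructed assumptions; the regulation sets none of them."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed policy values: the regulation says "multiple unsuccessful attempts"
# and "reasonably secure" but names no numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000

# Constructed denylist standing in for vendor-supplied default passwords.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456", "welcome1"}


def is_acceptable_password(password: str) -> bool:
    """Reject vendor defaults and trivially short passwords."""
    return password.lower() not in DEFAULT_PASSWORDS and len(password) >= MIN_PASSWORD_LENGTH


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes            # only a salted PBKDF2 hash is kept, never the password
    active: bool = True       # terminated employees are deactivated, not deleted
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class AuthService:
    clock: Callable[[], float] = time.time          # injectable so lockout expiry can be tested
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[Tuple[float, str, str]] = field(default_factory=list)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _log(self, user_id: str, event: str) -> None:
        self.audit_log.append((self.clock(), user_id, event))

    def create_account(self, user_id: str, password: str) -> None:
        """Control of user IDs (unique) and of how passwords are assigned."""
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")
        if not is_acceptable_password(password):
            raise ValueError("vendor-default or weak password rejected")
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(password, salt))
        self._log(user_id, "account_created")

    def deactivate(self, user_id: str) -> None:
        """Restrict access to active users on active accounts."""
        self.accounts[user_id].active = False
        self._log(user_id, "deactivated")

    def login(self, user_id: str, password: str) -> bool:
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            self._log(user_id, "denied_unknown_or_inactive")
            return False
        if now < acct.locked_until:
            self._log(user_id, "denied_locked")
            return False
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self._log(user_id, "login_ok")
            return True
        acct.failed_attempts += 1
        self._log(user_id, "login_failed")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Block access after multiple unsuccessful attempts.
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self._log(user_id, "account_locked")
        return False

    def suspicious_users(self, window_seconds: float, threshold: int = MAX_FAILED_ATTEMPTS) -> List[str]:
        """Monitoring hook: user IDs with at least `threshold` failed logins in the window."""
        cutoff = self.clock() - window_seconds
        counts: Dict[str, int] = {}
        for ts, uid, event in self.audit_log:
            if ts >= cutoff and event == "login_failed":
                counts[uid] = counts.get(uid, 0) + 1
        return sorted(uid for uid, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    svc = AuthService()
    svc.create_account("alice", "correct horse battery staple")   # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong-password")
    print("locked out:", not svc.login("alice", "correct horse battery staple"))
    print("flagged for review:", svc.suspicious_users(3600))
```

The audit log is what makes the "reasonable monitoring" item auditable: `suspicious_users` is the kind of query a reviewer would run over it, and the same records are the documentation the regulation asks for when an incident is investigated.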
53. Your Partner For Success
TBG Security consultants have years of experience helping customers comply with state and federal business and privacy regulations. We are able to assist your organization with all aspects of compliance with these and other information security-related business regulations.

54. TBG Security Will Help By:
- Performing an audit to determine your current level of compliance with these new business regulations
- Creating a Comprehensive Information Security Policy
- Advising you on the specific steps needed to achieve compliance
- Deploying and supporting security infrastructure to automatically encrypt email messages
- Performing initial setup and training on software to encrypt your laptops and other mobile devices
- Updating and supporting your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code
- Identifying and recommending remediation for vulnerabilities present in your systems

57. Contact Info
Kevin Gorsline, VP Business Development
O: 877.223.6651 x707
C: 781.820.9032
E: kgorsline@tbgsec.com
TBG Security, 31 Hayward Rd, Franklin, MA 02038
www.tbgsec.com