The New Massachusetts Privacy Rules (February 2, 2010)


Presentation on the new Massachusetts Data Privacy Regulations

Published in: Technology

  1. The Massachusetts Data Privacy Rules (Stephen E. Meltzer, Esquire, CIPP)
  2. The New Massachusetts Data Security Rules
  4. New Mandate: PI = PI (Personal Information = Privacy Infrastructure)
  6. Agenda
     • Introduction
     • Scope of Rules
     • Comprehensive Written Information Security Program (cWISP)
     • Computer System Security Requirements
     • Breach Reporting Requirements
     • What To Do Now
     • Questions and Answers
  7. Summary
     • Statute enacted in 2007
     • Rules issued on September 19, 2008 (and subsequently amended)
     • Effective date March 1, 2010 (as of August 2009); originally scheduled to take effect January 1, 2009, then May 1, 2009, then January 1, 2010
  8. Summary
     • Consequences for non-compliance:
       • At least: increased risk of government enforcement or private litigation
         • 93H § 6 incorporates 93A § 4: $5,000 per occurrence, attorneys' fees, cost of investigation/enforcement
       • At worst: enforcement plus bad PR, then compliance and oversight
  9. What Prompted the Rules?
     • High-profile data breach cases
     • Breach notification alone insufficient
     • Reflection of states' interest in protecting personal information
     • Data in transit or on portable devices most at risk
  10. Looking Ahead
     • Massachusetts is one of the first, but is likely not the last
     • Federal legislation:
       • HITECH (ARRA)
       • Red Flags
       • H.2221 (prospect of preemption)
  11. Scope of Rules
  12. Scope of Rules
     • Covers ALL PERSONS that own or license personal information about a Massachusetts resident
     • Need not have operations in Massachusetts
     • Financial institutions, health care and other regulated entities are not exempt
  13. Scope of Rules
     • "Personal information": a resident's first and last name, or first initial and last name, in combination with
       • SSN,
       • driver's license or state ID number, or
       • financial account number or credit/debit card number that would permit access to a financial account
  14. Scope of Rules
     • Examples:
       • Employee records
       • Payroll or 401(k) information
       • Real estate practice
       • Family practice
       • Business practice
       • Bankruptcy practice
       • Personal injury practice
  15. Three Requirements
     1. Develop, implement and maintain a comprehensive written information security program that meets very specific requirements (cWISP)
     2. Heightened information security meeting specific computer system security requirements
     3. Vendor compliance (phase-in)
  16. Evaluating Compliance (not Evaluating Applicability)
     • Appropriate to:
       • Size of business
       • Scope of business
       • Type of business
       • Resources available
       • Amount of data stored
       • Need for security and confidentiality of consumer and employee information
  17. Evaluating Compliance (not Evaluating Applicability)
     • "The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated."
  18. Enforcement
     • Litigation and enforcement by the Massachusetts Attorney General
     • Massachusetts law requires notice to the Attorney General of any breach, in addition to affected consumers
     • Attorney General likely to investigate based on breach reports
     • No explicit private right of action or penalties
  19. Comprehensive Written Information Security Program (201 CMR 17.03)
  20. Information Security Program
     • "[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards"
  21. Comprehensive Information Security Program, 201 CMR 17.03(2)(a) through (j)
     • a. Designate
     • b. Identify
     • c. Develop
     • d. Impose
     • e. Prevent
     • f. Oversee
     • g. Restrict
     • h. Monitor
     • i. Review
     • j. Document
  22. Comprehensive Information Security Program
     • (a) Designate an employee to maintain the WISP.
     • (b) Identify and assess reasonably foreseeable risks (internal and external).
     • (c) Develop security policies for keeping, accessing and transporting records.
     • (d) Impose disciplinary measures for violations of the program.
     • (e) Prevent access by terminated employees.
     • (f) Oversee service providers and contractually ensure compliance.
     • (g) Restrict physical access to records.
     • (h) Monitor security practices to ensure effectiveness and make changes if warranted.
     • (i) Review the program at least annually.
     • (j) Document responsive actions to breaches.
  23. Comprehensive Information Security Program
     • Third-party compliance:
       1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
       2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information
  24. Comprehensive Information Security Program
     • Third-party compliance:
       • Contracts entered into "no later than" March 1, 2010: two-year phase-in.
       • Contracts entered into "later than" March 1, 2010: immediate compliance.
  25. Comprehensive Information Security Program
     • "INDUSTRY STANDARDS"
  26. Breach Reporting (G.L. c. 93H § 3)
  27. Breach Reporting
     • Breach of security: "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure."
  28. Breach Reporting
     • Possessor must give notice of
       • Breach of security
       • Unauthorized use or acquisition
         • To the owner/licensor of the information
     • Owner/licensor must give notice of
       • Breach of security
       • Unauthorized use or acquisition
         • To:
           • Attorney General
           • Office of Consumer Affairs
           • Resident
  29. Breach Reporting
     • "The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:
       • the nature of the breach of security or the unauthorized acquisition or use;
       • the number of Massachusetts residents affected by such incident at the time of notification; and
       • any steps the person or agency has taken or plans to take relating to the incident."
  30. Sample Breach Notification Letter
  31. Breach Reporting
     • Stop
     • Be afraid
     • Call for help
  32. Computer System Security Requirements (201 CMR 17.04)
  33. Electronic Requirements (201 CMR 17.04)
     • Use authentication protocols
     • Secure access controls
     • Encryption of transmittable records
     • Monitoring systems
     • Laptop and mobile device encryption
     • Security patches and firewalls
     • System security agents
     • IT security user awareness
  34. User Authentication Protocols
     • Control of user IDs
     • Secure password selection
     • Secure or encrypted password files
     • User accounts blocked for unusual logon attempts
     Examples: passwords should be at least 9 characters, alphanumeric with special characters. After 3 attempts to log in, users are blocked from access.
  35. Secure Access Control Measures
     • Permit "access" on a need-to-know basis
     • Password-protect accounts and use the login to determine level of access
     Example: network access control software/hardware (ConSentry, Sophos). Audit control: who is accessing what, and when?
  36. Encryption of Transmitted Records
     • Encryption of personal information accessed over a public network
       • Tunneling options (VPN)
       • Faxes, VoIP, phone calls
     • Encryption of PI on wireless
       • Bluetooth, WEP, Wi-Fi
     • The definition of encryption is very broad
     Examples: PGP and Utimaco are encryption technologies.
  37. Monitoring of Systems
     • Requires systems to detect unauthorized use of, or access to, personal information
     • Some existing user-account-based systems will already comply
     Examples: again, network access control and audit controls.
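The three slides above (user authentication protocols, need-to-know access control, and monitoring) describe controls without showing how they fit together. The following is an added example, not code from the presentation or the speaker: a minimal authentication and access model that applies the slide's example policy (9-character minimum, lockout after 3 failed attempts), keeps only salted hashes in the password store, enforces a need-to-know role check on each record class, and writes every decision to an audit log that a reviewer can query. The record classes, role names and user names are assumptions constructed for the example.

```python
"""Added example, not from the presentation: a minimal model of the
user-authentication, need-to-know and monitoring points on the slides above.
The 9-character minimum and the 3-attempt lockout are the slide's example
policy; the record classes, roles and user names are constructed here."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Optional

MIN_PASSWORD_LENGTH = 9   # slide: "at least 9 characters"
MAX_FAILED_ATTEMPTS = 3   # slide: "after 3 attempts to log in, users are blocked"

# Which roles have a need to know each class of personal-information record
# (constructed for illustration; a real system would load this from policy).
NEED_TO_KNOW = {"payroll": {"hr"}, "client_file": {"legal"}}


def password_meets_policy(pw: str) -> bool:
    """At least 9 characters, containing letters, digits and a special character."""
    if len(pw) < MIN_PASSWORD_LENGTH:
        return False
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    return has_alpha and has_digit and has_special


def hash_password(pw: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 hash: the password file holds no clear-text passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    roles: frozenset
    failed_attempts: int = 0
    locked: bool = False


class AuthSystem:
    def __init__(self) -> None:
        self.accounts = {}
        self.audit_log = []   # (event, user_id, detail): the monitoring record

    def add_user(self, user_id: str, password: str, roles) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest, frozenset(roles))

    def login(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            self._audit("login_denied", user_id, "unknown or locked account")
            return False
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):   # constant-time comparison
            acct.failed_attempts = 0
            self._audit("login_ok", user_id)
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                            # block after 3 failures
            self._audit("account_locked", user_id)
        else:
            self._audit("login_failed", user_id)
        return False

    def access_record(self, user_id: str, record_class: str) -> bool:
        """Need-to-know check: the user's roles must intersect the record's allowed roles."""
        acct = self.accounts.get(user_id)
        allowed = (acct is not None and not acct.locked
                   and bool(acct.roles & NEED_TO_KNOW.get(record_class, set())))
        self._audit("access_granted" if allowed else "access_denied", user_id, record_class)
        return allowed

    def suspicious_events(self) -> list:
        """What a reviewer of the audit log would look at first."""
        return [e for e in self.audit_log if e[0] in ("account_locked", "access_denied")]

    def _audit(self, event: str, user_id: str, detail: str = "") -> None:
        self.audit_log.append((event, user_id, detail))


if __name__ == "__main__":
    system = AuthSystem()
    system.add_user("alice", "Tr0ub4dor&3", ["hr"])
    for attempt in ("wrong-pass1!", "wrong-pass1!", "wrong-pass1!"):
        system.login("alice", attempt)
    print(system.suspicious_events())   # the lockout shows up in the audit log
```

The audit log is the part that satisfies the monitoring slide: a lockout or a denied access to a record class is recorded as an event rather than silently returning False, so the "who is accessing what, and when" question from the access-control slide can be answered after the fact.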
  38. Laptop and Mobile Device Encryption
     • Encryption of PI stored on laptops
       • Applies regardless of laptop location
     • Encryption of PI stored on "mobile" devices
       • Does incoming email become a problem?
     This applies only if you have personal information in motion. Email is clear text, so anyone on the Internet can read anyone's email.
  39. Security Patches and Firewalls
     • "Reasonably up-to-date firewall protection and operating system patches" for Internet-connected computers
     • Date on operating systems
     All organizations should have a firewall in place (not a router; a firewall). You can hire an organization to update and manage the security infrastructure: firewall, anti-virus, patches…
  40. Systems Security Agent Software
     • Anti-malware technology required
       • Are certain products better?
       • What about Macs or Linux?
     • Set to receive auto-updates
     Malware is what is infecting most environments, over HTTP and HTTPS traffic. Your users are your worst enemy. Products to look at for malware: Trend Micro, Websense, Webwasher.
  41. Employee Education and IT Security Training
     • Proper training on all IT security policies
     • User awareness
       • Importance of PI security
       • Proper use of the computer
       • Everyone is involved
     Your employees are the weakest link in any IT security program. They need to know the rules. Suggestions: stand-up training, newsletters, programs, online training.
  42. The Approach
     • Inventory the types of personal information being kept
       • Assess risk
     • Plan the information security strategy
       • Data
         • Security, confidentiality, integrity
         • IT infrastructure and information change processes
     • Implement the plan and policies
       • Technology deployment
       • Policy implementation
       • User awareness
       • Continual review
     Security is all about vigilance… Compliance is knowing what you need to protect, building a fortress around it, and testing it on a frequent basis!
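The first step of the approach above, inventorying the personal information being kept, depends on applying the statutory definition from the Scope of Rules slide (a name element combined with an SSN, driver's license or state ID, or financial account or card number, about a Massachusetts resident). The following is an added example, not code from the presentation: it classifies records by that definition and counts in-scope records per data store, so a data-flow map can show which stores fall under the rules. It goes a little beyond the slide by using a Luhn check to decide whether a card-number field really holds a card number. The field names, store names and every sample value are constructed assumptions; none belong to a real person.

```python
"""Added example, not from the presentation: applies the statutory definition
of "personal information" quoted on the Scope of Rules slide (name element plus
SSN, driver's license/state ID, or financial account/card number, about a
Massachusetts resident) to an inventory of record stores, the first step of
"The Approach" above. Field names, store names and all sample values below
are constructed for illustration."""
import re

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


def has_name_element(record: dict) -> bool:
    """First and last name, or first initial and last name."""
    return bool(record.get("last_name")) and bool(
        record.get("first_name") or record.get("first_initial"))


def luhn_valid(number: str) -> bool:
    """Luhn check used to decide whether a field really holds a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def data_elements(record: dict) -> list:
    """Which of the definition's data elements the record contains."""
    found = []
    if SSN_RE.fullmatch(record.get("ssn", "")):
        found.append("ssn")
    if record.get("drivers_license") or record.get("state_id"):
        found.append("government_id")
    if record.get("account_number") or luhn_valid(record.get("card_number", "")):
        found.append("financial_account")
    return found


def is_personal_information(record: dict) -> bool:
    """In scope only for a Massachusetts resident whose name is paired with a data element."""
    return (record.get("state") == "MA"
            and has_name_element(record)
            and bool(data_elements(record)))


def inventory(stores: dict) -> dict:
    """Map each data store to its count of in-scope records; a non-zero count means
    the store holds regulated personal information and needs the cWISP safeguards."""
    return {name: sum(1 for r in records if is_personal_information(r))
            for name, records in stores.items()}


# Constructed sample stores; none of the values belong to a real person.
SAMPLE_STORES = {
    "payroll": [
        {"first_name": "Ann", "last_name": "Doe", "state": "MA", "ssn": "123-45-6789"},
        {"first_name": "Bo", "last_name": "Lee", "state": "NH", "ssn": "987-65-4321"},  # not a MA resident
    ],
    "client_files": [
        {"first_initial": "C", "last_name": "Roe", "state": "MA", "card_number": "4111 1111 1111 1111"},
        {"last_name": "Poe", "state": "MA", "card_number": "4111 1111 1111 1111"},  # no first name or initial
        {"first_name": "Dee", "last_name": "Moe", "state": "MA", "email": "dee@example.com"},  # name only
    ],
    "marketing": [
        {"first_name": "Eve", "last_name": "Foe", "state": "MA", "card_number": "1234 5678 9012 3456"},  # fails Luhn
    ],
}

if __name__ == "__main__":
    print(inventory(SAMPLE_STORES))   # {'payroll': 1, 'client_files': 1, 'marketing': 0}
```

A store with a zero count still deserves a look during the risk assessment (the "marketing" store above holds a name paired with a field labelled as a card number, even though the value is not a valid one), but the count is what tells you where the encryption, access-control and vendor-contract requirements definitely apply.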
  43. Data Destruction (G.L. c. 93I)
  44. Data Destruction (93I)
     • Paper documents / electronic media:
       • Redact, burn, pulverize, shred
       • So that personal information cannot be read or reconstructed
  45. Data Destruction (93I)
     • Violations:
       • Attorney General: unfair and deceptive practices remedies (93H)
       • Civil fine: $100 per data subject, not to exceed $50,000 per instance (93I)
  46. What To Do Now
  47. Compliance Deadlines (March 1, 2010)
     • Implement internal policies and practices
     • Encrypt company laptops
     • Amend contracts with service providers to incorporate the data security requirements
     • Take all reasonable steps to ensure vendors apply protections as stringent as these (written certification not necessary)
     • Encrypt other (non-laptop) portable devices
  48. Tasks
  49. Tasks
     • Form a team ("A" Team)
       • Include necessary Management, IT, HR, Legal and Compliance personnel
     • Review existing policies
       • Do your current data security policies and procedures create barriers to compliance?
     • Map data flows that include personal information
       • Consider limiting collection of personal information and restricting access to those with a need to know
  50. Tasks
     • Identify internal and external risks and the effectiveness of current safeguards
     • Draft a comprehensive written information security program
     • Negotiate amendments to vendor agreements and audit for vendor compliance
     • Encrypt laptops, portable devices and data in transit
  51. Tasks
     • Restrict access to personal information
     • Train employees
     • Institute monitoring and self-auditing procedures
     • Update systems, including firewall protection and malware and virus protection
  52. Action Plan
     • Sample WISP Please
  53. Action Plan
     • Compliance engagement plan:
       • In-house IT/HR/Legal
       • Outsourced IT/HR/Legal
       • Combination
  54. Action Plan
     • Meeting and implementation plan
       • Data gathering:
         • Initial meeting with top management
         • Engage IT firm or department to audit security
         • Overview/assignment meeting with implementation staff and consultants
         • Post-assignment completion interviews with implementation staff and consultants
  55. Action Plan
     • Meeting and implementation plan
       • Data analysis:
         • Information organization and assignment meeting with implementation staff and consultants
         • ISP data-flow meeting with IS
         • WISP and security review with IS
  56. Action Plan
     • Meeting and implementation plan
       • Plan implementation:
         • WISP and security presentation to top management
         • WISP and security presentation to RF
         • RF training in specific components
         • Employee handbook amendment
         • Vendor contract review and amendment
  57. Action Plan
     • Meeting and implementation plan
       • Plan monitoring and review:
         • New employee training
         • Periodic RF training
         • Plan audit and review
         • Plan amendment and refinement
  58. Resources
     • Statute (M.G.L. c. 93H)
     • Rules (201 CMR 17.00)
     • OCABR guidance:
       • Compliance Checklist
       • Small Business Guide
       • Frequently Asked Questions Regarding 201 CMR 17.00
  59. Good News
     • Way ahead of the curve
     • Enforcement initially in PS
     • LRA of 2009
  60. Thank You