The Massachusetts Data Privacy Rules
Stephen E. Meltzer, Esquire, CIPP

The [New] Massachusetts Data Security Rules

Agenda
Introduction
Scope of Rules
Comprehensive Written Information Security Program (cWISP)
[Computer System Security Requirements]
Breach Reporting Requirements
What To Do Now
Questions and Answers

The Massachusetts Data Security Rules
New Mandate: PI = PI
Personal Information = Privacy Infrastructure
The new massachusetts privacy rules v5.35.1
What Prompted the Rules?
High-profile data breach cases
Breach notification alone insufficient
Reflection of states’ interest in protecting personal information
Data in transit or on portable devices most at risk

Who Cares?
Consequences for non-compliance:
AT LEAST: Increased risk of government enforcement or private litigation
93H § 6 incorporates 93A, § 4
93A, § 4:
$5,000 per occurrence
Attorneys’ fees
Cost of investigation/enforcement
AT WORST: Enforcement PLUS bad PR, then compliance and oversight
Enforcement
Litigation and enforcement by the Massachusetts Attorney General
Massachusetts law requires notice to the Attorney General of any breach, in addition to affected consumers
Attorney General likely to investigate based on breach reports
No explicit private right of action or penalties
Looking Ahead
Massachusetts is one of the first, but is likely not the last
Federal legislation:
HITECH (ARRA)
Red Flags
H.2221 (prospect of preemption)

Scope of Rules
Scope of Rules
Covers ALL PERSONS that own or license personal information about a Massachusetts resident
Need not have operations in Massachusetts
Financial institutions, health care and other regulated entities not exempt

Scope of Rules
“Personal information”: a resident’s first and last name, or first initial and last name, in combination with
SSN
Driver’s license or State ID, or
Financial account number or credit/debit card number that would permit access to a financial account
Three Requirements
1. Develop, implement and maintain a comprehensive, written information security program that meets very specific requirements (cWISP)
2. Heightened information security meeting specific computer information security requirements
3. Vendor compliance (phase-in)
Evaluating Compliance (not Evaluating Applicability)
Appropriate to:
Size of business
Scope of business
Type of business
Resources available
Amount of data stored
Need for security and confidentiality
Consumer and employee information

Evaluating Compliance (not Evaluating Applicability)
“The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”
Comprehensive Written Information Security Program
201 CMR 17.03

Information Security Program
“[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”

Comprehensive Information Security Program
201 CMR 17.03 (2)(a) through (j)
a. Designate
b. Identify
c. Develop
d. Impose
e. Prevent
f. Oversee
g. Restrict
h. Monitor
i. Review
j. Document

Comprehensive Information Security Program
(a) Designate an employee to maintain the WISP.
(b) Identify and assess reasonably foreseeable risks (internal and external).
(c) Develop security policies for keeping, accessing and transporting records.
(d) Impose disciplinary measures for violations of the program.
(e) Prevent access by terminated employees.
(f) Oversee service providers and contractually ensure compliance.
(g) Restrict physical access to records.
(h) Monitor security practices to ensure effectiveness and make changes if warranted.
(i) Review the program at least annually.
(j) Document responsive actions to breaches.
Comprehensive Information Security Program
Third Party Compliance
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information

Comprehensive Information Security Program
Third Party Compliance
Contracts entered into “no later than” March 1, 2010: two-year phase-in.
Contracts entered into “later than” March 1, 2010: immediate compliance.

Comprehensive Information Security Program
“INDUSTRY STANDARDS”
Breach Reporting
G.L. c. 93H § 3

Breach Reporting
Breach of security: “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”

Breach Reporting
Possessor must give notice of:
Breach of security
Unauthorized use or acquisition
To: owner/licensor of information
Owner/licensor must give notice of:
Breach of security
Unauthorized use or acquisition
To: Attorney General
Office of Consumer Affairs
Resident

Breach Reporting
“The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: the nature of the breach of security or the unauthorized acquisition or use; the number of Massachusetts residents affected by such incident at the time of notification; and any steps the person or agency has taken or plans to take relating to the incident.”

Sample Breach Notification Letter
http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf

Breach Reporting
Stop
Be afraid
Call for help
Computer System Security Requirements
201 CMR 17.04

Electronic Requirements
201 CMR 17.04
Laptop and mobile device encryption
Security patches and firewalls
System security agents
IT security user awareness
User authentication protocols
Secure access controls
Encryption of transmitted records
Monitoring of systems
User Authentication Protocols
Control of user IDs
Secure password selection
Secure or encrypted password files
User accounts blocked for unusual logon attempts
Examples:
Passwords should be at least 9 characters, alphanumeric with special characters
After 3 failed login attempts, users are blocked from access
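The two concrete rules this slide gives as examples (a 9-character alphanumeric-plus-special password, and blocking an account after 3 failed attempts) can be checked mechanically. The following is an added illustration, not code from the presentation; the thresholds are the slide's, while the function names, the salted-hash storage and the in-memory account store are assumptions:

```python
"""Password policy and lockout checks for the two example rules on this slide (at
least 9 characters, alphanumeric with special characters; block after 3 attempts).
Added illustration, not from the slides; function names and the store are assumed."""
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

MIN_LENGTH = 9           # slide: "at least 9 characters"
MAX_FAILED_ATTEMPTS = 3  # slide: "After 3 attempts to login users are blocked"


def password_meets_policy(password: str) -> bool:
    """True when the password has the required length and contains a letter,
    a digit and a special (punctuation) character."""
    if len(password) < MIN_LENGTH:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_alpha and has_digit and has_special


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the password file never holds clear text
    (the slide's "secure or encrypted password files")."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AccountStore:
    """Assumed in-memory user store with a per-account failed-attempt counter."""

    def __init__(self) -> None:
        self._accounts = {}  # user_id -> {"salt", "hash", "failures", "blocked"}

    def add_user(self, user_id: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self._accounts[user_id] = {"salt": salt, "hash": digest, "failures": 0, "blocked": False}

    def is_blocked(self, user_id: str) -> bool:
        return self._accounts[user_id]["blocked"]

    def login(self, user_id: str, password: str) -> bool:
        """Verify the password; after MAX_FAILED_ATTEMPTS consecutive failures the
        account is blocked and every further attempt is refused until unblock()."""
        acct = self._accounts.get(user_id)
        if acct is None or acct["blocked"]:
            return False
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["blocked"] = True
        return False

    def unblock(self, user_id: str) -> None:
        # Administrative reset once the lockout has been reviewed.
        self._accounts[user_id]["failures"] = 0
        self._accounts[user_id]["blocked"] = False
```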
Secure Access Control Measures
Permit “access” on a need-to-know basis
Password-protect accounts and use the login to determine level of access
Example: Network Access Control software/hardware
Consentry
Sophos
Audit control: who is accessing what and when?
Encryption of Transmitted Records
Encryption of personal information accessed over a public network
Tunneling options (VPN)
Faxes, VoIP, phone calls
Encryption of PI on wireless: Bluetooth, WEP, WiFi
The definition of encryption is very broad
Examples: PGP and Utimaco are encryption technologies
Monitoring of Systems
Requires systems to detect unauthorized use of, or access to, personal information
Some existing user-account-based systems will already comply
Examples:
Again, Network Access Control
Audit controls
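The audit-control question from the access-control slide ("who is accessing what and when?") and the monitoring requirement here come down to reviewing an access log against a need-to-know list. The following is an added illustration, not code from the presentation; the log format, the data stores, the need-to-know list and the bulk-read threshold are all constructed assumptions:

```python
"""Audit-log monitor for access to personal information. Added illustration, not
from the slides: the log format, data stores, need-to-know list and bulk-read
threshold are all constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed need-to-know list: which users may touch which PI-bearing data store.
NEED_TO_KNOW = {
    "payroll_db": {"hr_admin", "payroll_clerk"},
    "customer_cards": {"billing_clerk"},
}
BULK_READ_THRESHOLD = 2  # assumed: more READs than this on one store is flagged

# Constructed sample log: timestamp, user, data store, action, record id.
SAMPLE_LOG = """\
2010-03-01T09:01:12 hr_admin payroll_db READ emp-1001
2010-03-01T09:02:40 billing_clerk customer_cards READ cust-5521
2010-03-01T09:05:03 intern payroll_db READ emp-1002
2010-03-01T09:05:09 intern payroll_db READ emp-1003
2010-03-01T09:05:15 intern payroll_db READ emp-1004
2010-03-01T09:06:00 billing_clerk customer_cards READ cust-5522
2010-03-01T09:07:30 payroll_clerk customer_cards EXPORT cust-5523
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str  # empty for aggregate (bulk-read) findings
    user: str
    store: str
    reason: str


def parse_log(text: str) -> Iterator[Tuple[str, str, str, str, str]]:
    """Yield (timestamp, user, store, action, record) from the whitespace-separated
    log, skipping malformed lines rather than failing the whole run."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield parts[0], parts[1], parts[2], parts[3], parts[4]


def audit(text: str) -> List[Finding]:
    """Flag each access by a user outside the store's need-to-know list ("who is
    accessing what and when"), then any user whose READ count on one store exceeds
    BULK_READ_THRESHOLD, which can indicate unauthorized use by an authorized user."""
    findings: List[Finding] = []
    reads: Counter = Counter()
    for ts, user, store, action, _record in parse_log(text):
        if user not in NEED_TO_KNOW.get(store, set()):
            findings.append(Finding(ts, user, store,
                                    f"{action} by user not on need-to-know list"))
        if action == "READ":
            reads[(user, store)] += 1
    for (user, store), count in reads.items():
        if count > BULK_READ_THRESHOLD:
            findings.append(Finding("", user, store,
                                    f"{count} reads exceed bulk threshold"))
    return findings
```

On the constructed log this yields three findings for the intern's reads of the payroll store, one for the payroll clerk's export from the card store, and one aggregate bulk-read finding for the intern.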
Laptop and Mobile Device Encryption
Encryption of PI stored on laptops
Applies regardless of laptop location
Encryption of PI stored on “mobile” devices
Does incoming email become a problem?
This applies only if you have personal information in motion.
Email is clear text, so anyone can read anyone’s email on the Internet.
Security Patches and Firewalls
“Reasonably up-to-date firewall protection and operating system patches” for Internet-connected computers
Date on operating systems
All organizations should have a firewall in place (a firewall, not a router)
Can hire an organization to update and manage the security infrastructure:
Firewall
Anti-virus
Patches…
Systems Security Agent Software
Malware is what is infecting most environments, via HTTP and HTTPS traffic.
Your users are your worst enemy
Products to look at for malware:
TrendMicro
Websense
Webwasher
Anti-malware technology required
Are certain products better?
What about Macs or Linux?
Set to receive auto-updates
Employee Education and IT Security Training
Proper training on all IT security policies
User awareness
Importance of PI security
Proper use of the computer
Everyone is involved
Your employees are the weakest link in any IT security program.
They need to know the rules.
Suggestions:
Stand-up training
Newsletters
Programs
Online training
The Approach
Inventory what type of personal information is being kept
Assess risk
Plan information security strategy
Data: security, confidentiality, integrity
IT infrastructure and information change processes
Implement plan and policies
Technology deployment
Policy implementation
User awareness
Continual review
Security is all about vigilance…
Compliance is knowing what you need to protect, building a fortress around it and testing it on a frequent basis!
Data Destruction
G.L. c. 93I

Data Destruction (93I)
Paper documents / electronic media: redact, burn, pulverize, shred
So that personal information cannot be read or reconstructed

Data Destruction (93I) Violations:
Attorney General: Unfair and Deceptive Practices remedies (93H)
Civil fine: $100 per data subject, not to exceed $50,000 per instance (93I)
What To Do Now

Compliance Deadlines
March 1, 2010
Take all reasonable steps to ensure vendors apply protections as stringent as these (written certification not necessary)
Encrypt other (non-laptop) portable devices
Implement internal policies and practices
Encrypt company laptops
Amend contracts with service providers to incorporate the data security requirements

Tasks

Tasks
Form a team – include necessary Management, IT, HR, Legal and Compliance personnel
Review existing policies – do your current data security policies and procedures create barriers to compliance?
Map data flows that include personal information – consider limiting collection of personal information and restrict access to those with a need to know

Tasks
Identify internal and external risks and effectiveness of current safeguards
Draft comprehensive written information security program
Negotiate amendments to vendor agreements and audit for vendor compliance
Encrypt laptops, portable devices and data in transit

Tasks
Restrict access to personal information
Train employees
Institute monitoring and self-auditing procedures
Update systems including firewall protection and malware and virus protection
Sample WISP Please
Information Security Program Manual
Introduction
Scope
Documentation
PLAN-DO-CHECK-ACT Risk Management Framework
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
Change history

Sample WISP Please
Information Security Program
Table of Contents
Information Security Program Overview 6
Information Security Policy 11
Definitions 13
Security Risks Considered 15
Security Risks 17
Internet Policy 33
Email Policy 34
Privacy Policy 38
Record Retention & Destruction Policy 40
Acceptable Use Policy 43
Data Loss Response 47
Forms
Appendices
Action Plan
Compliance Engagement Plan
In-house IT/HR/Legal
Combination

Resources
Statute (M.G.L. c. 93H)
Rules (201 CMR 17.00)
OCABR Guidance
Compliance Checklist
Small Business Guide
Frequently Asked Questions Regarding 201 CMR 17.00
http://privacyregulation.com