© copyright 2010 hemenway & barnes llp h&b 641682 1

Post on 05-Jan-2016

Massachusetts Data Security Regulations

Teresa A. Belmonte, Esquire
Hemenway & Barnes LLP
60 State Street
Boston, MA 02109
(617) 227-7940

March 23, 2010

What Are They?

Regulations enacted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) pursuant to M.G.L. ch. 93H

Effective March 1, 2010

Overview of Requirements

Every “person” who “owns or licenses” “personal information” of a Massachusetts resident must have a comprehensive written information security program (WISP) to protect personal information

Overview of Requirements

● Risk-based approach to what is required--not a one-size-fits-all requirement

● It depends on the size of your organization, financial resources available, and how much personal information your organization has

Personal Information

● A Massachusetts resident’s first name or first initial and last name together with one of the following:

• social security number, or

• driver’s license number or state-issued identification number, or

• financial account number, or credit or debit card number

“Person”

● Defined as a natural person or any private legal entity

“Owns or Licenses”

● Stores, receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment

If your organization has employees who are Massachusetts residents, you have personal information, and you must comply with these regulations

How to Comply with 201 CMR 17

● Determine

• what personal information you have and where it is located

• what form it is in--paper or electronic
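The definition of personal information given earlier (a first name or first initial plus last name, combined with a social security, driver's license or state ID, financial account, or credit/debit card number) and the first compliance step above (find out what personal information you hold and where it is) can be turned into a small inventory check. The following Python is an added example, not part of the presentation or of the regulation; the record field names and the sample records are constructed assumptions, and the element patterns are deliberately loose because the goal is to find candidates for the inventory rather than to validate identifiers.

```python
"""Flag records that meet the 201 CMR 17 definition of "personal information":
a first name (or first initial) and last name combined with at least one of
SSN, driver's license or state ID number, financial account number, or
credit/debit card number. Added example; field names are assumptions."""
import re

# Data-element fields and the loose pattern each must match to count.
# Loose on purpose: for an inventory, a false positive costs a review,
# a miss costs an unencrypted laptop full of regulated data.
DATA_ELEMENTS = {
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "drivers_license": re.compile(r"^[A-Z0-9]{5,15}$", re.IGNORECASE),
    "state_id": re.compile(r"^[A-Z0-9]{5,15}$", re.IGNORECASE),
    "financial_account": re.compile(r"^\d{6,17}$"),
    "card_number": re.compile(r"^(?:\d[ -]?){13,19}$"),
}


def has_name(record):
    """A first initial or first name plus a last name is enough under the definition."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def matched_elements(record):
    """Return the data-element fields present in the record that look like identifiers."""
    found = []
    for field, pattern in DATA_ELEMENTS.items():
        value = str(record.get(field) or "").strip()
        if value and pattern.match(value):
            found.append(field)
    return found


def is_personal_information(record):
    """Name plus at least one data element means regulated personal information."""
    return has_name(record) and bool(matched_elements(record))


def inventory(records):
    """Index and matched elements of every record that is personal information;
    these are the records the WISP's access, storage and encryption rules cover."""
    return [(i, matched_elements(r)) for i, r in enumerate(records)
            if is_personal_information(r)]


# Constructed sample records (fictional values, not real people).
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "J", "last_name": "Doe", "drivers_license": "S12345678"},
    {"first_name": "Jane", "last_name": "Doe"},                    # name alone is not PI
    {"first_name": "", "last_name": "Doe", "ssn": "123-45-6789"},  # no first name or initial
    {"first_name": "John", "last_name": "Roe", "card_number": "4111 1111 1111 1111"},
]

if __name__ == "__main__":
    for index, elements in inventory(SAMPLE_RECORDS):
        print(f"record {index}: personal information via {', '.join(elements)}")
```

Run over a real export, the output is the starting point for the "where is it located" column of the inventory; the same check is what decides whether a laptop or a file share falls under the encryption and locked-storage rules later in the deck.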

How to Comply with 201 CMR 17

● Determine

• what are the risks to the security of personal information

• what you can do to protect it

● Create and implement a WISP

What should your WISP contain?

● Designating one of your employees as a data security coordinator to maintain the WISP

● Requiring employee training

● Imposing disciplinary measures on employees for violations of your WISP

What should your WISP contain?

● Limiting access to personal information to those employees who need access to it

WISP Requirements

● Preventing terminated employees from accessing personal information

● Storing records containing personal information in locked facilities, storage areas, or containers

WISP Requirements

● Regular monitoring of the WISP to ensure compliance

● Imposing reasonable restrictions on access to records containing personal information

● Annually reviewing your WISP

● Reporting any suspicious or unauthorized use of personal information to the data security coordinator

WISP Requirements

● Documenting responsive actions taken in connection with a breach of security, including mandatory post-incident review of events and actions taken

What this means for paper documents containing personal information

● Don’t leave documents with personal information on your desk if you’re not there

● Place personal information in locked cabinets at the end of the day

What this means for paper documents containing personal information

● If discarding paper documents containing personal information, you must shred them; M.G.L. ch. 93I requires it

● Limit access to personal information

Computer System Requirements

● If you electronically store or transmit personal information, to the extent “technically feasible”, defined as “if there is a reasonable means through technology to accomplish a desired result,” you must ensure that your computer system

Computer System Requirements

• has reasonably up-to-date firewall protection, malware protection, security patches and virus protection

• requires unique user IDs plus passwords, which are not vendor supplied default passwords

Computer System Requirements

• blocks access after multiple unsuccessful attempts to log in
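The three authentication requirements on the computer-system slides (unique user IDs, passwords that are not vendor-supplied defaults, and blocking access after repeated failed logins) are shown together in the Python below. This is an added example and not the presentation's or the regulator's material; the lockout threshold of five attempts, the fifteen-minute lockout window, and the short default-password list are assumptions, since the regulation itself sets no numbers.

```python
"""Authentication controls from the computer-system slides: unique user IDs,
rejection of vendor-supplied default passwords, and a lockout after repeated
failed logins. Added example, not the presentation's own material; the
threshold, lockout period and default-password list are assumptions."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5        # assumed threshold; the regulation sets none
LOCKOUT_SECONDS = 15 * 60      # assumed lockout window
PBKDF2_ITERATIONS = 100_000

# Constructed short list for the example; a real deployment would load a
# maintained list of vendor defaults rather than hard-code a handful.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}


def hash_password(password, salt):
    """Salted PBKDF2 so a copied user table does not yield the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    """In-memory user table; `clock` is injectable so lockout expiry is testable."""

    def __init__(self, clock=time.time):
        self.users = {}
        self.clock = clock

    def create_user(self, user_id, password):
        if user_id in self.users:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise ValueError("vendor-supplied default passwords are not allowed")
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt,
            "digest": hash_password(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def authenticate(self, user_id, password):
        """Return 'ok', 'bad_password', 'locked' or 'unknown_user'."""
        user = self.users.get(user_id)
        if user is None:
            return "unknown_user"
        if self.clock() < user["locked_until"]:
            return "locked"              # refuse even a correct password while locked
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["digest"]):
            user["failures"] = 0         # a success clears the failure counter
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = self.clock() + LOCKOUT_SECONDS
            user["failures"] = 0
            return "locked"
        return "bad_password"


def creation_rejected(store, user_id, password):
    """True if the store refuses the account (duplicate ID or default password)."""
    try:
        store.create_user(user_id, password)
    except ValueError:
        return True
    return False


def lockout_walkthrough():
    """Drive the store with a fake clock and return the sequence of outcomes."""
    now = [1_000_000.0]
    store = UserStore(clock=lambda: now[0])
    store.create_user("alice", "Corr3ct-Horse-Battery")
    results = [store.authenticate("alice", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(store.authenticate("alice", "Corr3ct-Horse-Battery"))  # still locked
    now[0] += LOCKOUT_SECONDS + 1
    results.append(store.authenticate("alice", "Corr3ct-Horse-Battery"))  # lock expired
    return results


if __name__ == "__main__":
    print(lockout_walkthrough())
```

The walkthrough returns four `bad_password` results, then `locked` on the fifth failure, `locked` again for a correct password inside the window, and `ok` once the window has passed. The `clock` parameter exists only so that expiry can be exercised without waiting; in production the default `time.time` is used.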

Encryption

Encryption means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”

Encryption

● To the extent “technically feasible”, you must encrypt

• all transmitted records and files containing personal information that travel across a public network or are transmitted wirelessly

• all personal information stored on laptops or other portable devices--such as a BlackBerry

Third Party Service Providers

● If you give personal information to any of your service providers, you must

• take reasonable steps to select third party service providers capable of maintaining personal information in accordance with 201 CMR 17

Third Party Service Providers

• contractually require third party service providers to maintain personal information in accordance with 201 CMR 17

– for all new contracts

– for contracts entered into before March 1, 2010, you have until March 1, 2012 to amend those contracts to require that third party service providers comply with 201 CMR 17

Penalties for failing to comply with 201 CMR 17

● Massachusetts Attorney General may bring an action under M.G.L. ch. 93A §4

• civil penalties of up to $5,000 per violation

• reasonable cost of investigation and litigation

Penalties for failing to comply with 201 CMR 17

● Under M.G.L. ch. 93I, which regulates destruction of records containing personal information, you could be fined $100 per data subject affected, up to $50,000

● Possible common law claims and private right of action under Chapter 93A

Breach Notification Requirements

Under M.G.L. ch. 93H, if someone in your organization knows or has reason to know of the unauthorized use or acquisition of personal information or data that is capable of compromising the security of personal information, you are required to notify, “as soon as practicable, and without unreasonable delay”

Breach Notification Requirements

• the person affected

• the AG

• the OCABR

Massachusetts OCABR Website - www.mass.gov/consumer

Contains helpful information to prepare a WISP

• a small business guide to formulating a WISP

• FAQs about 201 CMR 17

• 201 CMR 17 Compliance Checklist

• the regulations themselves
