Page 1

February 16, 2010

Massachusetts’ New Data Security Regulations And Their Impact On Businesses

Amy Crafts

February 16, 2009

Page 2

Identity Theft Is A Serious Problem

• Identity theft occurs when someone uses your personally identifying information – your name, Social Security number or credit card number – without your permission to commit fraud or other crimes.

• The FTC estimates that over 9 million Americans have their identities stolen each year.

• Massachusetts has become one of the most aggressive states in the country in terms of protecting personal data following a number of recent scandals.

Page 3

Boston Globe – 2006

• Credit and bank card numbers of as many as 240,000 subscribers of the Boston Globe and Worcester Telegram & Gazette were distributed with bundles of T&G newspapers.

  – Confidential information on the back of paper slated for recycling was used to wrap newspaper bundles.

  – Underscores the need for companies to focus on more than just online security to protect sensitive information.

Page 4

TJX – 2007

• Hackers breached TJX’s wireless network and gained access to servers at the Framingham headquarters.

• TJX lacked appropriate firewalls to protect its servers.

• Allowed hackers to quickly export data.

• Affected more than 94 million accounts.

Page 5

Hannaford Brothers – 2008

• Exposed 4.2 million debit and credit card numbers over the period from December 7, 2007 to March 10, 2008.

• Occurred even though Hannaford had met the payment card industry standard and was not using wireless technology to transmit unencrypted data.

  – Both of these factors contributed to the TJX breach.

Page 6

In Response To These Scandals, The State Legislature Passed And Governor Patrick Signed A New Data Breach Law

The law, “An Act Relative to Security Freezes and Notification of Data Breaches,” creates two new chapters in the Massachusetts General Laws:

Chapter 93I (Disposition and Destruction of Records)

Chapter 93H (Security Breaches)

Page 7

Each Chapter Concerns The “Personal Information” Of Massachusetts Residents

Personal information is defined as a Massachusetts resident’s first and last name, or first initial and last name in combination with any of the following information:

the resident’s social security number;

the resident’s driver’s license number or state issued identification card number; or

the resident’s financial account number, or credit or debit card number.

Page 8

The Broad Definition Of Personal Information Will Have A Far-Reaching Effect

Any company that employs Massachusetts residents will have to comply.

And it could change the way that many companies conduct their day-to-day business.

Page 9

The Law Applies To Your Business

It applies to all persons that own or license personal information of Massachusetts residents.

“Persons” includes:

  – A natural person
  – Corporation
  – Association
  – Partnership
  – Other legal entity

There is a carve out for certain government entities, including an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches or political subdivisions.

Page 10

Compliance With Chapter 93I (Disposition and Destruction of Records) Is Straightforward

• Sets forth minimum standards for destruction of paper and electronic records containing personal information to ensure that they cannot be read or reconstructed.

• Paper documents must be either:

  – Redacted
  – Burned
  – Pulverized
  – Shredded

• Electronic documents and other non-paper media must be either:

  – Destroyed
  – Erased

Page 11

Entity Disposing Of Documents May Contract With A Third Party

• The third party is required to implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.

• Violations are subject to a civil fine of not more than $100 per data subject affected, and each fine shall not exceed $50,000 for each instance of improper disposal.

  – The Attorney General may file a civil action in superior or district court to recover penalties.

Page 12

Compliance With Chapter 93H (Security Breaches) Is More Complicated

• Imposes notice obligations on employers that know or have reason to know of a “breach of security” concerning the personal information of any of its current or former employees, or job applicants, who reside in Massachusetts.

• “Breach of security” is defined as the unauthorized acquisition or use of unencrypted personal information (or encrypted personal information plus theft of the decryption process or key), whether in paper or electronic form, that creates a substantial risk of identity theft or fraud.
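The two definitions the deck relies on, “personal information” (Page 7) and “breach of security” (above), can be written down as a triage check. The Python below is an added example, not material from the presentation; the record layout, the field-format patterns, the state-of-residence field and the sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Elements that, combined with a name, make a record "personal information"
# under M.G.L. c. 93H. The formats are assumed for illustration: rough shape
# checks only, not validators (constructed, not taken from the statute).
PI_ELEMENTS = {
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "drivers_license": re.compile(r"^[A-Z]?\d{7,9}$"),
    "financial_account": re.compile(r"^\d{8,19}$"),  # bank, credit or debit card
}


@dataclass
class Record:
    first_name: str          # full first name or just an initial
    last_name: str
    state: str               # state of residence; the statute covers MA residents
    fields: dict = field(default_factory=dict)


def is_personal_information(rec: Record) -> bool:
    """Statutory test: a Massachusetts resident's first name (or initial) and
    last name, combined with at least one of the data elements above."""
    if rec.state.upper() != "MA" or not (rec.first_name and rec.last_name):
        return False
    return any(PI_ELEMENTS[k].match(str(v)) for k, v in rec.fields.items()
               if k in PI_ELEMENTS)


def notice_required(records, *, encrypted: bool, key_compromised: bool,
                    substantial_risk: bool) -> tuple:
    """Apply the 93H 'breach of security' definition to an incident.
    Returns (notice_required, number_of_MA_residents_whose_PI_was_involved)."""
    affected = [r for r in records if is_personal_information(r)]
    if not affected:
        return (False, 0)
    # Encrypted data counts only if the key or decryption process was also taken.
    exposed = (not encrypted) or key_compromised
    return (exposed and substantial_risk, len(affected))


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    Record("Jane", "Doe", "MA", {"ssn": "123-45-6789"}),
    Record("J", "Smith", "MA", {"financial_account": "4111111111111111"}),
    Record("Bob", "Lee", "NH", {"ssn": "987-65-4321"}),             # not a MA resident
    Record("Ann", "Cho", "MA", {"email": "ann@example.invalid"}),   # no qualifying element
]

if __name__ == "__main__":
    for enc, key in [(False, False), (True, False), (True, True)]:
        print("encrypted:", enc, "key stolen:", key,
              notice_required(SAMPLE_RECORDS, encrypted=enc,
                              key_compromised=key, substantial_risk=True))
```

The “substantial risk of identity theft or fraud” element is a judgment call the code takes as an input rather than deciding itself.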

Page 13

Employees Must Be Notified Of Breach

• The employer must notify the affected employees, in writing, “as soon as practicable and without unreasonable delay.”

• The notice must include the following information:

  – How employees may obtain a police report;

  – How employees may ask consumer reporting agencies (Equifax, Experian and Transunion) to impose a security freeze; and

  – Any fees required to be paid to the consumer reporting agencies.

Page 14

Attorney General and Director Of OCABR Must Also Be Notified Of Breach

• The employer must also provide written notice to the Attorney General and the Director of Consumer Affairs and Business Regulation. The notice must state:

  – The nature of the breach;

  – The number of affected employees who are residents of Massachusetts; and

  – Any remedial steps the employer has taken or plans to take.

• If your business experiences a breach, make sure to work with your attorney to assist you with the notification process.

Page 15

Regulations Have Been Issued to Implement M.G.L. 93H (Security Breaches)

Data Security Regulations – 201 C.M.R. 17.00

• As required by M.G.L. 93H, the regulations were issued by the Office of Consumer Affairs and Business Regulation to implement the new law.

• The regulations have evolved considerably since they were first issued, and were finalized recently.

Page 16

The Regulations Go Into Effect On March 1, 2010

• Will be enforced by the Attorney General’s Office.

• Sets forth minimum standards to be met by those who own or license personal information of Massachusetts residents in connection with the safeguarding of personal information contained in both paper and electronic forms.

  – You may not have to start from scratch – your Operations and Training Manual includes some data security protections.

  – Gather what you have and work with IT and legal professionals to update as necessary.

Page 17

The Regulations Have Three Objectives

1. To ensure the security and confidentiality of employee information;

2. To protect against anticipated threats or hazards to the security or integrity of such information;

3. To protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any employee.

Page 18

The Regulations Have Been Revised A Number Of Times

In response to pressure from businesses of all sizes, but particularly small businesses, for which compliance would be most onerous – i.e. mom and pop shops.

The most recent iteration of the regulations is a “risk-based” approach that allows companies of different sizes and resources to comply with the regulations in different ways.

  – How this will be interpreted by regulators remains to be seen.

Page 19

The Regulations Contain Two Major Components

1. A comprehensive written security program – every business must have its own policy, tailored to its specific business.

2. Extensive requirements for electronic data – which must be implemented to the extent technically feasible.

Page 20

1. The Law Requires a Comprehensive Information Security Program

Every covered entity must develop, implement and maintain a comprehensive information security program.

Must be written.

Must contain administrative, technical and physical safeguards.

Page 21

The Safeguards Should be “Risk Based”

They should be appropriate to

the size, scope and type of business handling the information;

the amount of resources available to the business;

the amount of stored data; and

the need for security and confidentiality of both consumer and employee information.

This is an effort by Massachusetts to balance consumer protections and business realities.

Page 22

The Information Security Program Must Meet Certain Requirements Set Forth In The Regulations

Provide for a designated employee to maintain the program.

Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the information.

Page 23

The Information Security Program Must Evaluate And Improve The Effectiveness Of The Safeguards In Place

Ongoing employee training, for permanent and contract employees

Employee compliance with policies and procedures

Means for detecting and preventing security system failures

Page 24

The Information Security Program Must Contain Requirements For Employees

Develop security policies for employees relating to the storage, access and transportation of records outside of business premises

Impose disciplinary measures for violations of the program rules

Prevent terminated employees from accessing records

Page 25

The Information Security Program Must Provide For Oversight Of Service Providers And Vendors

Take reasonable steps to select and retain third party service providers who also comply with the regulations

Require third party service providers by contract to implement and maintain appropriate security measures for personal information

  – This applies to any third party that works with you

  – Reach out to them and ask about their plans to comply

Page 26

An Important Carve Out For Existing Vendor Contracts

If a contract is already in place as of the effective date, March 1, 2010, there is a two year grace period for compliance.

But any contract entered into after March 1, 2010 must ensure that the third party service provider is also protecting personal information in compliance with the regulations.

Page 27

The Information Security Program Applies To Paper Records, Too

Storage of paper records must be in locked facilities, storage areas or containers.

The program must be regularly monitored.

The security measures must be reviewed at least annually, or if there is a material change in business practice that may implicate the security or integrity of records.

Page 28

The Information Security Program Requires Certain Steps Following A Breach

The covered entity must document responsive actions taken in connection with any incident involving a breach of security.

In the event of a breach, there is a mandatory post-incident review of events and actions taken, if any, to make any necessary changes in business practices.

Again, if you experience a breach, make sure to consult with your attorney.

Page 29

2. There Are Additional Requirements For Electronically Stored Information

Covered entities that electronically store or transmit personal information must establish and maintain a security system covering their computers and any wireless system.

Compliance is required to the extent technically feasible:

  – “Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Some of the requirements are technical, so make sure to involve your IT staff.

Page 30

User Passwords And Authorizations Are Required

Control of user IDs and other identifiers

A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies

Control of data security passwords so security is not compromised

Restrict access to active users and active user accounts only

Block access to user identification after multiple unsuccessful attempts
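One way to verify the last two requirements on this slide from the records your systems already produce: replay an authentication log against the lockout policy and flag both the users who should have been locked and any login the system still accepted afterwards, which is exactly what the monitoring obligation on Page 41 should reveal. This is an added example, not part of the presentation; the log format and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, constructed log format; adjust LOG_RE for a real authentication log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>success|failure)$")

# Constructed sample lines, not captured from any system: jdoe fails five
# times in under a minute and is then let in; asmith has two failures 35
# minutes apart, which should not trip a 15-minute window.
SAMPLE_LOG = """\
2010-03-01T09:00:01 auth user=jdoe result=failure
2010-03-01T09:00:09 auth user=jdoe result=failure
2010-03-01T09:00:15 auth user=jdoe result=failure
2010-03-01T09:00:20 auth user=jdoe result=failure
2010-03-01T09:00:24 auth user=jdoe result=failure
2010-03-01T09:00:30 auth user=jdoe result=success
2010-03-01T09:05:00 auth user=asmith result=failure
2010-03-01T09:40:00 auth user=asmith result=failure
2010-03-01T09:41:00 auth user=asmith result=success
"""


def find_lockouts(log_text, threshold=5, window=timedelta(minutes=15)):
    """Replay an auth log against a lockout policy of `threshold` failures
    within `window`. Returns the users that should have been locked and any
    successful logins accepted after that point (the block was not enforced)."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}                     # user -> time the lock should have engaged
    violations = []                 # (user, time) logins accepted while locked
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # unrelated or malformed line
        ts = datetime.fromisoformat(m["ts"])
        user, result = m["user"], m["result"]
        if user in locked:
            if result == "success":
                violations.append((user, ts))
            continue
        if result == "failure":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()    # drop failures older than the window
            if len(recent) >= threshold:
                locked[user] = ts
        else:
            failures[user].clear()  # a good login resets the counter
    return {"locked": locked, "violations": violations}


if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG))
```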

Page 31

Secure Access Control Measures Are Required

Restrict access to records and files containing personal information to those who need such information to perform their job duties.

Assign unique identifications plus passwords, which are not vendor supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls.

Page 32

All Records And Files Containing Personal Information Must Be Encrypted, Where Technically Feasible

Any records that will travel across public networks

Any records that will be transmitted wirelessly

Or that will be stored on laptops or other portable devices

Page 33

Reasonable Monitoring For Unauthorized Use Or Access Is Required

Up-to-date firewall protection and operating system security patches

Up-to-date system security agent software, which must include malware protection, patches and virus protection

Education and training of employees on the proper use of the computer security system and the importance of personal information security

Any questions should be directed to your regional IT staff

Page 34

What Are The Penalties For Non-Compliance?

• Massachusetts provides for civil penalties in cases of non-compliance with its data breach notification statute.

• A civil penalty of $5,000 may be awarded for each violation.

• In addition, the Attorney General may bring a civil action under its consumer protection statute, Chapter 93A, which permits imposition of significant fines, injunctive relief and attorneys’ fees.

Page 35

What Does All of this Mean?

Let’s discuss some hypothetical or frequently asked questions.

Page 36

What About My In-Store Processing System?

• Answer is available from the IT department on a store-by-store basis.

• If your ISP is not on a recent release, work with your Restaurant Store Systems Manager, who can help you determine the proper release and the path to get there.

Page 37

How Do I Store And Destroy Old Tapes/CDs?

• Unless they are leaving your business premises, old tapes and CDs should be stored in a locked file or room.

• Destruction must completely erase the content of the tapes and CDs.

  – Be careful – after data is erased, residue may remain which could lead to inadvertent disclosure.

  – Overwriting the stored data is a popular low-cost option (also called “wiping” or “shredding”). Methods are implemented in software.

  – Work with your IT staff to ensure the tapes and CDs have been completely erased.

Page 38

How Should Businesses Protect Emails Containing Personal Information?

• If technically feasible, emails should be encrypted.

• If not technically feasible, implement best practices by not sending personal information via email.

  – There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards including username and password to conduct transactions involving personal information.

Page 39

Is There A Maximum Period Of Time To Keep Records Containing Personal Information?

• No, but be aware of minimum state and federal law requirements.

  – For example, MA law requires retention of personnel files for three years after termination of employment.

• As good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected, and limit the time such information is retained to that reasonably necessary to accomplish such purpose.

• Access should be limited to those persons who are reasonably required to know such information.

Page 40

How Much Employee Training Is Required?

• The regulations do not articulate what specifically is required.

• We suggest that you:

  – Provide enough training to ensure that employees who will have access to personal information know what their obligations are regarding the protection of that information.

  – Train both temporary and permanent employees.

  – Convey to your employees that data security is taken seriously by your business.

  – Require trained employees to sign an acknowledgement of training.

Page 41

What Is The Extent Of The Monitoring Obligation?

• Depends on the nature of your business, your business practices, and the amount of personal information you own or license.

• Also depends on the form in which the information is kept and stored.

• In the end, the monitoring you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Page 42

What If I Use Laptops?

• Assess whether your laptop(s) contain personal information.

• If they do, consider encryption.

  – The regulations make clear that encryption must bring about a “transformation of data into a form in which meaning cannot be assigned.”

  – Data must be altered into an unreadable form.

  – Password protection is not enough.

Page 43

What Should You Do Now?

• Develop a plan to work towards compliance.

• Evaluate protection mechanisms you have in place, and determine how they must be revised.

• Talk to your colleagues – lawyers, IT, etc. – to determine what makes sense for your business.