massachusetts new data security laws presentation

Massachusetts New Data Security Law. Presented by Bill Minahan, aNetworks, Inc., Hingham, MA, and Mark Rogers, Esq., The Rogers Law Firm, Braintree, MA

Upload: billanetworks

Post on 02-Nov-2014


DESCRIPTION

Secure Your Data. It's now the Law. Massachusetts has issued new regulations that will soon go into effect mandating that “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” comply with strict requirements for safeguarding and disposing of personal information. Don't miss this opportunity to understand how 201 CMR 17.00 et seq. will affect your business. If your company accepts credit cards or stores any customer information, you need to attend this important seminar to understand what will now be required of your company under Massachusetts law. Our experts will detail the regulations and how they impact Massachusetts-based companies. We will discuss the compliance structure as well as outline the steps you will need to take to be in compliance with these new regulations. WARNING: Failure to comply with the new law exposes a company to substantial monetary penalties. Attorney advertising. Prior results do not guarantee a similar outcome. http://events.anetworks.net

TRANSCRIPT

Page 1: Massachusetts New Data Security Laws Presentation

Massachusetts New Data Security Law

Presented by

Bill Minahan, aNetworks, Inc., Hingham, MA

Mark Rogers, Esq., The Rogers Law Firm, Braintree, MA

The Rogers Law Firm

Page 2

Massachusetts New Data Security Law

Goals of Today’s Presentation

– Overview of Massachusetts new data security law and associated regulations

– Overview of the Federal Red Flags Rule

– Guidance on complying with these new laws

Page 3

Massachusetts New Data Security Law

Two Questions

1. Why Massachusetts?

2. Why now?

Page 4

Massachusetts New Data Security Law

Answer

TJX

Page 5

Massachusetts New Data Security Law

TJX Data Breach

– “Unauthorized intrusion” affects over 100 million accounts

– TJX set aside $256 million for costs associated with the breach

Page 6

Massachusetts New Data Security Law

Massachusetts responds

– “An Act Relative to Security Freezes and Notification of Data Breaches” (Effective: February 3, 2008)

– “Standards for the Protection of Personal Information of Residents of the Commonwealth” (Effective: January 1, 2010)

Page 7

An Act Relative to Security Freezes and Notification of Data Breaches

3 areas addressed by the law

1. Security Freezes

2. Notice of a Security Breach (M.G.L. c. 93H)

3. Data Destruction (M.G.L. c. 93I)

Page 8

An Act Relative to Security Freezes and Notification of Data Breaches

“Personal Information”

Resident’s first name + last name, or first initial + last name, with 1 or more of the following:

• Social Security #

• Driver’s license # or state-issued ID card #

• Financial account # or credit or debit card #

Page 9

An Act Relative to Security Freezes and Notification of Data Breaches

Notice

A person or business that maintains or stores personal information about a resident of the Commonwealth

→ must provide notice to the owner or licensor of such information, if they know or have reason to believe that:

1. There is a breach of security; or

2. the personal information was acquired or used by an unauthorized person or used for an unauthorized purpose

Page 10

An Act Relative to Security Freezes and Notification of Data Breaches

Notice

A person or business that owns or licenses personal information about a resident of the Commonwealth

→ must provide notice to the resident, the Attorney General, and the Director of Consumer Affairs and Business Regulation if the person knows or has reason to know that there was:

1. a breach of security; or

2. the personal information was acquired or used by an unauthorized person, or used for an unauthorized purpose

Page 11

An Act Relative to Security Freezes and Notification of Data Breaches

2 Important Definitions

1. “Breach of Security”

The unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or business that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
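The definitions on the preceding slides (what counts as “Personal Information”, when a “Breach of Security” exists, and who must be notified by an owner/licensor versus a maintainer/storer) can be turned into an incident-response triage check. This is an added example, not part of the original presentation; the field names, role labels and sample records are constructed, and the “substantial risk of identity theft” determination is taken as an input rather than computed.

```python
"""Breach-notice triage built from the definitions on the preceding slides.

Added example, not from the original presentation. It encodes only the slide
wording: "Personal Information" is a resident's first name (or first initial)
plus last name combined with at least one listed identifier; a "Breach of
Security" is unauthorized use of unencrypted data, or of encrypted data together
with its confidential process or key, that creates a substantial risk of
identity theft or fraud. That risk is a judgement call, so it is an explicit
input. Field names, role labels and sample records are constructed.
"""
from dataclasses import dataclass, field

# Identifiers listed on the "Personal Information" slide (field names assumed).
IDENTIFIER_FIELDS = ("ssn", "drivers_license", "state_id",
                     "financial_account", "card_number")


def is_personal_information(record: dict) -> bool:
    """Name (first name or initial + last name) plus at least one listed identifier."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    if not (first and last):       # a bare SSN with no name is outside the definition
        return False
    return any((record.get(f) or "").strip() for f in IDENTIFIER_FIELDS)


@dataclass
class Incident:
    records: list                           # rows exposed in the incident
    data_encrypted: bool
    key_or_process_compromised: bool        # did the key/process go with the data?
    unauthorized_acquisition_or_use: bool   # second trigger on the Notice slides
    substantial_risk_of_id_theft: bool      # counsel / IR lead judgement
    role: str                               # "owner_or_licensor" or "maintainer_or_storer"


@dataclass
class TriageResult:
    affected_residents: int
    breach_of_security: bool
    notice_required: bool
    notify: list = field(default_factory=list)


def triage(incident: Incident) -> TriageResult:
    """Apply the slides' definitions to one incident and list who must be notified."""
    affected = sum(1 for r in incident.records if is_personal_information(r))
    # Encrypted data falls inside the definition only if the key/process was also lost.
    data_usable = (not incident.data_encrypted) or incident.key_or_process_compromised
    breach = affected > 0 and data_usable and incident.substantial_risk_of_id_theft
    # Notice slides: a breach of security OR unauthorized acquisition/use triggers notice.
    required = affected > 0 and (breach or incident.unauthorized_acquisition_or_use)
    result = TriageResult(affected, breach, required)
    if required:
        if incident.role == "owner_or_licensor":
            result.notify = ["resident", "Attorney General", "Director of OCABR"]
        else:                               # maintains or stores for someone else
            result.notify = ["owner or licensor"]
    return result


# Constructed sample rows: two meet the definition, the third has no listed identifier.
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"},
    {"first_name": "J", "last_name": "Roe", "card_number": "4111111111111111"},
    {"first_name": "Jo", "last_name": "Bloggs", "email": "jo@example.com"},
]

if __name__ == "__main__":
    print(triage(Incident(SAMPLE_RECORDS, False, False, True, True, "owner_or_licensor")))
```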

Page 12

An Act Relative to Security Freezes and Notification of Data Breaches

2. “Notice”

Written notice

Electronic notice

“Substitute notice”

Page 13

An Act Relative to Security Freezes and Notification of Data Breaches

What should be in the “Notice”?

– Consumer’s right to obtain a police report

– How a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze

– Any fees to be paid to any of the consumer reporting agencies

Page 14

An Act Relative to Security Freezes and Notification of Data Breaches

Data Destruction

– When disposing of records…

(a) Paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot be read or reconstructed

(b) Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed

Page 15

An Act Relative to Security Freezes and Notification of Data Breaches

Penalties =

Page 16

An Act Relative to Security Freezes and Notification of Data Breaches

• Notice Violation → Chapter 93A liability (triple damages, costs, and attorneys’ fees)

• Data Destruction Violation → Chapter 93A liability and a civil fine of not more than $100 per data subject with a maximum fine of $50,000 for each instance of improper disposal

Page 17

Standards for the Protection of Personal Information of Residents of the Commonwealth

Massachusetts Data Security Law

↓

Requires the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) to adopt regulations designed to safeguard the personal information about residents of the Commonwealth

Page 18

Standards for the Protection of Personal Information of Residents of the Commonwealth

• Issued: September, 2008

• Effective: January 1, 2009

• Delayed to: May 1, 2009

• Delayed to: January 1, 2010

Page 19

Standards for the Protection of Personal Information of Residents of the Commonwealth

Two Primary Components:

1. Development of a comprehensive written information security program

2. For persons that electronically store or transmit personal information, the establishment and maintenance of a security system covering its computers, including a wireless system

Page 20

Standards for the Protection of Personal Information of Residents of the Commonwealth

Comprehensive Written Information Security Program

• Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

Page 21

Standards for the Protection of Personal Information of Residents of the Commonwealth

• Every comprehensive written information security program shall include, at least, the following:

– Designating 1 or more employees to maintain the program

– Identifying and assessing reasonably foreseeable internal and external risks to security, confidentiality and integrity of records, to include:

• ongoing employee training

• employee compliance with policies

• means of detecting and preventing system failures

• developing security policies for employees

Page 22

Standards for the Protection of Personal Information of Residents of the Commonwealth

– Imposing disciplinary measures

– Preventing terminated employees from accessing records

– Verifying your vendors’ providers have the capacity to protect personal information

– Limiting the amount of personal information collected

– Identify records and devices which contain personal information

– Reasonable restrictions upon physical access to records containing personal information

Page 23

Standards for the Protection of Personal Information of Residents of the Commonwealth

– Regular monitoring to ensure the program operates in a manner calculated to prevent unauthorized access to or use of personal information

– Review of the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information

– Documentation of responsive actions taken in connection with any incident involving a breach of security

Page 24

Standards for the Protection of Personal Information of Residents of the Commonwealth

Computer System Security Requirements

– Every person that electronically stores or transmits personal information shall include in its written comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, including, at a minimum, the following elements:

Page 25

Standards for the Protection of Personal Information of Residents of the Commonwealth

Secure user authentication protocols, including:

– Control of user IDs and other identifiers

– Secure method of assigning and selecting passwords (or use of unique identifier technologies)

Page 26

Standards for the Protection of Personal Information of Residents of the Commonwealth

If you recognize your password here, you may as well hand over your wallet or purse to the first person you see on the street.

• password • 123456 • qwerty • abc123 • letmein • monkey • myspace1 • password1 • blink182 • (your first name)

http://www.pctools.com/guides/password/

Page 27

Standards for the Protection of Personal Information of Residents of the Commonwealth

• Control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect

– Memorize your Password

– Do NOT Share your password

– If you must write it down, Record It Safely

Page 28

Standards for the Protection of Personal Information of Residents of the Commonwealth

– Restrict access to active users and active user accounts only; and

– Blocking access to user identification after multiple unsuccessful attempts to gain access;
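The two requirements on this slide (active users and accounts only; block a user ID after multiple unsuccessful attempts) as an added example, not code from the original presentation or from the presenters. The failure threshold and lockout window are assumptions, since the slide says only “multiple”, and the in-memory user store and explicit clock are constructed so the example runs offline; the audit lines it writes are the kind of record the later “reasonable monitoring” slide expects.

```python
"""Authentication gate for the two requirements on the slide above.

Added example, not from the original presentation. It admits only active
users with active accounts, and blocks a user ID after multiple unsuccessful
attempts. MAX_FAILURES and LOCKOUT_SECONDS are assumptions (the slide says
only "multiple"); the user store and the clock are in-memory so it runs
offline. The log lines give a monitoring process something to watch.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window
_DUMMY_SALT = bytes(16)     # so unknown IDs cost the same time as wrong passwords


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    active: bool = True         # set False on termination (see the later slide)
    failures: int = 0
    locked_until: float = 0.0   # clock value; 0 means not locked


class AuthGate:
    def __init__(self):
        self.accounts = {}      # user_id -> Account (constructed in-memory store)
        self.log = []           # audit trail for monitoring

    def add_user(self, user_id: str, password: str, active: bool = True) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, _hash(password, salt), active)

    def deactivate(self, user_id: str) -> None:
        """Terminated employee: the account stays on file but can no longer log in."""
        self.accounts[user_id].active = False

    def login(self, user_id: str, password: str, now: float) -> str:
        """Return "ok", "denied" or "locked"; never reveals whether the ID exists."""
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            _hash(password, _DUMMY_SALT)            # keep timing comparable
            self.log.append(f"{now} DENY user={user_id} reason=inactive_or_unknown")
            return "denied"
        if now < acct.locked_until:
            self.log.append(f"{now} DENY user={user_id} reason=locked")
            return "locked"                         # even a correct password is refused
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.log.append(f"{now} ALLOW user={user_id}")
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.log.append(f"{now} LOCK user={user_id} until={acct.locked_until}")
            return "locked"
        self.log.append(f"{now} DENY user={user_id} reason=bad_password n={acct.failures}")
        return "denied"
```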

Page 29

Standards for the Protection of Personal Information of Residents of the Commonwealth

Secure access control measures that

• Restrict access to records and files containing personal information to those who need information to perform their job duties

• Assign unique identifications plus passwords to each person with computer access

Page 30

Standards for the Protection of Personal Information of Residents of the Commonwealth

Encryption

All transmitted records and files containing personal information that will travel across public networks

All data containing personal information to be transmitted wirelessly

Page 31

Standards for the Protection of Personal Information of Residents of the Commonwealth

Reasonable monitoring of systems for unauthorized use of, or access to, personal information

Encryption of all personal information stored on laptops or other portable devices

Page 32

Standards for the Protection of Personal Information of Residents of the Commonwealth

Example #1

Bob is an SMB Executive. He forgets his laptop in a cab.

Laptop has ‘BIOS’ password before booting. It also has username and ‘strong password’.

Bob is annoyed at loss of laptop, but feels safe about privacy of his data… is he right?

Page 33

Standards for the Protection of Personal Information of Residents of the Commonwealth

Bob is Wrong!

Physical access to a computer almost guarantees any hacker will get to your unencrypted data.

Does not require a highly sophisticated attacker.

Page 34

Standards for the Protection of Personal Information of Residents of the Commonwealth

Up-to-date firewall protection and operating system security patches for systems connected to the internet

Page 35

Standards for the Protection of Personal Information of Residents of the Commonwealth

Up-to-date versions of system security agent software

• with malware protection

• reasonably up-to-date patches and virus definitions

Page 36

Standards for the Protection of Personal Information of Residents of the Commonwealth

Example #2

Senior Executive for CPA Firm ‘does not like the Antivirus program’

Removes it and installs one of his preference

SE is happy, company is unaware

New program fails to update

User’s PC is infected

Main company server is hacked

Page 37

Standards for the Protection of Personal Information of Residents of the Commonwealth

Example #3

A company with an active e-commerce site

Server is behind a firewall

Website uses SSL encryption for all data transmissions

SSL, and ONLY SSL, is allowed from the Internet into this server

Bob feels good about his server

Page 38

Standards for the Protection of Personal Information of Residents of the Commonwealth

Bob is Wrong Again!

Bob’s hacked computer (Example #2) can serve as launch pad for attack against server; other attacks exist that exploit OS vulnerabilities directly

Data should be separated

Data should be encrypted!

Page 39

Standards for the Protection of Personal Information of Residents of the Commonwealth

Example #4

Bob is very conscious of his company’s data, so Bob makes sure everything is backed up daily

To protect against disaster, Bob diligently manages several weeks’ worth of tape sets

Bob takes one set of tapes to his own house and stores them in his basement.

Bob’s home is broken into…

Page 40

Standards for the Protection of Personal Information of Residents of the Commonwealth

Education and training of employees on the proper use of the computer security system and the importance of personal information security

Page 41

Standards for the Protection of Personal Information of Residents of the Commonwealth

A determination as to whether the comprehensive written information security program is in compliance with the Regulations will take into account the following:

– Size, scope and type of business

– Amount of resources available

– Amount of stored data

– Need for security and confidentiality of both consumer and employee information

Page 42

Standards for the Protection of Personal Information of Residents of the Commonwealth

• Penalties

– Chapter 93A liability

• triple damages

• costs

• attorneys’ fees

Page 43

Applicability of other State and Federal Laws

• Still must comply with other state and federal laws regarding the protection and privacy of personal information (HIPAA, Red Flags Rule)

• However, a person is deemed to be in compliance with the NOTICE provisions of the Data Security Breach Law and the Regulations if the person maintains procedures for responding to a breach of security pursuant to such “other” laws, provided…

Page 44

Applicability of other State and Federal Laws

Person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs

Person notifies the Massachusetts Attorney General and the Director of OCABR as soon as practicable and without unreasonable delay following the breach.

Page 45

Applicability of other State and Federal Laws

Still must comply with the Data Destruction elements of the law!

Page 46

Applicability of other State and Federal Laws

• Example: A Massachusetts health care provider experiences a data security breach

– Under the revised HIPAA Privacy Rule (pursuant to the Federal Stimulus Package), a Massachusetts health care provider must now provide notice of a data breach to the patient

– Under the Massachusetts Data Security Law the Provider must also notify the AG and the Director of OCABR of the breach

Page 47

Applicability of other State and Federal Laws

• Furthermore, the Massachusetts health care provider must still comply with the Data Destruction requirements of the Massachusetts Data Security Law

Page 48

Applicability of other State and Federal Laws

• Red Flags Rule

– Requires “creditors” and “financial institutions” with “covered accounts” to implement programs to identify, detect and respond to patterns, practices and specific activities that would indicate identity theft.

– Enforcement delayed until August 1, 2009.

Page 49

Applicability of other State and Federal Laws

Red Flags Rule

Good News: Compliance with Massachusetts Data Security Law = compliance with Red Flags Rule

Bad News: Failure to comply with Massachusetts Data Security Law → likely means failure to comply with Red Flags Rule

Additional Penalties: $2,500 per knowing violation

Page 50

Next Steps

Assess your organization’s current compliance with the Massachusetts Data Security Law

– Do you own, license, maintain, or store “Personal Information”?

– Do you have a “comprehensive written information security program”?

– Have you implemented the required technical security requirements for personal information which is electronically stored or transmitted?

Page 51

Next Steps

Consider bringing in an outside expert

– Consequences of not complying:

• Monetary Penalties

• Lawsuits

• Bad publicity = potential effect on revenues

• Business disruption while compliance is overseen by state regulatory agencies

Page 52

Questions?

• Bill Minahan, aNetworks, 781-753-8501, [email protected]

• Mark Rogers, Esq., The Rogers Law Firm, [email protected]