Massachusetts New Data Security Laws Presentation
DESCRIPTION
Secure Your Data. It's now the Law. Massachusetts has issued new regulations that will soon go into effect mandating that “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” comply with strict requirements for safeguarding and disposing of personal information. Don't miss this opportunity to understand how 201 CMR 17.00 et seq. will affect your business. If your company accepts credit cards or stores any customer information, you need to attend this important seminar to understand what will now be required of your company under Massachusetts law. Our experts will detail the regulations and how they impact Massachusetts-based companies. We will discuss the compliance structure as well as outline the steps you will need to take to be in compliance with these new regulations. WARNING: Failure to comply with the new law exposes a company to substantial monetary penalties. Attorney advertising. Prior results do not guarantee a similar outcome. http://events.anetworks.net

TRANSCRIPT
Massachusetts New Data Security Law
Presented by
Bill Minahan, aNetworks, Inc., Hingham, MA
Mark Rogers, Esq., The Rogers Law Firm, Braintree, MA
The Rogers Law Firm
Massachusetts New Data Security Law
Goals of Today’s Presentation
– Overview of Massachusetts new data security law and associated regulations
– Overview of the Federal Red Flags Rule
– Guidance on complying with these new laws
Massachusetts New Data Security Law
Two Questions
1. Why Massachusetts?
2. Why now?
Massachusetts New Data Security Law
Answer
TJX
Massachusetts New Data Security Law
TJX Data Breach
– “Unauthorized intrusion” affects over 100 million accounts
– TJX set aside $256 million for costs associated with the breach
Massachusetts New Data Security Law
Massachusetts responds
– “An Act Relative to Security Freezes and Notification of Data Breaches” (Effective: February 3, 2008)
– “Standards for the Protection of Personal Information of Residents of the Commonwealth” (Effective: January 1, 2010)
An Act Relative to Security Freezes and Notification of Data Breaches
3 areas addressed by the law
1. Security Freezes
2. Notice of a Security Breach (M.G.L. c. 93H)
3. Data Destruction (M.G.L. c. 93I)
An Act Relative to Security Freezes and Notification of Data Breaches
“Personal Information”
Resident’s first name + last name
or
first initial + last name, with 1 or more of the following:
• Social Security #
• Driver’s license # or state-issued ID card #
• Financial account # or credit or debit card #
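The definition above is a classification rule, so an added example (not from the presentation) applies it to a set of constructed, fictional records; the number formats it checks are assumptions for the demo, since the statute prescribes none.

```python
"""Classify records against the "personal information" definition on the slide:
resident's first name + last name, or first initial + last name, combined with
one or more of Social Security #, driver's license / state-issued ID #, or
financial account # / credit or debit card #.  Added example, not from the slides."""
import re
from dataclasses import dataclass

# Number formats are assumptions for the demo; the statute prescribes no shape.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")
STATE_ID_RE = re.compile(r"^[A-Z]?\d{7,9}$")
ACCOUNT_RE = re.compile(r"^\d{8,19}$")


@dataclass
class Record:
    first_name: str = ""
    last_name: str = ""
    ssn: str = ""
    state_id: str = ""
    card_or_account: str = ""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used only to tell a payment-card number from a bank account."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_name_element(rec: Record) -> bool:
    # First name + last name, or first initial + last name: one character suffices.
    return bool(rec.last_name.strip()) and bool(rec.first_name.strip())


def identifiers_present(rec: Record) -> list:
    found = []
    if SSN_RE.match(rec.ssn.strip()):
        found.append("ssn")
    if STATE_ID_RE.match(rec.state_id.strip().upper()):
        found.append("state_id")
    acct = rec.card_or_account.strip().replace(" ", "")
    if ACCOUNT_RE.match(acct):
        found.append("card" if 13 <= len(acct) <= 19 and luhn_ok(acct) else "account")
    return found


def classify(rec: Record) -> dict:
    """Return whether the record is 'personal information' and which elements triggered."""
    ids = identifiers_present(rec)
    return {"personal_information": has_name_element(rec) and bool(ids),
            "name": has_name_element(rec), "identifiers": ids}


def count_personal_information(records) -> int:
    return sum(classify(r)["personal_information"] for r in records)


# Constructed sample records (fictional values).
SAMPLE = [
    Record("Jane", "Doe", ssn="123-45-6789"),                   # name + SSN -> PI
    Record("J", "Doe", card_or_account="4111 1111 1111 1111"),  # initial + card -> PI
    Record("", "Doe", ssn="123-45-6789"),                       # no name element -> not PI
    Record("Jane", "Doe"),                                      # name only -> not PI
    Record("Jane", "Doe", state_id="s12345678"),                # name + state ID -> PI
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.first_name, r.last_name, classify(r))
    print("records needing safeguards:", count_personal_information(SAMPLE))
```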
An Act Relative to Security Freezes and Notification of Data Breaches
Notice
A person or business that maintains or stores personal information about a resident of the Commonwealth
→ must provide notice to the owner or licensor of such information, if they know or have reason to believe that:
1. There is a breach of security; or
2. the personal information was acquired or used by an unauthorized person or used for an unauthorized purpose
An Act Relative to Security Freezes and Notification of Data Breaches
Notice
A person or business that owns or licenses personal information about a resident of the Commonwealth
→ must provide notice to the resident, the Attorney General, and the Director of Consumer Affairs and Business Regulation if the person knows or has reason to know that there was:
1. a breach of security; or
2. the personal information was acquired or used by an unauthorized person, or used for an unauthorized purpose
An Act Relative to Security Freezes and Notification of Data Breaches
2 Important Definitions
1. “Breach of Security”
The unauthorized use of unencrypted data or encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or business that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth.
An Act Relative to Security Freezes and Notification of Data Breaches
2. “Notice”
Written notice
Electronic notice
“Substitute notice”
An Act Relative to Security Freezes and Notification of Data Breaches
What should be in the “Notice”?
– Consumer’s right to obtain a police report
– How a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze
– Any fees to be paid to any of the consumer reporting agencies
An Act Relative to Security Freezes and Notification of Data Breaches
Data Destruction
– When disposing of records…
(a) Paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot be read or reconstructed
(b) Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed
An Act Relative to Security Freezes and Notification of Data Breaches
Penalties
An Act Relative to Security Freezes and Notification of Data Breaches
• Notice Violation → Chapter 93A liability (triple damages, costs, and attorneys’ fees)
• Data Destruction Violation → Chapter 93A liability and a civil fine of not more than $100 per data subject, with a maximum fine of $50,000 for each instance of improper disposal
Standards for the Protection of Personal Information of Residents of the Commonwealth
Massachusetts Data Security Law
↓
Requires the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) to adopt regulations designed to safeguard the personal information about residents of the Commonwealth
Standards for the Protection of Personal Information of Residents of the Commonwealth
• Issued: September, 2008
• Effective: January 1, 2009
• Delayed to: May 1, 2009
• Delayed to: January 1, 2010
Standards for the Protection of Personal Information of Residents of the Commonwealth
Two Primary Components:
1. Development of a comprehensive written information security program
2. For persons that electronically store or transmit personal information, the establishment and maintenance of a security system covering its computers, including a wireless system
Standards for the Protection of Personal Information of Residents of the Commonwealth
Comprehensive Written Information Security Program
• Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.
Standards for the Protection of Personal Information of Residents of the Commonwealth
• Every comprehensive written information security program shall include, at least, the following:
– Designating 1 or more employees to maintain the program
– Identifying and assessing reasonably foreseeable internal and external risks to security, confidentiality and integrity of records, to include:
• ongoing employee training
• employee compliance with policies
• means of detecting and preventing system failures
• developing security policies for employees
Standards for the Protection of Personal Information of Residents of the Commonwealth
– Imposing disciplinary measures
– Preventing terminated employees from accessing records
– Verifying that your vendors and service providers have the capacity to protect personal information
– Limiting the amount of personal information collected
– Identifying records and devices which contain personal information
– Reasonable restrictions upon physical access to records containing personal information
Standards for the Protection of Personal Information of Residents of the Commonwealth
– Regular monitoring to ensure the program operates in a manner calculated to prevent unauthorized access to or use of personal information
– Review of the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information
– Documentation of responsive actions taken in connection with any incident involving a breach of security
Standards for the Protection of Personal Information of Residents of the Commonwealth
Computer System Security Requirements
– Every person that electronically stores or transmits personal information shall include in its written comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, including, at a minimum, the following elements:
Standards for the Protection of Personal Information of Residents of the Commonwealth
Secure user authentication protocols, including:
– Control of user IDs and other identifiers
– Secure method of assigning and selecting passwords (or use of unique identifier technologies)
Standards for the Protection of Personal Information of Residents of the Commonwealth
If you recognize your password here, you may as well hand over your wallet or purse to the first person you see on the street.
• password • 123456 • qwerty • abc123 • letmein • monkey • myspace1 • password1 • blink182 • (your first name)
http://www.pctools.com/guides/password/
Standards for the Protection of Personal Information of Residents of the Commonwealth
• Control data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
– Memorize your password
– Do NOT share your password
– If you must write it down, record it safely
Standards for the Protection of Personal Information of Residents of the Commonwealth
– Restricting access to active users and active user accounts only; and
– Blocking access to user identification after multiple unsuccessful attempts to gain access;
Standards for the Protection of Personal Information of Residents of the Commonwealth
Secure access control measures that:
• Restrict access to records and files containing personal information to those who need such information to perform their job duties
• Assign unique identifications plus passwords to each person with computer access
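The authentication and access-control elements listed on the last few slides (unique ID per person, passwords not kept in a compromising format, access only for active accounts, lockout after repeated failures, and an audit trail for monitoring) are illustrated by an added example that is not the presenters' code; the failure threshold and lockout duration are assumed policy values.

```python
"""Minimal authentication gate built around the regulation's listed elements:
unique user ID per person, passwords stored only as salted PBKDF2 hashes, access
limited to active accounts, lockout after repeated failed attempts, and an audit
log for monitoring.  Added example, not from the presentation."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed policy value; the regulation only says "multiple"
LOCKOUT_SECONDS = 15 * 60   # assumed policy value
PBKDF2_ROUNDS = 200_000


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failures: int = 0
    locked_until: float = 0.0


class UserStore:
    def __init__(self):
        self.accounts = {}
        self.audit = []      # (time, user_id, outcome) events for the monitoring process

    def _hash(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, user_id: str, password: str, active: bool = True) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique per person")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(salt, password), active)

    def deactivate(self, user_id: str) -> None:
        """Called when an employee leaves: the account must stop granting access."""
        self.accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str, now: float = None) -> str:
        """Return 'ok', 'inactive', 'locked' or 'bad_credentials'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:     # unknown and inactive look the same
            self.audit.append((now, user_id, "inactive"))
            return "inactive"
        if now < acct.locked_until:
            self.audit.append((now, user_id, "locked"))
            return "locked"
        if hmac.compare_digest(acct.pw_hash, self._hash(acct.salt, password)):
            acct.failures = 0
            self.audit.append((now, user_id, "ok"))
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:       # block the ID after repeated failures
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        self.audit.append((now, user_id, "bad_credentials"))
        return "bad_credentials"
```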
Standards for the Protection of Personal Information of Residents of the Commonwealth
Encryption
• All transmitted records and files containing personal information that will travel across public networks
• All data containing personal information to be transmitted wirelessly
Standards for the Protection of Personal Information of Residents of the Commonwealth
Reasonable monitoring of systems for unauthorized use of, or access to, personal information
Encryption of all personal information stored on laptops or other portable devices
Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #1
Bob is a SMB Executive. He forgets his laptop in a cab.
Laptop has a ‘BIOS’ password before booting. It also has a username and ‘strong password’. Bob is annoyed at the loss of the laptop, but feels safe about the privacy of his data… is he right?
Standards for the Protection of Personal Information of Residents of the Commonwealth
Bob is Wrong!
Physical access to a computer almost guarantees any hacker will get to your unencrypted data.
Does not require a highly sophisticated attacker.
Standards for the Protection of Personal Information of Residents of the Commonwealth
Up-to-date firewall protection and operating system security patches for systems connected to the internet
Standards for the Protection of Personal Information of Residents of the Commonwealth
Up-to-date versions of system security agent software
• with malware protection
• reasonably up-to-date patches and virus definitions
Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #2
Senior Executive for CPA Firm ‘does not like the Antivirus program’
Removes it and installs one of his preference
SE is happy, company is unaware
New program fails to update
User’s PC is infected
Main company server is hacked
Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #3
A company with an active e-commerce site
Server is behind a firewall
Website uses SSL encryption for all data transmissions
SSL, and ONLY SSL, is allowed from the Internet into this server
Bob feels good about his server
Standards for the Protection of Personal Information of Residents of the Commonwealth
Bob is Wrong Again!
Bob’s hacked computer (Example #2) can serve as a launch pad for an attack against the server; other attacks exist that exploit OS vulnerabilities directly
Data should be separated
Data should be encrypted!
Standards for the Protection of Personal Information of Residents of the Commonwealth
Example #4
Bob is very conscious of his company’s data, so Bob makes sure everything is backed up daily
To protect against disaster, Bob diligently manages several weeks’ worth of tape sets
Bob takes one set of tapes to his own house and stores them in his basement.
Bob’s home is broken into…
Standards for the Protection of Personal Information of Residents of the Commonwealth
Education and training of employees on the proper use of the computer security system and the importance of personal information security
Standards for the Protection of Personal Information of Residents of the Commonwealth
A determination as to whether the comprehensive written information security program is in compliance with the Regulations will take into account the following:
– Size, scope and type of business
– Amount of resources available
– Amount of stored data
– Need for security and confidentiality of both consumer and employee information
Standards for the Protection of Personal Information of Residents of the Commonwealth
• Penalties
– Chapter 93A liability
• triple damages
• costs
• attorneys’ fees
Applicability of other State and Federal Laws
• Still must comply with other state and federal laws regarding the protection and privacy of personal information (HIPAA, Red Flags Rule)
• However, a person is deemed to be in compliance with the NOTICE provisions of the Data Security Breach Law and the Regulations if the person maintains procedures for responding to a breach of security pursuant to such “other” laws, provided…
Applicability of other State and Federal Laws
Person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs
Person notifies the Massachusetts Attorney General and the Director of OCABR as soon as practicable and without unreasonable delay following the breach.
Applicability of other State and Federal Laws
Still must comply with the Data Destruction elements of the law!
Applicability of other State and Federal Laws
• Example: A Massachusetts health care provider experiences a data security breach
– Under the revised HIPAA Privacy Rule (pursuant to the Federal Stimulus Package), a Massachusetts health care provider must now provide notice of a data breach to the patient
– Under the Massachusetts Data Security Law, the Provider must also notify the AG and the Director of OCABR of the breach
Applicability of other State and Federal Laws
• Furthermore, the Massachusetts health care provider must still comply with the Data Destruction requirements of the Massachusetts Data Security Law
Applicability of other State and Federal Laws
• Red Flags Rule
– Requires “creditors” and “financial institutions” with “covered accounts” to implement programs to identify, detect and respond to patterns, practices and specific activities that would indicate identity theft.
– Enforcement delayed until August 1, 2009.
Applicability of other State and Federal Laws
Red Flags Rule
Good News: Compliance with Massachusetts Data Security Law = compliance with Red Flags Rule
Bad News: Failure to comply with Massachusetts Data Security Law → likely means failure to comply with Red Flags Rule
Additional Penalties: $2,500 per knowing violation
Next Steps
Assess your organization’s current compliance with the Massachusetts Data Security Law
– Do you own, license, maintain, or store “Personal Information”?
– Do you have a “comprehensive written information security program”?
– Have you implemented the required technical security requirements for personal information which is electronically stored or transmitted?
Next Steps
Consider bringing in an outside expert
– Consequences of not complying:
• Monetary penalties
• Lawsuits
• Bad publicity = potential effect on revenues
• Business disruption while compliance is overseen by state regulatory agencies
Questions?
• Bill Minahan, aNetworks, 781-753-8501, [email protected]
• Mark Rogers, Esq., The Rogers Law Firm, [email protected]