privacy update 04.29.2010
DESCRIPTION
Privacy Update Slide deck
TRANSCRIPT
![Page 1: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/1.jpg)
Privacy Law Update: Red Flags, HITECH & the New
Massachusetts Data Privacy Regulations
Stephen E. Meltzer, Esquire, CIPP
![Page 2: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/2.jpg)
Privacy Law:
![Page 3: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/3.jpg)
1. HIPAA, ARRA and HITECH
2. Red Flags
3. 201 CMR 17.00
![Page 4: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/4.jpg)
![Page 5: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/5.jpg)
?
![Page 6: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/6.jpg)
![Page 7: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/7.jpg)
HIPAA, ARRA & HITECH
• Health Insurance Portability & Accountability Act of 1996
– Not HIPPA (Health Insurance Portability Prevention Act)
• American Recovery & Reinvestment Act
• Health Information Technology for Economic and Clinical Health
![Page 8: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/8.jpg)
HITECH Requirements
• Expands the definitions of “business associates.”
• Mandates that HIPAA security standards that apply to health plans and health care providers will also apply directly to business associates.
• Establishes new security breach notice requirements.
• Entitles individuals to electronic copies of health information.
• Calls for regulations regarding the sale of electronic health records and protected health information by mid-August, 2010.
![Page 9: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/9.jpg)
Business Associates
“Business associates” are persons and organizations (typically
subcontractors) that perform activities involving the use or
disclosure of individually identifiable health information, such as
claims processing, data analysis, quality assurance, billing, and
benefit management, as well as those who provide legal,
accounting, or administrative functions. 45 CFR §160.103. The
HITECH Act adds as “business associates” organizations that
transmit protected health information and require access on a
routine basis to such information. See 42 USC §17938.
![Page 10: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/10.jpg)
Business Associates
Subject to the administrative, physical, and technical security
requirements of HIPAA, must implement appropriate policies and
procedures, and must document their security activities. Penalties
for violating these HIPAA procedures will apply to business
associates, just as they now do to health plans and health care
providers. 42 USC §17931.
![Page 11: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/11.jpg)
Breach Notification
The HITECH Act requires a health plan or health care provider that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information and discovers a breach of the information to notify each individual whose health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach. 42 USC §17932(a). Business associates will also be required to give notice of such a data breach to the health plan or health care provider, and will need to identify each individual whose unsecured protected health information was illegally accessed, acquired, or disclosed. 42 USC §17932(b). The health plan, health care provider, or business associate will be required to give notice of the breach without unreasonable delay, and no later than 60 calendar days after its discovery. 42 USC §17932(d). Notice must be provided by first-class mail to individuals at their last known address, or, if specified by the individual, via e-mail. 42 USC §17932(e)(1).
![Page 12: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/12.jpg)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
![Page 13: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/13.jpg)
Individual Patient Rights
Individuals are entitled to copies of their health information in electronic format from any health plan or health care provider that uses or maintains electronic health records. An individual will be able to direct the health plan or health care provider to transmit the copy directly to anyone he or she designates. Fees for providing this service must not be greater than the entity’s labor costs. 42 USC §17935(e).
![Page 14: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/14.jpg)
Authorization
The HITECH Act will prohibit a health plan, health care provider, or
business associate from receiving payment for an individual’s
protected health information without authorization from the
individual. 42 USC §17935(d).
![Page 15: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/15.jpg)
New Penalties
Increased Civil Penalties
• ARRA creates the following "tiers" of penalties:
– A violation without knowledge of the violation - $100 per violation, with an annual maximum amount of $25,000 in penalties.
– A violation that is due to reasonable cause - $1,000 per violation, with an annual maximum amount of $100,000 in penalties.
– A violation that is due to willful neglect - $10,000 per violation, with an annual maximum amount of $1,500,000 in penalties.
![Page 16: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/16.jpg)
New Enforcement
State Attorneys General now have the authority to file suit in federal
court against any person or entity that is accused of violating HIPAA
in a manner that the Attorney General has reason to believe
adversely affected any resident of that Attorney General's respective
state.
![Page 17: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/17.jpg)
RED FLAGS
June 1, 2010
![Page 18: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/18.jpg)
Red Flags – Who Must Comply?
The Red Flags Rules apply to “financial
institutions” and “creditors” with “covered
accounts.”
![Page 19: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/19.jpg)
Red Flags – Financial Institutions
State or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
![Page 20: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/20.jpg)
Red Flags – Transaction Account
A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
![Page 21: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/21.jpg)
Red Flags - Creditor
Any entity that regularly extends, renews, or continues credit; any entity
that regularly arranges for the extension, renewal, or continuation of
credit; or any assignee of an original creditor who is involved in the
decision to extend, renew, or continue credit. Accepting credit cards
as a form of payment does not in and of itself make an entity a
creditor. Creditors include finance companies, automobile dealers,
mortgage brokers, utility companies, and telecommunications
companies. Where non-profit and government entities defer
payment for goods or services, they, too, are to be considered
creditors.
![Page 22: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/22.jpg)
Red Flags – Covered Account
An account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.
![Page 23: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/23.jpg)
Red Flags – Exempt?
Only Lawyers
– FTC has filed a Notice of Appeal
• Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule.
– CPAs have filed a lawsuit
![Page 24: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/24.jpg)
Red Flags - Requirements
Develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
![Page 25: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/25.jpg)
Red Flags – Requirements – suggested “Starting Points”
• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information, such as a suspicious
address;
• unusual use of – or suspicious activity relating to – a covered
account; and
• notices from customers, victims of identity theft, law enforcement
authorities, or other businesses about possible identity theft in
connection with covered accounts.
![Page 26: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/26.jpg)
Red Flags - Penalties
• $3,500 per violation
• No private right of action
![Page 27: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/27.jpg)
http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml
![Page 28: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/28.jpg)
201 CMR 17.00
• Massachusetts Data Privacy Regulations
• Effective March 1, 2010.
![Page 29: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/29.jpg)
New Mandate:
PI = PI
Personal Information = Privacy Infrastructure
![Page 30: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/30.jpg)
![Page 31: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/31.jpg)
Scope of Rules
![Page 32: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/32.jpg)
Scope of Rules
• Covers ALL PERSONS that own or license personal information about a Massachusetts resident
• Need not have operations in Massachusetts
• Financial institutions, health care and other regulated entities not exempt
![Page 33: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/33.jpg)
Scope of Rules
“Personal information”
Resident’s first and last name or first initial and last name in combination with
• SSN
• Driver’s license or State ID, or
• Financial account number or credit/debit card that would permit access to a financial account
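As an added illustration of how this definition is applied in a data inventory (example code written for this page, not material from the slide deck or from Meltzer Law Offices), the Python below checks whether a text record contains “personal information” in the 201 CMR 17.00 sense: a name in combination with at least one of the three identifier categories. The identifier formats (dashed SSN, a Luhn-valid 13–19 digit card number, an “S” plus eight digits license pattern), the name pattern and the sample records are assumptions made for the example; the regulation defines the categories, not their formats.

```python
"""Added example (not from the slide deck): a record-level check for
"personal information" as 201 CMR 17.00 defines it on the slide: a
Massachusetts resident's name (first and last, or first initial and last)
in combination with an SSN, a driver's license or state ID number, or a
financial account / credit or debit card number.

The format patterns, the name pattern and the sample strings are
assumptions made for this example; the regulation names the categories,
not their formats, so treat every hit as a candidate for human review.
"""
import re
from dataclasses import dataclass

# Assumed formats for the three identifier categories. Deliberately loose:
# a data inventory should surface candidates, not prove identity.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Card / account numbers: 13-19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed license/state-ID shape: the letter S followed by 8 digits.
LICENSE_RE = re.compile(r"\bS\d{8}\b")
# Name: "First Last" or "F. Last" (the initial form the definition covers).
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit; filters out most random digit runs that CARD_RE hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class PIFinding:
    has_name: bool
    identifiers: tuple[str, ...]

    @property
    def is_personal_information(self) -> bool:
        """The definition requires a name *in combination with* an identifier."""
        return self.has_name and bool(self.identifiers)


def classify_text(text: str) -> PIFinding:
    """Report which identifier categories appear and whether a name accompanies them."""
    ids = []
    if SSN_RE.search(text):
        ids.append("ssn")
    if LICENSE_RE.search(text):
        ids.append("license_or_state_id")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            ids.append("financial_account")
            break
    return PIFinding(has_name=bool(NAME_RE.search(text)), identifiers=tuple(ids))


if __name__ == "__main__":
    # Constructed sample records; 4111 1111 1111 1111 is a well-known test number.
    for sample in (
        "Jane Doe, SSN 078-05-1120",
        "J. Smith card 4111 1111 1111 1111",
        "Invoice 4111 1111 1111 1111 due Friday",
        "Jane Doe lives in Boston",
    ):
        print(f"{sample!r}: {classify_text(sample)}")
```

The point the third sample makes is the one the definition turns on: a card number by itself is not “personal information” under 201 CMR 17.00; the name is what completes it. In practice the name often sits in a different field of the same record, so an inventory tool should evaluate whole records and still flag isolated identifiers for review rather than discarding them.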
![Page 34: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/34.jpg)
Three Requirements
1. Develop, implement and maintain a comprehensive, written information security program that meets very specific requirements (cWISP)
2. Heightened information security meeting specific computer information security requirements
3. Vendor Compliance (Phase-in)
![Page 35: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/35.jpg)
Evaluating Compliance (not Evaluating Applicability)
• Appropriate
– Size of business
– Scope of business
– Type of business
– Resources available
– Amount of data stored
– Need for security and confidentiality
• Consumer and employee information
![Page 36: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/36.jpg)
Evaluating Compliance (not Evaluating Applicability)
“The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”
![Page 37: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/37.jpg)
Enforcement
• Litigation and enforcement by the Massachusetts Attorney General
• Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers
• Attorney General likely to investigate based on breach reports
• No explicit private right of action or penalties
![Page 38: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/38.jpg)
Comprehensive Written Information Security Program
201 CMR 17.03
![Page 39: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/39.jpg)
Information Security Program
“[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”
![Page 40: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/40.jpg)
Comprehensive Information Security Program 201 CMR 17.03 (2)(a) through (j)
a. Designate
b. Identify
c. Develop
d. Impose
e. Prevent
f. Oversee
g. Restrict
h. Monitor
i. Review
j. Document
![Page 41: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/41.jpg)
Comprehensive Information Security Program
(a) Designate an employee to maintain the WISP.
(b) Identify and assess reasonably foreseeable risks (Internal and external).
(c) Develop security policies for keeping, accessing and transporting records.
(d) Impose disciplinary measures for violations of the program.
(e) Prevent access by terminated employees.
(f) Oversee service providers and contractually ensure compliance.
(g) Restrict physical access to records.
(h) Monitor security practices to ensure effectiveness and make changes if warranted.
(i) Review the program at least annually.
(j) Document responsive actions to breaches.
![Page 42: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/42.jpg)
Comprehensive Information Security Program
Third Party Compliance
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information
![Page 43: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/43.jpg)
Comprehensive Information Security Program
Third Party Compliance
Contracts entered “no later than” March 1, 2010:
Two-year phase-in.
Contracts entered into “later than” March 1, 2010:
Immediate compliance.
![Page 44: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/44.jpg)
Comprehensive Information Security Program
“INDUSTRY STANDARDS”
![Page 45: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/45.jpg)
Breach Reporting
G.L. c. 93H § 3
![Page 46: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/46.jpg)
Breach Reporting
Breach of security –
“the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
![Page 47: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/47.jpg)
Breach Reporting
• Possessor must give notice of
– Breach of Security
– Unauthorized Use or Acquisition
• To Owner/Licensor of Information
• Owner/Licensor must give notice of
– Breach of Security
– Unauthorized Use or Acquisition
• To
– Attorney General
– Office of Consumer Affairs
– Resident
![Page 48: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/48.jpg)
Breach Reporting
“The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:
(1) the nature of the breach of security or the unauthorized acquisition or use;
(2) the number of Massachusetts residents affected by such incident at the time of notification; and
(3) any steps the person or agency has taken or plans to take relating to the incident.”
![Page 49: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/49.jpg)
Sample Breach Notification Letter
• http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf
![Page 50: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/50.jpg)
Breach Reporting
• Stop
• Be afraid
• Call for help
![Page 51: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/51.jpg)
Computer System Security Requirements
201 CMR 17.04
![Page 52: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/52.jpg)
Electronic Requirements
201 CMR 17.04
• User authentication protocols
• Secure access controls
• Encryption of transmittable records
• Monitoring systems
• Laptop and mobile device encryption
• Security patches and firewalls
• System security agents
• IT Security user awareness
![Page 53: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/53.jpg)
User Authentication Protocols
• Control of user IDs
• Secure password selection
• Secure or encrypted password files
• User accounts blocked for unusual logon attempts
Examples:
Passwords should be at least 9 characters, alphanumeric with special characters
After 3 failed login attempts, users are blocked from access
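The two examples on this slide map directly onto code. The Python below is an added example written for this page (not the deck's or Meltzer Law Offices' material) that enforces them: a password-policy check for the “at least 9 characters, alphanumeric with special characters” rule and a per-account block after 3 failed logins. The thresholds, the in-memory counters and the plaintext comparison standing in for the real credential verifier are assumptions made for the example.

```python
"""Added example (not from the slide deck): a password-policy check and a
failed-login lockout implementing the two examples the slide gives for the
201 CMR 17.04 user-authentication requirement.

The constants, the in-memory store and the plaintext comparison are
assumptions for this example; a deployment would back the counters with
the directory or identity provider that holds the accounts and verify
against a hashed password file (the slide also asks for secured or
encrypted password files).
"""
import hmac
import string
from dataclasses import dataclass, field

MIN_LENGTH = 9            # slide: "at least 9 characters"
MAX_FAILED_ATTEMPTS = 3   # slide: blocked after 3 attempts


def password_policy_violations(password: str) -> list[str]:
    """Return the rules the candidate password violates; empty means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        violations.append("no letters")
    if not any(c.isdigit() for c in password):
        violations.append("no digits")
    if not any(c in string.punctuation for c in password):
        violations.append("no special characters")
    return violations


@dataclass
class LoginThrottle:
    """Counts failed logins per user ID and blocks the account at the threshold."""
    max_failed: int = MAX_FAILED_ATTEMPTS
    failures: dict[str, int] = field(default_factory=dict)
    blocked: set[str] = field(default_factory=set)

    def is_blocked(self, user_id: str) -> bool:
        return user_id in self.blocked

    def record_failure(self, user_id: str) -> bool:
        """Count one failed attempt; return True if the account is now blocked."""
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= self.max_failed:
            self.blocked.add(user_id)
        return self.is_blocked(user_id)

    def record_success(self, user_id: str) -> None:
        """A successful login resets the counter of a non-blocked account."""
        if not self.is_blocked(user_id):
            self.failures.pop(user_id, None)

    def attempt_login(self, user_id: str, password: str, expected: str) -> str:
        """Wrap a credential check in the lockout policy.

        Returns "blocked", "ok" or "denied". The blocked check runs first so
        a blocked account cannot be probed further, and the comparison is
        constant-time even though the stand-in secret here is plaintext.
        """
        if self.is_blocked(user_id):
            return "blocked"
        if hmac.compare_digest(password.encode(), expected.encode()):
            self.record_success(user_id)
            return "ok"
        self.record_failure(user_id)
        return "blocked" if self.is_blocked(user_id) else "denied"


if __name__ == "__main__":
    print(password_policy_violations("abcdefghij"))   # constructed weak password
    throttle = LoginThrottle()
    for guess in ("wrong", "wrong", "wrong", "Tr0ub4dor&3"):
        print(guess, "->", throttle.attempt_login("alice", guess, "Tr0ub4dor&3"))
```

Two design points worth noting. The lockout must be keyed by user ID on the server side, not tracked in the client, or it enforces nothing. And a hard block after three failures, which is what the slide states and what the example implements, is also a self-inflicted denial-of-service path when a user mistypes; most deployments pair it with a cool-down expiry or a help-desk reset and alert on bursts of lockouts as a monitoring signal.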
![Page 54: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/54.jpg)
Secure Access Control Measures
• Permit “access” on a need-to-know basis
• Password-protect accounts and use the login to determine level of access
Example:
Network Access Control Software/Hardware
Consentry
Sophos
Audit controls: who is accessing what, and when?
![Page 55: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/55.jpg)
Encryption of Transmitted Records
• Encryption of personal information accessed over a public network
– Tunneling options (VPN)
– Faxes, VOIP, phone calls
• Encryption of PI on wireless
– Bluetooth, WEP, Wifi
• Encryption definition is very broad
Examples:
PGP and Utimaco are encryption technologies
![Page 56: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/56.jpg)
Monitoring of Systems
• Require systems to detect unauthorized use of, or access to, personal information
• Some existing user-account-based systems will already comply
Examples:
Again, Network Access Control
Audit controls
![Page 57: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/57.jpg)
Laptop and Mobile Device Encryption
• Encryption of PI stored on laptops
– Applies regardless of laptop location
• Encryption of PI stored on “mobile” devices
– Does incoming email become a problem?
This applies only if you have personal information in motion.
Email is clear text, so anyone’s email can be read as it crosses the Internet.
![Page 58: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/58.jpg)
Security Patches and Firewalls
• “Reasonably up-to-date firewall protection and operating systems patches” for Internet connected computers
• Date on operating systems
All organizations should have a firewall in place (a firewall, not just a router)
Can hire an organization to update and manage the security infrastructure:
Firewall
Anti-virus
Patches…
![Page 59: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/59.jpg)
Systems Security Agent Software
• Anti-malware technology required
– Are certain products better?
– What about Macs or Linux?
• Set to receive auto-updates
Malware is what is infecting most environments, arriving over HTTP and HTTPS traffic.
Your users are your worst enemy
Products to look at for Malware
TrendMicro
Websense
Webwasher
![Page 60: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/60.jpg)
Employee Education and IT Security Training
• Proper training on all IT security policies
• User awareness
– Importance of PI security
– Proper use of the computer
– Everyone is involved
Your employees are your weakest link in any IT security program.
They need to know the rules.
Suggestions:
Stand-up training
Newsletters
Programs
Online training
![Page 61: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/61.jpg)
The Approach
• Inventory the type of personal information being kept
– Assess risk
• Plan information security strategy
– Data
• Security, Confidentiality, Integrity
• IT infrastructure and information change processes
• Implement plan and policies
– Technology deployment
– Policy implementation
– User awareness
– Continual review
Security is all about vigilance…
Compliance is knowing what you need to protect, building a fortress around it, and testing it on a frequent basis!
![Page 62: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/62.jpg)
Data Destruction
G.L. c. 93I
![Page 63: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/63.jpg)
Data Destruction (93I)
Paper documents/ electronic Media:
Redact, Burn, Pulverize, Shred
So that Personal Information cannot be read or reconstructed
![Page 64: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/64.jpg)
Data Destruction (93I)
– Violations:
• Attorney General: Unfair and Deceptive Practices remedies – 93H
• Civil fine: $100/data subject, not to exceed $50,000/instance – 93I
![Page 65: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/65.jpg)
What To Do Now
![Page 66: Privacy update 04.29.2010](https://reader034.vdocuments.net/reader034/viewer/2022051612/54bf31864a7959c94e8b45a8/html5/thumbnails/66.jpg)
Thank You
Meltzer Law Offices
http://www.meltzerlaw.com
508.872-0000