The Massachusetts Data Privacy Rules
Stephen E. Meltzer, Esquire, CIPP
The [New] Massachusetts Data Security Rules
Agenda
• Introduction
• Scope of Rules
• Comprehensive Written Information Security Program (cWISP)
• [Computer System Security Requirements]
• Breach Reporting Requirements
• What To Do Now
• Questions and Answers
The Massachusetts Data Security Rules
New Mandate:
PI = PI: Personal Information = Privacy Infrastructure
What Prompted the Rules?
• High-profile data breach cases
• Breach notification alone insufficient
• Reflection of states’ interest in protecting personal information
• Data in transit or on portable devices most at risk
Who Cares? Consequences for non-compliance:
AT LEAST:
Increased risk of government enforcement or private litigation
93H § 6 incorporates 93A § 4
• $5,000 per occurrence
• Attorneys’ fees
• Cost of Investigation/Enforcement
AT WORST:
Enforcement PLUS Bad PR, then Compliance and oversight
Enforcement
• Litigation and enforcement by the Massachusetts Attorney General
• Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers
• Attorney General likely to investigate based on breach reports
• No explicit private right of action or penalties
Looking Ahead
Massachusetts is one of the first, but is likely not the last
Federal Legislation: HITECH (ARRA); Red Flags; H.2221 (prospect of preemption)
Scope of Rules
Scope of Rules
• Covers ALL PERSONS that own or license personal information about a Massachusetts resident
• Need not have operations in Massachusetts
• Financial institutions, health care and other regulated entities not exempt
Scope of Rules
“Personal information”: Resident’s first and last name, or first initial and last name, in combination with
• SSN
• Driver’s license or State ID, or
• Financial account number or credit/debit card number that would permit access to a financial account
Three Requirements
1. Develop, implement and maintain a comprehensive, written information security program that meets very specific requirements (cWISP)
2. Heightened information security meeting specific computer information security requirements
3. Vendor Compliance (Phase-in)
Evaluating Compliance (not Evaluating Applicability)
• Appropriate to:
– Size of business
– Scope of business
– Type of business
– Resources available
– Amount of data stored
– Need for security and confidentiality
• Consumer and employee information
Evaluating Compliance (not Evaluating Applicability)
“The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”
Comprehensive Written Information Security Program
201 CMR 17.03
Information Security Program
“[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”
Comprehensive Information Security Program 201 CMR 17.03 (2)(a) through (j)
a. Designate
b. Identify
c. Develop
d. Impose
e. Prevent
f. Oversee
g. Restrict
h. Monitor
i. Review
j. Document
Comprehensive Information Security Program
(a) Designate an employee to maintain the WISP.
(b) Identify and assess reasonably foreseeable risks (Internal and external).
(c) Develop security policies for keeping, accessing and transporting records.
(d) Impose disciplinary measures for violations of the program.
(e) Prevent access by terminated employees.
(f) Oversee service providers and contractually ensure compliance.
(g) Restrict physical access to records.
(h) Monitor security practices to ensure effectiveness and make changes if warranted.
(i) Review the program at least annually.
(j) Document responsive actions to breaches.
Comprehensive Information Security Program: Third Party Compliance
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information
Comprehensive Information Security Program: Third Party Compliance
Contracts entered “no later than” March 1, 2010:
Two-year phase-in.
Contracts entered into “later than” March 1, 2010:
Immediate compliance.
Comprehensive Information Security Program
“INDUSTRY STANDARDS”
Breach Reporting
G.L. c. 93H § 3
Breach Reporting
Breach of security –
“the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
Breach Reporting
• Possessor must give notice of
– Breach of Security
– Unauthorized Use or Acquisition
• To Owner/Licensor of Information
• Owner/Licensor must give notice of
– Breach of Security
– Unauthorized Use or Acquisition
• To
– Attorney General
– Office of Consumer Affairs
– Resident
Breach Reporting
“The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:
(1) the nature of the breach of security or the unauthorized acquisition or use;
(2) the number of Massachusetts residents affected by such incident at the time of notification; and
(3) any steps the person or agency has taken or plans to take relating to the incident.”
Sample Breach Notification Letter
• http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf
Breach Reporting
• Stop
• Be afraid
• Call for help
Computer System Security Requirements
201 CMR 17.04
Electronic Requirements 201 CMR 17.04
• User authentication protocols
• Secure access controls
• Encryption of transmittable records
• Monitoring systems
• Laptop and mobile device encryption
• Security patches and firewalls
• System security agents
• IT Security user awareness
User Authentication Protocols
• Control of user IDs
• Secure password selection
• Secure or encrypted password files
• User accounts blocked for unusual logon attempts
Examples:
Passwords should be at least 9 characters, alphanumeric with special characters
After 3 failed login attempts, users are blocked from access
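An added example, not from the deck, that implements the controls on this slide as stated in Python: the 9-character alphanumeric-plus-special password policy, a password file that stores only salted PBKDF2 hashes instead of passwords, and a lockout after three failed logins. The PBKDF2 round count and the in-memory store are assumptions made for this example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# Values taken from the slide's examples: at least 9 characters, alphanumeric
# with special characters, and accounts blocked after 3 failed login attempts.
MIN_LENGTH = 9
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example


def password_meets_policy(password: str) -> bool:
    """True when the password is 9+ characters and mixes letters, digits and specials."""
    if len(password) < MIN_LENGTH:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_alpha and has_digit and has_special


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class PasswordFile:
    """In-memory stand-in for the 'secure or encrypted password file': it holds
    only salted PBKDF2-HMAC-SHA256 hashes, never the passwords themselves."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_user(self, user_id: str, password: str) -> None:
        """Refuses passwords that fail the policy, so weak ones never reach the file."""
        if not password_meets_policy(password):
            raise ValueError("password does not meet the 9-char alphanumeric+special policy")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, self._derive(password, salt))

    def login(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; the third bad attempt locks the account."""
        acct = self._accounts.get(user_id)
        if acct is None:
            return "denied"  # unknown user gets the same answer as a wrong password
        if acct.locked:
            return "locked"
        if hmac.compare_digest(self._derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # stays locked until an administrator resets it
            return "locked"
        return "denied"
```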
Secure Access Control Measures
• Permit “access” on a need-to-know basis
• Password-protect accounts and use the login to determine level of access
Example:
Network Access Control Software/Hardware
Consentry
Sophos
Audit controls: who is accessing what, and when?
Encryption of Transmitted Records
• Encryption of personal information accessed over a public network
– Tunneling options (VPN)
– Faxes, VOIP, phone calls
• Encryption of PI on wireless
– Bluetooth, WEP, Wifi
• Encryption definition is very broad
Examples:
PGP and Utimaco are encryption technologies
Monitoring of Systems
• Require systems to detect unauthorized use of, or access to, personal information
• Some existing user-account-based systems will already comply
Examples:
Again, Network Access Control
Audit controls
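An added example, not from the deck, that covers both the need-to-know access control on the earlier slide and the monitoring requirement on this one: it reviews a constructed audit log against a constructed role-to-record-type need-to-know map and flags unauthorized or unusual access to personal information. The roles, user ids, log lines and business-hours window are all assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed need-to-know map (constructed): which PI record types each role may touch.
NEED_TO_KNOW = {
    "payroll": {"ssn", "bank_account"},
    "hr": {"ssn", "drivers_license"},
    "support": set(),  # support staff have no business reason to see PI
}
USER_ROLES = {"dana": "payroll", "sam": "hr", "pat": "support"}
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time

# Constructed audit log (not real data): timestamp, user id, action, PI record type, subject id.
AUDIT_LOG = """\
2010-03-01T09:02:11 dana read ssn R-1001
2010-03-01T09:05:40 sam read drivers_license R-1002
2010-03-01T09:07:02 pat read ssn R-1003
2010-03-01T09:08:15 pat read bank_account R-1004
2010-03-01T23:41:09 dana export ssn R-1005
2010-03-01T09:10:00 ghost read ssn R-1006
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    record_type: str
    reason: str


def review_audit_log(log: str) -> list[Finding]:
    """Flags each log line that is unauthorized (unknown id, or outside the role's
    need-to-know set) or unusual (an export outside business hours)."""
    findings = []
    for line in log.splitlines():
        ts, user, action, record_type, _subject = line.split()
        role = USER_ROLES.get(user)
        if role is None:
            findings.append(Finding(ts, user, record_type, "unknown user id"))
            continue
        if record_type not in NEED_TO_KNOW[role]:
            findings.append(Finding(ts, user, record_type, f"role '{role}' has no need to know"))
            continue
        hour = int(ts[11:13])
        if action == "export" and hour not in BUSINESS_HOURS:
            findings.append(Finding(ts, user, record_type, "export outside business hours"))
    return findings


def findings_per_user(findings: list[Finding]) -> Counter:
    """Who is accessing what, and when: a count of flagged events per user id."""
    return Counter(f.user for f in findings)
```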
Laptop and Mobile Device Encryption
• Encryption of PI stored on laptops
– Applies regardless of laptop location
• Encryption of PI stored on “mobile” devices
– Does incoming email become a problem?
This applies only if you have personal information as data in motion.
Email is clear text, so anyone can read anyone’s email on the internet.
Security Patches and Firewalls
• “Reasonably up-to-date firewall protection and operating system patches” for Internet-connected computers
• Up-to-date operating systems
All organizations should have a firewall in place (not just a router: a firewall)
You can hire an organization to update and manage the security infrastructure:
Firewall
Anti-virus
Patches…
Systems Security Agent Software
• Anti-malware technology required
– Are certain products better?
– What about Macs or Linux?
• Set to receive auto-updates
Malware is what is infecting most environments, arriving over HTTP and HTTPS traffic.
Your users are your worst enemy.
Products to look at for malware:
TrendMicro
Websense
Webwasher
Employee Education and IT Security Training
• Proper training on all IT security policies
• User awareness
– Importance of PI security
– Proper use of the computer
– Everyone is involved
Your employees are your weakest link in any IT security program.
They need to know the rules.
Suggestions:
Stand-up training
Newsletters
Programs
Online training
The Approach
• Inventory what type of personal information is being kept
– Assess risk
• Plan information security strategy
– Data
• Security, Confidentiality, Integrity
• IT infrastructure and information change processes
• Implement plan and policies
– Technology deployment
– Policy implementation
– User awareness
– Continual review
Security is all about vigilance…
Compliance is knowing what you need to protect, building a fortress around it and testing it on a frequent basis!
Data Destruction
G.L. c. 93I
Data Destruction (93I)
Paper documents/ electronic Media:
Redact, Burn, Pulverize, Shred
So that Personal Information cannot be read or reconstructed
Data Destruction (93I)
Violations:
• Attorney General: Unfair and Deceptive Practices remedies – 93H
• Civil fine: $100/data subject, not to exceed $50,000/instance – 93I
What To Do Now
Compliance Deadlines: March 1, 2010
• Implement internal policies and practices
• Encrypt company laptops
• Amend contracts with service providers to incorporate the data security requirements
• Take all reasonable steps to ensure vendors apply protections as stringent as these (written certification not necessary)
• Encrypt other (nonlaptop) portable devices
Tasks
Tasks
• Form a team
– Include necessary Management, IT, HR, Legal and Compliance personnel
• Review existing policies
– Do your current data security policies and procedures create barriers to compliance?
• Map data flows that include personal information
– Consider limiting collection of personal information and restrict access to those with a need to know
Tasks
• Identify internal and external risks and effectiveness of current safeguards
• Draft comprehensive written information security program
• Negotiate amendments to vendor agreements and audit for vendor compliance
• Encrypt laptops, portable devices and data in transit
Tasks
• Restrict access to personal information
• Train employees
• Institute monitoring and self-auditing procedures
• Update systems, including firewall protection and malware and virus protection
Sample WISP Please
Sample WISP Please
Information Security Program Manual
1. Introduction
2. Scope
3. Documentation
4. PLAN-DO-CHECK-ACT
5. Risk Management Framework
6. Security policy
7. Organization of information security
8. Asset management
9. Human resources security
10. Physical and environmental security
11. Communications and operations management
12. Access control
13. Information systems acquisition, development and maintenance
14. Information security incident management
15. Business continuity management
16. Compliance
17. Change history
Sample WISP Please
Information Security Program
Table of Contents (page numbers refer to the sample program document)
Information Security Program Overview (p. 6)
Information Security Policy (p. 11)
Definitions (p. 13)
Security Risks Considered (p. 15)
Security Risks (p. 17)
Internet Policy (p. 33)
Email Policy (p. 34)
Privacy Policy (p. 38)
Record Retention & Destruction Policy (p. 40)
Acceptable Use Policy (p. 43)
Data Loss Response (p. 47)
Forms
Appendices
Action Plan
Compliance Engagement Plan
In-house IT/HR/Legal
Outsourced IT/HR/Legal
Combination
Resources
• Statute (M.G.L. c. 93H)
• Rules (201 CMR 17.00)
• OCABR Guidance
– Compliance Checklist
– Small Business Guide
– Frequently Asked Questions Regarding 201 CMR 17.00
• http://privacyregulation.com
Thank You