Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Published byGrant Ross Sherman Modified over 9 years ago

Similar presentations

Presentation on theme: "Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance."— Presentation transcript:

1 Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance

2 Overview of Laws M.G.L. 93H – Defines Personal Information – Requirement to notify the state and affected parties in the event of a security breach or unauthorized usage of personal information. M.G.L. 93I – Requires that personal information be destroyed in a manner that leaves it unrecoverable.

3 Overview of Laws 201 CMR 17.00 – Requires an individual be appointed to maintain a program to protect personal information within your organization. – Take reasonable steps to verify that third party vendors with access to personal information do not introduce risk. – Requirements to limit the amount of personal information collected.

4 Definition of Sensitive Data M.G.L. Ch. 93H defines Personal Information as: – An individual’s name in combination with any of the following: Social Security Number Driver’s License Number State Identification Card Number Financial Account Number, credit or debit card number

5 Day to Day Impact As faculty or staff, how does this impact you? – Protect the Information! – Look for and report suspicious activity!

6 Protecting the Information Do you have access to personal information? – Select secure passwords and do not use shared accounts. – Make sure that you have a valid business requirement for accessing the information; if not, work with your FSP to remove the access. – Work with your FSP to ensure that you have up-to-date Anti-Virus and security software on your desktop or laptop computers. – If you store personal information on a laptop, work with your FSP to install Whole Disk Laptop encryption – it’s the law! Install reasonably up-to-date Anti-Virus software & Security Agent software System must be up to date on patches A firewall must be used (host or network based) Reasonable monitoring for unauthorized use or access to personal information

7 Day to Day Impact Look for Suspicious Behavior – The state requires notification in the event of a Data Breach – When data is accessed by an unauthorized individual; including Tufts employees! Unauthorized Usage – When individuals use data in ways that it was not intended, such as when doctors look at celebrity medical records. Don’t send e-mails that contain personal information!

8 Data Retention If data exists, is it required? – Yes? Then it must be protected – No? Then it must be securely destroyed UIT can provide assistance with identifying tools or resources to securely destroy paper, electronic files, tapes or hard drives.

9 Protecting the Data Is the data stored on a P: or Q: drive? – Limit access to only those who have a legitimate business requirement to have access – Install reasonably up-to-date Anti-Virus software & Security Agent software – System must be up to date on patches

10 Protecting the Data Internet or Wireless Access to Application? – Needs to be encrypted Work with UIT to find a solution if the application does not support native encryption.

11 Protecting the Data Accessing this data from a home computer? – Is it required? No – Legal responsibility to securely remove any sensitive data from that machine. Yes – Requires approval – All system requirements pertain to that computer: Up to date on patches Anti-Virus Firewall Strong authentication Secure passwords

12 Recommendations

13 Approach 1.Understand what constitutes sensitive data 2.Identify sensitive data used within your organization 3.Identify what is necessary, securely destroy what is not. 4.Identify laptops, desktops & servers that contain sensitive data

14 Identify Sensitive Data within your Environment Staff – Read the Tufts University Written Information Security Plan (WISP) – Designate an individual to be responsible for this within your school or department. – Hold discussions with staff to determine if sensitive data exists within your organization and how it is used. Technology – UIT provides tools to install on computers to scan for potential sensitive data

15 Protecting the Data Physical paper work? – Keep it locked up. Limit access to those who have a legitimate business requirement. – Securely Destroy it when no longer required Electronic Data – Stored on a laptop? It must be encrypted. UIT provides whole disk laptop protection for Windows PCs and recommendations for those running alternative operating systems.

16 Vendor Management Organizations have a legal responsibility to ensure that third party vendors meet the following obligations: – Select and retain vendors that are capable of maintaining safeguards for personal information – Contractually require service providers to maintain such safeguards – Effective March 1, 2010 for new contracts – Effective March 1, 2012 for existing contracts created before March 1, 2010

17 Unauthorized Usage In the event of a security breach or identified unauthorized usage, Tufts has a legal requirement to notify the Attorney General and impacted users. If you suspect a security breach or have identified unauthorized usage of sensitive data, contact Tufts University Legal Counsel immediately.

18 Additional Resources Laws: – MGL 93H MGL 93H – MGL 93I MGL 93I – 201 CMR 17.00 201 CMR 17.00

Download ppt "Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.

Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.
ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
Security Training Lunch ‘n Learn. Agenda  Threat Analysis  Legal Issues  Threat Mitigation  User Security  Mobile Security  Policy Enforcement.

Security Training Lunch ‘n Learn. Agenda  Threat Analysis  Legal Issues  Threat Mitigation  User Security  Mobile Security  Policy Enforcement.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Information Security Awareness April 13, 2003. Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.

Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.

9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.
Security Controls – What Works

Security Controls – What Works
Data Security Issues in IR Eileen Driscoll Institutional Planning and Research Cornell University

Data Security Issues in IR Eileen Driscoll Institutional Planning and Research Cornell University
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Similar presentations

Ads by Google