Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.


Overview of Laws
M.G.L. 93H
– Defines Personal Information
– Requirement to notify the state and affected parties in the event of a security breach or unauthorized usage of personal information
M.G.L. 93I
– Requires that personal information be destroyed in a manner that leaves it unrecoverable

Overview of Laws
201 CMR 17.00
– Requires that an individual be appointed to maintain a program to protect personal information within your organization
– Take reasonable steps to verify that third-party vendors with access to personal information do not introduce risk
– Requirements to limit the amount of personal information collected

Definition of Sensitive Data
M.G.L. Ch. 93H defines Personal Information as:
– An individual’s name in combination with any of the following:
  – Social Security Number
  – Driver’s License Number
  – State Identification Card Number
  – Financial Account Number, credit or debit card number

Day to Day Impact
As faculty or staff, how does this impact you?
– Protect the Information!
– Look for and report suspicious activity!

Protecting the Information
Do you have access to personal information?
– Select secure passwords and do not use shared accounts.
– Make sure that you have a valid business requirement for accessing the information; if not, work with your FSP to remove the access.
– Work with your FSP to ensure that you have up-to-date Anti-Virus and security software on your desktop or laptop computers.
– If you store personal information on a laptop, work with your FSP to install Whole Disk Laptop encryption – it’s the law!
  – Install reasonably up-to-date Anti-Virus software & Security Agent software
  – System must be up to date on patches
  – A firewall must be used (host or network based)
  – Reasonable monitoring for unauthorized use of or access to personal information

Day to Day Impact
Look for Suspicious Behavior
– The state requires notification in the event of a Data Breach
  – When data is accessed by an unauthorized individual, including Tufts employees!
– Unauthorized Usage
  – When individuals use data in ways that were not intended, such as when doctors look at celebrity medical records.
– Don’t send e-mails that contain personal information!

Data Retention
If data exists, is it required?
– Yes? Then it must be protected.
– No? Then it must be securely destroyed.
UIT can provide assistance with identifying tools or resources to securely destroy paper, electronic files, tapes or hard drives.

Protecting the Data
Is the data stored on a P: or Q: drive?
– Limit access to only those who have a legitimate business requirement to have access
– Install reasonably up-to-date Anti-Virus software & Security Agent software
– System must be up to date on patches

Protecting the Data
Internet or Wireless Access to Application?
– Needs to be encrypted
– Work with UIT to find a solution if the application does not support native encryption.

Protecting the Data
Accessing this data from a home computer?
– Is it required?
  – No – Legal responsibility to securely remove any sensitive data from that machine.
  – Yes – Requires approval
– All system requirements pertain to that computer:
  – Up to date on patches
  – Anti-Virus
  – Firewall
  – Strong authentication
  – Secure passwords

Recommendations

Approach
1. Understand what constitutes sensitive data
2. Identify sensitive data used within your organization
3. Identify what is necessary; securely destroy what is not
4. Identify laptops, desktops & servers that contain sensitive data

Identify Sensitive Data within your Environment
Staff
– Read the Tufts University Written Information Security Plan (WISP)
– Designate an individual to be responsible for this within your school or department.
– Hold discussions with staff to determine if sensitive data exists within your organization and how it is used.
Technology
– UIT provides tools to install on computers to scan for potential sensitive data
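The M.G.L. 93H definition given earlier (a name in combination with an SSN, driver’s license, state ID or financial account/card number) can be checked mechanically, which is the simplest form of what the scanning tools mentioned under Technology do. The following is an added example, not code from the presentation or from any UIT tool; the field names, the identifier patterns and the sample record are assumptions constructed for illustration:

```python
import re

# Added example, not from the presentation: flag records that meet the M.G.L. 93H
# definition of Personal Information, a name combined with an SSN, driver's license /
# state ID number, or financial account / card number. The field names and regexes
# are assumptions for illustration; real discovery tools use far broader pattern sets.

SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
ACCOUNT_RE = re.compile(
    r"(?<![A-Za-z])(?:acct|account)[\s_]*(?:no\.?|#|number)?\s*[:#]?\s*(\d{6,17})\b", re.I)
LICENSE_RE = re.compile(
    r"(?<![A-Za-z])(?:DL|driver'?s?[\s_]*licen[cs]e|state[\s_]*id)[\s_]*"
    r"(?:no\.?|#|number)?\s*[:#]?\s*([A-Z0-9]{5,15})\b", re.I)
NAME_KEYS = {"name", "full_name", "first_name", "last_name"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so an arbitrary 16-digit reference is not reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> set:
    """Return the 93H identifier types found in one 'key: value' string."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("card_number")
    if ACCOUNT_RE.search(text):
        found.add("financial_account")
    if LICENSE_RE.search(text):
        found.add("license_or_state_id")
    return found

def classify_record(record: dict) -> dict:
    """Personal Information only when a name is present together with an identifier."""
    has_name = any(k.lower() in NAME_KEYS and str(v).strip() for k, v in record.items())
    identifiers = set()
    for k, v in record.items():
        identifiers |= find_identifiers(f"{k}: {v}")  # the key labels the value
    return {"has_name": has_name, "identifiers": sorted(identifiers),
            "personal_information": has_name and bool(identifiers)}

print(classify_record({"name": "Jane Doe", "ssn": "123-45-6789"}))  # constructed sample
```

A card number or SSN without a name is still reported under identifiers, so a department can see sensitive data that falls outside the 93H definition but may be covered by other obligations (PCI, for example) and decide under the Approach above whether to keep and protect it or securely destroy it.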

Protecting the Data
Physical paperwork?
– Keep it locked up. Limit access to those who have a legitimate business requirement.
– Securely destroy it when no longer required.
Electronic Data
– Stored on a laptop? It must be encrypted. UIT provides whole disk laptop protection for Windows PCs and recommendations for those running alternative operating systems.

Vendor Management
Organizations have a legal responsibility to ensure that third-party vendors meet the following obligations:
– Select and retain vendors that are capable of maintaining safeguards for personal information
– Contractually require service providers to maintain such safeguards
  – Effective March 1, 2010 for new contracts
  – Effective March 1, 2012 for existing contracts created before March 1, 2010

Unauthorized Usage
In the event of a security breach or identified unauthorized usage, Tufts has a legal requirement to notify the Attorney General and impacted users. If you suspect a security breach or have identified unauthorized usage of sensitive data, contact Tufts University Legal Counsel immediately.

Additional Resources
Laws:
– MGL 93H
– MGL 93I
– 201 CMR 17.00