
Massachusetts’ New Data Security Regulations: Ten Steps To Compliance
Amy Crafts, acrafts@proskauer.com, 617.526.9658
April 23, 2010


Slide 2: 1. Determine Whether You Own Or License Personal Information And Where It Is Located
The regulations apply to all persons – including natural persons, corporations, associations, partnerships or other legal entities – that own or license personal information of MA residents.
Personal information is defined by the regulations as a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following information:
- the resident’s Social Security number;
- the resident’s driver’s license number or state-issued identification card number; or
- the resident’s financial account number, or credit or debit card number.

Slide 3: 2. Develop A Written Information Security Program (WISP)
Massachusetts requires that all covered entities develop, implement and maintain a comprehensive WISP.
The WISP must be risk-based, and must contain administrative, technical and physical safeguards that are appropriate to:
- the size, scope and type of business;
- the amount of resources available to the business;
- the amount of stored data; and
- the need for security and confidentiality of both consumer and employee information.

Slide 4: 3. Designate Employee(s) Responsible For Implementing And Maintaining WISP
Responsibilities should include:
- Regular monitoring to ensure that the WISP is operating in a manner intended to prevent unauthorized access to or use of personal information.
- Upgrading information safeguards as necessary to decrease risk.
- Reviewing the scope of security measures at least annually, or whenever there is a material change in business practice that may implicate the security or integrity of personal information.
- Following a security breach, conducting and documenting a post-incident review of events and actions taken.

Slide 5: 4. Identify And Assess Reasonably Foreseeable Internal And External Risks To Security And Integrity Of Personal Information
Efforts should include:
- Ongoing employee (including temporary and contract employee) training on the proper use of the computer security system and the importance of personal information security.
- Employee compliance with policies and procedures – and imposition of disciplinary measures for noncompliance.
- Means for detecting and preventing security system failures.

Slide 6: 5. Identify Paper Records That Contain Personal Information
- Restrict access only to those employees who need the information to perform their employment responsibilities.
- Require that terminated employees return copies of any documents containing personal information.
- Store in locked facilities, storage areas or containers.
- Develop a security policy for storage, access and transportation of such records outside of business premises.

Slide 7: 6. Implement Secure User IDs/Passwords And Access Control Measures
- Develop a secure method of assigning passwords, preferably unique identification plus passwords, and consider using identifier technologies, such as biometrics or token devices.
- Ensure that user IDs and passwords are kept in a locked or encrypted file.
- Block access after multiple unsuccessful attempts to gain access.
- Restrict access to active users and active user accounts, and to those who need such information to perform their job duties.

Slide 8: 7. Ensure Security Of Computer Systems
- Requires reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of personal information.
- Requires reasonably up-to-date versions of system security agent software, including malware protection, patches and virus definitions.

Slide 9: 8. Encrypt Electronic Files, To The Extent “Technically Feasible”
- All transmitted files containing personal information that will travel across public networks (i.e. the Internet), and all data that will be transmitted wirelessly, should be encrypted.
- All personal information stored on laptops or other portable devices should be encrypted.

Slide 10: 9. Oversee Third-Party Service Providers
- Take reasonable steps to select and retain third-party service providers that are capable of maintaining security measures to protect personal information.
- Require third-party service providers by contract to implement and maintain appropriate security measures for personal information, with a carve-out:
  - Contracts in existence prior to March 1, 2010 do not have to contain such a representation until March 1, 2012.

Slide 11: 10. When Discarded, Completely Destroy Paper And Electronic Documents
Paper documents must be either:
- Redacted
- Burned
- Pulverized
- Shredded
Electronic documents and other non-paper media must be either:
- Destroyed
- Erased

Slide 12: What Are The Penalties For Non-Compliance With The Regulations?
Massachusetts provides for civil penalties in cases of non-compliance, pursuant to its consumer protection statute, M.G.L. 93A.
A civil penalty of $5,000 may be awarded for each deceptive act or practice, in addition to injunctive relief and attorneys’ fees.

Slide 13: What Does All Of This Mean?
Let’s discuss some hypothetical or frequently asked questions.

Slide 14: How Do I Store And Destroy Old Tapes/CDs?
- Old tapes and CDs (which are portable devices) should be encrypted, or at least stored in a locked file or room.
- Destruction must completely erase the content of the tapes and CDs.
  - Be careful – after data is erased, residue may remain which could lead to inadvertent disclosure.
  - Overwriting the stored data is a popular low-cost option (also called “wiping” or “shredding”).
  - Work with your IT staff to ensure the tapes and CDs have been completely erased.

Slide 15: How Should Businesses Protect E-mails Containing Personal Information?
- If technically feasible, e-mails should be encrypted.
- If not technically feasible, implement best practices by not sending personal information via e-mail.
  - There are alternative methods to communicate personal information other than through e-mail, such as establishing a secure Website that requires safeguards including username and password to conduct transactions involving personal information.

Slide 16: Is There A Maximum Period Of Time To Keep Records Containing Personal Information?
- As good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected, and limit the time such information is retained to that reasonably necessary to accomplish such purpose.
- Access should be limited to those persons who are reasonably required to know such information.

Slide 17: How Much Employee Training Is Required?
The regulations do not articulate what specifically is required. We suggest that you:
- Provide enough training to ensure that employees who will have access to personal information know what their obligations are regarding the protection of that information.
- Train both temporary and permanent employees.
- Convey to your employees that data security is taken seriously by your business.
- Require trained employees to sign an acknowledgement of training.

Slide 18: What Is The Extent Of The Monitoring Obligation?
- Depends on the nature of your business, your business practices, and the amount of personal information you own or license.
- Also depends on the form in which the information is kept and stored.
- In the end, the monitoring you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Slide 19: What If I Use Laptops?
- Assess whether your laptop(s) contain personal information.
- If they do, consider encryption.
  - The regulations make clear that, to be encrypted, data must be altered into an unreadable form: encryption must bring about a “transformation of data into a form in which meaning cannot be assigned.”
  - Password protection is not enough.

Slide 20: What Should You Do Now?
- Develop a plan to work towards compliance.
- Evaluate the protection mechanisms you have in place, and determine how they must be revised.
- Talk to your colleagues – lawyers, IT, etc. – to determine what makes sense for your business.
