
Slide 1 (February 16, 2010)

Massachusetts’ New Data Security Regulations And Their Impact On Businesses
Amy Crafts
February 16, 2009

Slide 2: Identity Theft Is A Serious Problem

Identity theft occurs when someone uses your personally identifying information (your name, Social Security number or credit card number) without your permission to commit fraud or other crimes. The FTC estimates that over 9 million Americans have their identities stolen each year. Massachusetts has become one of the most aggressive states in the country in protecting personal data, following a number of recent scandals.

Slide 3: Boston Globe (2006)

Credit and bank card numbers of as many as 240,000 subscribers of the Boston Globe and Worcester Telegram & Gazette were distributed with bundles of T&G newspapers.
- Confidential information printed on the back of paper slated for recycling was used to wrap newspaper bundles.
- Underscores the need for companies to focus on more than just online security to protect sensitive information.

Slide 4: TJX (2007)

- Hackers breached TJX’s wireless network and gained access to servers at the Framingham headquarters.
- TJX lacked appropriate firewalls to protect its servers, which allowed the hackers to export data quickly.
- Affected more than 94 million accounts.

Slide 5: Hannaford Brothers (2008)

- Exposed 4.2 million debit and credit card numbers over the period from December 7, 2007 to March 10, 2008.
- Occurred even though Hannaford had met the payment card industry standard and was not using wireless technology to transmit unencrypted data.
  - Both of those factors had contributed to the TJX breach.

Slide 6: In Response To These Scandals, The State Legislature Passed And Governor Patrick Signed A New Data Breach Law

The law, “An Act Relative to Security Freezes and Notification of Data Breaches,” creates two new chapters in the Massachusetts General Laws:
- Chapter 93I (Disposition and Destruction of Records)
- Chapter 93H (Security Breaches)

Slide 7: Each Chapter Concerns The “Personal Information” Of Massachusetts Residents

Personal information is defined as a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following:
- the resident’s Social Security number;
- the resident’s driver’s license number or state-issued identification card number; or
- the resident’s financial account number, or credit or debit card number.

Slide 8: The Broad Definition Of Personal Information Will Have A Far-Reaching Effect

- Any company that employs Massachusetts residents will have to comply.
- It could change the way many companies conduct their day-to-day business.

Slide 9: The Law Applies To Your Business

It applies to all persons that own or license personal information of Massachusetts residents. “Persons” includes:
- a natural person
- a corporation
- an association
- a partnership
- any other legal entity

There is a carve-out for certain government entities, including an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches or political subdivisions.

Slide 10: Compliance With Chapter 93I (Disposition and Destruction of Records) Is Straightforward

Sets forth minimum standards for the destruction of paper and electronic records containing personal information, to ensure that they cannot be read or reconstructed.

Paper documents must be either:
- redacted
- burned
- pulverized
- shredded

Electronic documents and other non-paper media must be either:
- destroyed
- erased

Slide 11: Entity Disposing Of Documents May Contract With A Third Party

The third party is required to implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation and disposal of that information.

Violations are subject to a civil fine of not more than $100 per data subject affected, and each fine shall not exceed $50,000 for each instance of improper disposal.
- The Attorney General may file a civil action in superior or district court to recover penalties.

Slide 12: Compliance With Chapter 93H (Security Breaches) Is More Complicated

Imposes notice obligations on employers that know or have reason to know of a “breach of security” concerning the personal information of any of their current or former employees, or job applicants, who reside in Massachusetts.

“Breach of security” is defined as the unauthorized acquisition or use of unencrypted personal information (or of encrypted personal information together with the confidential process or key needed to decrypt it), whether in paper or electronic form, that creates a substantial risk of identity theft or fraud. Encryption therefore only keeps a lost record out of the definition if the key was not lost with it.

Slide 13: Employees Must Be Notified Of A Breach

The employer must notify the affected employees, in writing, “as soon as practicable and without unreasonable delay.” The notice must include the following information:
- how employees may obtain a police report;
- how employees may ask the consumer reporting agencies (Equifax, Experian and TransUnion) to impose a security freeze; and
- any fees required to be paid to the consumer reporting agencies.

Slide 14: The Attorney General And The Director Of OCABR Must Also Be Notified Of A Breach

The employer must also provide written notice to the Attorney General and to the Director of the Office of Consumer Affairs and Business Regulation (OCABR). The notice must state:
- the nature of the breach;
- the number of affected employees who are residents of Massachusetts; and
- any remedial steps the employer has taken or plans to take.

If your business experiences a breach, work with your attorney on the notification process.

Slide 15: Regulations Have Been Issued To Implement M.G.L. c. 93H (Security Breaches)

Data Security Regulations: 201 C.M.R. 17.00. As required by M.G.L. c. 93H, the regulations were issued by the Office of Consumer Affairs and Business Regulation to implement the new law. The regulations have evolved considerably since they were first issued, and were finalized recently.

Slide 16: The Regulations Go Into Effect On March 1, 2010

- They will be enforced by the Attorney General’s Office.
- They set forth minimum standards to be met by those who own or license personal information of Massachusetts residents for safeguarding that information in both paper and electronic form.
  - You may not have to start from scratch: your Operations and Training Manual already includes some data security protections.
  - Gather what you have and work with IT and legal professionals to update it as necessary.

Slide 17: The Regulations Have Three Objectives

1. To ensure the security and confidentiality of employee information;
2. To protect against anticipated threats or hazards to the security or integrity of such information;
3. To protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any employee.

Slide 18: The Regulations Have Been Revised A Number Of Times

- In response to pressure from businesses of all sizes, but particularly from small businesses (“mom and pop” shops), for which compliance would be most onerous.
- The most recent iteration of the regulations takes a “risk-based” approach that allows companies of different sizes and resources to comply in different ways.
  - How this will be interpreted by regulators remains to be seen.

Slide 19: The Regulations Contain Two Major Components

1. A comprehensive written security program: every business must have its own policy, tailored to its specific business.
2. Extensive requirements for electronic data, which must be implemented to the extent technically feasible.

Slide 20: 1. The Law Requires A Comprehensive Information Security Program

- Every covered entity must develop, implement and maintain a comprehensive information security program.
- It must be written.
- It must contain administrative, technical and physical safeguards.

Slide 21: The Safeguards Should Be “Risk Based”

They should be appropriate to:
- the size, scope and type of business handling the information;
- the amount of resources available to the business;
- the amount of stored data; and
- the need for security and confidentiality of both consumer and employee information.

This is an effort by Massachusetts to balance consumer protections against business realities.

Slide 22: The Information Security Program Must Meet Certain Requirements Set Forth In The Regulations

- Provide for a designated employee to maintain the program.
- Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the information.

Slide 23: The Information Security Program Must Evaluate And Improve The Effectiveness Of The Safeguards In Place

- Ongoing employee training, for permanent and contract employees
- Employee compliance with policies and procedures
- Means for detecting and preventing security system failures

Slide 24: The Information Security Program Must Contain Requirements For Employees

- Develop security policies for employees relating to the storage, access and transportation of records outside of business premises
- Impose disciplinary measures for violations of the program rules
- Prevent terminated employees from accessing records

Slide 25: The Information Security Program Must Provide For Oversight Of Service Providers And Vendors

- Take reasonable steps to select and retain third-party service providers who also comply with the regulations
- Require third-party service providers by contract to implement and maintain appropriate security measures for personal information
  - This applies to any third party that works with you
  - Reach out to them and ask about their plans to comply

Slide 26: An Important Carve-Out For Existing Vendor Contracts

- If a contract is already in place as of the effective date, March 1, 2010, there is a two-year grace period for compliance.
- But any contract entered into after March 1, 2010 must ensure that the third-party service provider is also protecting personal information in compliance with the regulations.

Slide 27: The Information Security Program Applies To Paper Records, Too

- Paper records must be stored in locked facilities, storage areas or containers.
- The program must be regularly monitored.
- The security measures must be reviewed at least annually, or whenever there is a material change in business practice that may implicate the security or integrity of records.

Slide 28: The Information Security Program Requires Certain Steps Following A Breach

- The covered entity must document the responsive actions taken in connection with any incident involving a breach of security.
- In the event of a breach, there is a mandatory post-incident review of the events and of the actions taken, if any, in order to make any necessary changes in business practices.
- Again, if you experience a breach, consult with your attorney.

Slide 29: 2. There Are Additional Requirements For Electronically Stored Information

- Covered entities that electronically store or transmit personal information must establish and maintain a security system covering their computers and any wireless system.
- Compliance is required to the extent technically feasible: “technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.
- Some of the requirements are technical, so make sure to involve your IT staff.

Slide 30: User Passwords And Authorizations Are Required

- Control of user IDs and other identifiers
- A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies (such as biometrics or token devices)
- Control of data security passwords so that they are kept in a location or format that does not compromise the data they protect
- Restrict access to active users and active user accounts only
- Block access to a user identification after multiple unsuccessful attempts to gain access

Slide 31: Secure Access Control Measures Are Required

- Restrict access to records and files containing personal information to those who need such information to perform their job duties.
- Assign unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls.
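Slides 24, 30 and 31 list the account controls but not what they look like in code. The following is an added example, not code from the presentation or its author, showing one way to implement them together: unique user IDs with salted PBKDF2 password hashes (so stored passwords do not compromise the data they protect), a refusal of vendor-default passwords, a check that the account is still active before the password is even tested (so a terminated employee is shut out), and a lockout after repeated failures. The thresholds, the default-password denylist and the sample account names are assumptions chosen for illustration.

```python
"""Account controls from slides 24, 30 and 31 (added example; not from the deck).
Thresholds, the denylist and the sample accounts are assumptions for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60      # assumed policy: fifteen-minute lockout
PBKDF2_ROUNDS = 100_000        # slow hash so a stolen table is not trivially reversed

# Assumed starter denylist of vendor-supplied defaults; a real deployment would
# load the defaults shipped with its own point-of-sale and back-office systems.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234", "pos"}


@dataclass
class Account:
    user_id: str          # one identifier per person, never shared
    salt: bytes
    pw_hash: bytes
    active: bool = True   # cleared when the employee is terminated
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(user_id: str, password: str) -> Account:
    """Refuse vendor defaults and store only a salted PBKDF2 hash, never the password."""
    if password.lower() in DEFAULT_PASSWORDS:
        raise ValueError("vendor-default or trivial password not allowed")
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt))


class Authenticator:
    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = {a.user_id: a for a in accounts}
        self.clock = clock  # injectable so lockout expiry can be exercised in tests
        # Hashed against for unknown IDs so response time does not reveal valid IDs
        self._dummy = create_account("_dummy", "not-a-real-secret")

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Lockout is checked before the password
        so a correct guess cannot be confirmed while the ID is blocked."""
        acct = self.accounts.get(user_id)
        now = self.clock()
        if acct is None or not acct.active:
            hash_password(password, self._dummy.salt)   # burn the same time, then deny
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"

    def terminate(self, user_id: str) -> None:
        """Slide 24: a terminated employee's account is deactivated, not merely forgotten."""
        self.accounts[user_id].active = False
```

The unknown-account and terminated-account branches return the same answer and spend the same time as a wrong password, so an outsider cannot use the login page to enumerate which IDs exist. The lockout clears itself after the window; a production system would also record each failure for the monitoring obligation on slide 33.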

Slide 32: Records And Files Containing Personal Information Must Be Encrypted, Where Technically Feasible

- Any records that will travel across public networks
- Any records that will be transmitted wirelessly
- Any records that will be stored on laptops or other portable devices

Slide 33: Reasonable Monitoring For Unauthorized Use Or Access Is Required

- Reasonably up-to-date firewall protection and operating system security patches
- Reasonably up-to-date system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions
- Education and training of employees on the proper use of the computer security system and the importance of personal information security
- Any questions should be directed to your regional IT staff

Slide 34: What Are The Penalties For Non-Compliance?

Massachusetts provides for civil penalties in cases of non-compliance with its data breach notification statute. A civil penalty of $5,000 may be awarded for each violation. In addition, the Attorney General may bring a civil action under the consumer protection statute, Chapter 93A, which permits imposition of significant fines, injunctive relief and attorneys’ fees.

Slide 35: What Does All Of This Mean?

Let’s discuss some hypothetical or frequently asked questions.

Slide 36: What About My In-Store Processing System?

The answer is available from the IT department on a store-by-store basis. If your in-store processing system (ISP) is not on a recent software release, work with your Restaurant Store Systems Manager, who can help you determine the proper release and the path to get there.

Slide 37: How Do I Store And Destroy Old Tapes/CDs?

Unless they are leaving your business premises, old tapes and CDs should be stored in a locked file or room. Destruction must completely erase the content of the tapes and CDs.
- Be careful: after data is erased, residue may remain that could lead to inadvertent disclosure.
- Overwriting the stored data (also called “wiping” or “shredding”) is a popular low-cost option for rewritable magnetic media such as tapes and hard disks; the methods are implemented in software. Write-once optical discs (CD-R, DVD-R) cannot be overwritten and must be physically destroyed (shredded or pulverized), as must any tape for which you no longer have a drive to overwrite it.
- Work with your IT staff to ensure the tapes and CDs have been completely erased or destroyed.

Slide 38: How Should Businesses Protect Emails Containing Personal Information?

If technically feasible, emails should be encrypted. If not technically feasible, implement best practice by not sending personal information via email.
- There are other ways to communicate personal information than email, such as a secure website that requires safeguards, including a username and password, to conduct transactions involving personal information.
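The statutory definition on slide 7 (a name together with an SSN, a license or state ID number, or a financial account or card number) can be checked mechanically before a message leaves the business, which is the practical form of the “do not send personal information via email” advice on slide 38. The following is an added example, not code from the presentation: it scans a message body for the three identifier types, uses a Luhn check to discard card-length digit runs that are not card numbers, and reports a record as in scope only when a name from an employee directory also appears. The SSN and card patterns are standard; the Massachusetts license-number pattern, the directory and the sample messages are constructed assumptions for the example.

```python
"""Pre-send classifier for the slide 7 definition of personal information
(added example; not from the deck). The license pattern, the directory and the
sample text are constructed for illustration."""
import re

# Area 000/666/9xx, group 00 and serial 0000 are never issued, so skip them
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumed format: the slides give no pattern for Massachusetts license numbers
LICENSE_RE = re.compile(r"\bS\d{8}\b")

# Constructed HR directory; in practice this would be fed from the HR system
SAMPLE_DIRECTORY = [("Amy", "Crafts"), ("Pat", "Smith")]


def luhn_valid(candidate: str) -> bool:
    """Mod-10 check: filters out order numbers and other digit runs of card length."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> set:
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if LICENSE_RE.search(text):
        found.add("license")
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        found.add("card")
    return found


def find_names(text: str, directory) -> set:
    """Statute: first and last name, or first initial and last name."""
    hits = set()
    for first, last in directory:
        pattern = rf"\b(?:{re.escape(first)}|{re.escape(first[0])}\.?)\s+{re.escape(last)}\b"
        if re.search(pattern, text, re.IGNORECASE):
            hits.add(f"{first} {last}")
    return hits


def classify(text: str, directory=SAMPLE_DIRECTORY) -> dict:
    """In scope of 93H / 201 CMR 17.00 only when a name and an identifier co-occur."""
    names = find_names(text, directory)
    identifiers = find_identifiers(text)
    return {"in_scope": bool(names and identifiers),
            "names": names, "identifiers": identifiers}


def may_send_unencrypted(body: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Slide 38: hold any message that would carry personal information in the clear."""
    return not classify(body, directory)["in_scope"]
```

A real pre-send filter would usually also hold a message carrying a bare card number or SSN with no name, because the name is often in the headers, the signature or an attachment rather than the body; `classify` returns both parts so the caller can apply the stricter rule. Initial-plus-surname matching is deliberately loose and will produce some false positives, which is the right bias for a control whose failure mode is a disclosure.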

Slide 39: Is There A Maximum Period Of Time To Keep Records Containing Personal Information?

No, but be aware of minimum state and federal retention requirements.
- For example, Massachusetts law requires retention of personnel files for three years after termination of employment.

As good business practice, limit the personal information collected to what is reasonably necessary to accomplish the legitimate purpose for which it is collected, and limit the time such information is retained to what is reasonably necessary to accomplish that purpose. Access should be limited to those persons who reasonably need to know such information.

Slide 40: How Much Employee Training Is Required?

The regulations do not articulate what specifically is required. We suggest that you:
- provide enough training to ensure that employees who will have access to personal information know what their obligations are regarding the protection of that information;
- train both temporary and permanent employees;
- convey to your employees that data security is taken seriously by your business; and
- require trained employees to sign an acknowledgement of training.

Slide 41: What Is The Extent Of The Monitoring Obligation?

It depends on the nature of your business, your business practices, and the amount of personal information you own or license. It also depends on the form in which the information is kept and stored. In the end, the monitoring you put in place must be reasonably likely to reveal unauthorized access or use.

Slide 42: What If I Use Laptops?

Assess whether your laptop(s) contain personal information. If they do, consider encryption.
- The regulations make clear that encryption must bring about a “transformation of data into a form in which meaning cannot be assigned” without the use of a confidential process or key.
- The data itself must be altered into an unreadable form.
- Password protection is not enough: a login password only gates the operating system, and the files remain readable to anyone who removes the drive or boots the machine from other media. Full-disk encryption, with the key protected by the user’s passphrase, meets the definition; a screen-lock or account password alone does not.

Slide 43: What Should You Do Now?

- Develop a plan to work towards compliance.
- Evaluate the protection mechanisms you have in place, and determine how they must be revised.
- Talk to your colleagues (lawyers, IT, etc.) to determine what makes sense for your business.

