Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Copyright 2010 Hemenway & Barnes LLP H&B 641682 1.

Published byRandolph McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "© Copyright 2010 Hemenway & Barnes LLP H&B 641682 1."— Presentation transcript:

1 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 1

2 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 2 Massachusetts Data Security Regulations Teresa A. Belmonte, Esquire Hemenway & Barnes LLP 60 State Street Boston, MA 02109 (617) 227-7940 March 23, 2010

3 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 3 What Are They?  Regulations enacted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) pursuant to M.G.L. ch. 93H  Effective March 1, 2010

4 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 4 Overview of Requirements  Every “person” who “owns or licenses” “personal information” of a Massachusetts resident must have a comprehensive written information security program (WISP) to protect personal information

5 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 5 Overview of Requirements ● Risk-based approach to what is required--not a one-size fits all requirement ● It depends on the size of your organization, financial resources available, and how much personal information your organization has

6 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 6 Personal Information ● A Massachusetts resident’s first name or first initial and last name together with one of the following: social security number, or driver’s license number or state issued identification number, or financial account number, or credit or debit card number

7 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 7 “Person” ● Defined as a natural person or any private legal entity

8 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 8 “Owns or Licenses” ● Stores, receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment

9 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 9 If your organization has employees who are Massachusetts residents, you have personal information, and you must comply with these regulations

10 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 10 How to Comply with 201 CMR 17 ● Determine what personal information you have and where it is located what form it is in--paper or electronic

11 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 11 How to Comply with 201 CMR 17 ● Determine what are the risks to the security of personal information what you can do to protect it ● Create and implement a WISP

12 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 12 What should your WISP contain? ● Designating one of your employees as a data security coordinator to maintain the WISP ● Requiring employee training ● Imposing disciplinary measures on employees for violations of your WISP

13 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 13 What should your WISP contain? ● Limiting access to personal information to those employees who need access to it

14 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 14 WISP Requirements ● Preventing terminated employees from accessing personal information ● Storing records containing personal information in locked facilities, storage areas, or containers

15 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 15 WISP Requirements ● Regular monitoring of the WISP to ensure compliance ● Imposing reasonable restrictions on access to records containing personal information ● Annually reviewing your WISP ● Reporting any suspicious or unauthorized use of personal information to the data security coordinator

16 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 16 WISP Requirements ● Documenting responsive actions taken in connection with a breach of security, including mandatory post-incident review of events and actions taken

17 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 17 What this means for paper documents containing personal information ● Don’t leave documents with personal information on your desk if you’re not there ● Place personal information in locked cabinets at the end of the day

18 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 18 What this means for paper documents containing personal information ● If discarding paper documents containing personal information, you must shred them--M.G.L. ch. 93I requires that ● Limit access to personal information

19 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 19 Computer System Requirements ● If you electronically store or transmit personal information, to the extent “technically feasible”, defined as “if there is a reasonable means through technology to accomplish a desired result,” you must ensure that your computer system

20 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 20 Computer System Requirements has reasonably up-to-date firewall protection, malware, patches and virus protection requires unique user IDs plus passwords, which are not vendor supplied default passwords

21 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 21 Computer System Requirements blocks access after multiple unsuccessful attempts to log in

22 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 22 Encryption Encryption means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”

23 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 23 Encryption ● To the extent “technically feasible”, you must encrypt all transmitted records and files containing personal information that travel across a public network or are transmitted wirelessly all personal information stored on laptops or other portable devices--such as a blackberry

24 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 24 Third Party Service Providers ● If you give personal information to any of your service providers, you must take reasonable steps to select third party service providers capable of maintaining personal information in accordance with 201 CMR 17

25 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 25 Third Party Service Providers contractually require third party service providers to maintain personal information in accordance with 201 CMR 17 –for all new contracts –for contracts entered into before March 1, 2010, you have until March 1, 2012 to amend those contracts to require that third party service providers comply with 201 CMR 17

26 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 26 Penalties for failing to comply with 201 CMR 17 ● Massachusetts Attorney General may bring an action under M.G.L. ch. 93A §4 civil penalties of up to $5,000 per violation reasonable cost of investigation and litigation

27 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 27 Penalties for failing to comply with 201 CMR 17 ● Under M.G.L. ch. 93I--which regulates destruction of records containing personal information, you could be fined $100 per data subject affected, up to $50,000 ● Possible common law claims and private right of action under Chapter 93A

28 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 28 Breach Notification Requirements Under M.G.L. ch. 93H, if someone in your organization knows or has reason to know of the unauthorized use or acquisition of personal information or data that is capable of compromising the security of personal information, you are required to notify, “as soon as practicable, and without unreasonable delay”

29 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 29 Breach Notification Requirements the person affected the AG the OCABR

30 © Copyright 2010 Hemenway & Barnes LLP H&B 641682 30 Massachusetts OCABR Website - www.mass.gov/consumer Contains helpful information to prepare a WISP a small business guide to formulating a WISP FAQs about 201 CMR 17 201 CMR 17 Compliance Checklist the regulations themselves

Download ppt "© Copyright 2010 Hemenway & Barnes LLP H&B 641682 1."

Similar presentations

Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.

Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
Information Privacy and Compliance Training For All Brigham Young University– Idaho Employees.

Information Privacy and Compliance Training For All Brigham Young University– Idaho Employees.
SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009.

SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.

Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
An Act Relative to Security Freezes and Notification of Data Breaches Chapter 82 of the Acts of 2007 Massachusetts Digital Government Summit Securing Private.

An Act Relative to Security Freezes and Notification of Data Breaches Chapter 82 of the Acts of 2007 Massachusetts Digital Government Summit Securing Private.

Similar presentations

Ads by Google