Analysis: Massachusetts Breach Law


This is an analysis of the Massachusetts data breach notification law

Transcript of Analysis: Massachusetts Breach Law

Page 1: Analysis: Massachusetts Breach Law

The Massachusetts Breach Law

A legal, policy, and technical analysis

(c) 2009 Alina J. Johnson

Page 2

Overview

• Rationale: the development of information law

• Public interests and other stakeholders

• Competing frameworks

• Information rights

• Ownership and Control

• Expectations in the digital age

• Rights, roles, and responsibilities

• Limited government interference

• Suggested approaches, amendments, revisions, and reform

Page 3

Rationale

• Historical significance: SB 1386 (CA)

• The evolution of cybercrime: impact and effects

• Current MA legislation: 201 CMR 17.00; M.G.L. c. 93H

• Move towards security

– Away from privacy: need for balance

Page 4

Identity theft, Data breach, and Information security

Two statutes

• Chapter 266: Crimes Against Property, Section 37E: Use of personal identification of another; identity fraud; penalty; restitution

• Chapter 82 of the Acts of 2007: An Act Relative to Security Freezes and Notification of Data Breaches

Two regulations

• 201 CMR 16.00: Placing, Lifting and Removal of Security Freezes

• 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth

Executive Order 504: Order Regarding the Security and Confidentiality of Personal Information

Computer incident laws of the Commonwealth of Massachusetts

Page 5

Public Interests and Other Stakeholders

• National/Federal law

• Statutory law

• Ordinances, rules, regulations, guidelines, and best practices in both private and public sector organizations

Roles and responsibilities: the role of “YOU” in InfoSec

Page 6

Competing Frameworks

Technical: Security is left to the IT department... until there is a problem

Legal: Compliance and enforcement is confusing as proliferation increases the number of players

Economic: Demand increases for accountability, oversight, and transparency while viable supply options wane

Social: Networking sites draft their own policies; no uniformity or guidelines to follow

Page 7

Information Rights

Currently, organizations follow the law... but then there is the third-party (affiliate)

The third-party typically plays the role of the “elephant in the room”: no one knows what to expect when an emergency occurs

Legally, there is no expectation of privacy with third-parties

Page 8

Ownership and Control

Information rights of the user should be defined

Information usage should be defined by the user, not the organization

Accountability, oversight, and transparency should be employed throughout

Privacy and security should be weighed carefully so that one does not imbalance the other

Page 9

Expectations

• Consumers – Any and all agreements (licenses or contracts) should reflect an awareness of information rights and usage to protect the consumer at all times, under any and all circumstances

• Organizations – Terms of use, terms of service, and end user license agreements should form a barrier protection against the risk of the third-party affiliate

Page 10

Rights, Roles, and Responsibilities

The three R's should be evenly distributed among the stakeholders with an emphasis on individual rights of the consumer and the right to control the flow of information in offline and online environments

Page 11

Rights, roles, and responsibilities

• Consumer: as owner of the information, the right of control must be protected

• Organization: as data steward, must be accountable, responsible, and compliant to the law. Holds accountability, responsibility, and obligation to the consumer as it has been entrusted with sensitive information; it must protect itself from harm by explicit written agreements that do no harm to the consumer

• Government: as public steward, it must protect the interests of both industry and consumer in the broadest means possible

Page 12

Limited government interference

• The government should not interfere with the rights of consumers or companies in developing appropriate best practices with respect to information rights and usage

• Voluntarily submitted information is especially sensitive so should incur special enhanced protections

Page 13

Suggestions

• Limitations of information usage should be imposed on terms of use, terms of service, and end user license agreements to protect the consumer

• Consumers should be granted enhanced rights to protect their personally identifiable information (PII), as well as voluntarily submitted information as there is an expectation of privacy and security in that submission

(c) 2009 – Alina J. Johnson

Page 14

Final Thoughts

• The “new” ROI:

– RESULTS

– OUTCOMES

– IMPACT

Page 15

Final Thought

The status quo is no longer acceptable in the digital age as consumers, organizations, and governments are more informed than ever before

(c) 2009 Alina J. Johnson, MSI