Analysis: Massachusetts Breach Law
The Massachusetts Breach Law
A legal, policy, and technical analysis
(c) 2009 Alina J. Johnson
Overview
• Rationale: the development of information law
• Public interests and other stakeholders
• Competing frameworks
• Information rights
• Ownership and control
• Expectations in the digital age
• Rights, roles, and responsibilities
• Limited government interference
• Suggested approaches, amendments, revisions, and reform
Rationale
• Historical significance: SB 1386 (CA)
• The evolution of cybercrime: impact and effects
• Current MA legislation: 201 CMR 17.00, promulgated under M.G.L. c. 93H
• Move towards security, away from privacy: need for balance
Identity theft, Data breach, and Information security
Two statutes
• Chapter 266 (Crimes Against Property), Section 37E: Use of personal identification of another; identity fraud; penalty; restitution
• Chapter 82 of the Acts of 2007: An Act Relative to Security Freezes and Notification of Data Breaches (the act that enacted M.G.L. c. 93H)
Two regulations
• 201 CMR 16.00: Placing, Lifting and Removal of Security Freezes
• 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
Executive Order 504: Order Regarding the Security and Confidentiality of Personal Information
Computer incident laws of the Commonwealth of Massachusetts
Public Interests and Other Stakeholders
• National/federal law
• Statutory law
• Ordinances, rules, regulations, guidelines, and best practices in both private and public sector organizations
Roles and responsibilities: the role of “YOU” in InfoSec
Competing Frameworks
Technical: Security is left to the IT department... until there is a problem
Legal: Compliance and enforcement is confusing as proliferation increases the number of players
Economic: Demand increases for accountability, oversight, and transparency while viable supply options wane
Social: Networking sites draft their own policies; no uniformity or guidelines to follow
Information Rights
Currently, organizations follow the law... but then there is the third party (affiliate)
The third party typically plays the role of the “elephant in the room”: no one knows what to expect from it when an emergency occurs
Legally, there is no expectation of privacy with third parties
Ownership and Control
Information rights of the user should be defined
Information usage should be defined by the user, not the organization
Accountability, oversight, and transparency should be employed throughout
Privacy and security should be weighed carefully so that one does not imbalance the other
Expectations
• Consumers: Any and all agreements (licenses or contracts) should reflect an awareness of information rights and usage to protect the consumer at all times, under any and all circumstances
• Organizations: Terms of use, terms of service, and end user license agreements should form a protective barrier against the risk posed by the third-party affiliate
Rights, Roles, and Responsibilities
The three R's should be evenly distributed among the stakeholders, with an emphasis on the individual rights of the consumer and the right to control the flow of information in offline and online environments
Rights, roles, and responsibilities
• Consumer: as owner of the information, the right of control must be protected
• Organization: as data steward, must be accountable, responsible, and compliant with the law. It holds accountability, responsibility, and obligation to the consumer because it has been entrusted with sensitive information; it must protect itself from harm through explicit written agreements that do no harm to the consumer
• Government: as public steward, it must protect the interests of both industry and consumer in the broadest means possible
Limited government interference
• The government should not interfere with the rights of consumers or companies in developing appropriate best practices with respect to information rights and usage
• Voluntarily submitted information is especially sensitive and so should receive special, enhanced protections
Suggestions
• Limitations of information usage should be imposed on terms of use, terms of service, and end user license agreements to protect the consumer
• Consumers should be granted enhanced rights to protect their personally identifiable information (PII), as well as voluntarily submitted information as there is an expectation of privacy and security in that submission
Final Thoughts
• The “new” ROI:
 – RESULTS
 – OUTCOMES
 – IMPACT
Final Thought
The status quo is no longer acceptable in the digital age, as consumers, organizations, and governments are more informed than ever before
(c) 2009 Alina J. Johnson, MSI