The New Standard - Massachusetts Sweeping New Data Protection Rules March 2010
Transcript of The New Standard - Massachusetts Sweeping New Data Protection Rules March 2010
8/14/2019 The New Standard - Massachusetts Sweeping New Data Protection Rules March 2010
http://slidepdf.com/reader/full/the-new-standard-massachusetts-sweeping-new-data-protection-rules-march-2010 1/44
Effective October 2007
Notification in event of data breach
Consistent with other states’ laws
Reactive
Issued October 2008
Plan to secure and protect residents’ personal information
Broader than anything else in the country
Proactive
If regs apply:
must protect Personal Information
must have a written information security plan (WISP) detailing policies and procedures
must have designee(s) responsible for protecting Personal Information
Prior drafts accused of taking a one-size-fits-all approach
Computer security requirements must be “technically feasible”
Several factors now go to compliance, not enforcement
Several factors now go to compliance, not enforcement:
size, scope and type of business
resources available
amount of stored data
need for confidentiality and security
Governor Patrick’s executive order mandating measures to protect PI
application to "all state agencies in the Executive Department"
including "executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus and offices"
Massachusetts residents’ name +
Social Security number
Driver’s license or State ID number
Credit card or debit card number
Financial account number
Essentially all Massachusetts businesses
Many retailers who accept credit cards
Third-party service providers nationwide that touch Massachusetts residents’ personal data
Many, many more...
3-person law firm in Massachusetts that only represents companies:
Has employees’ personal information.
No strict de minimis threshold, but amount of data is relevant
If payroll is processed by outside provider, it must also comply.
Large multi-national corporation. Tens of thousands of employees and petabytes of data in dozens of locations. Mountains of archives and backups off-site.
Even Personal Information stored on backup tapes is technically PI, and new backups must be encrypted and old backups encrypted if transferred.
Small business in New Hampshire:
If it accepts credit cards, it may well obtain Personal Information of Massachusetts residents.
No actual notice requirement.
But swiped, unstored data is apparently outside the regs
Medium-sized North Carolina company that provides corporate data storage services, but has no Massachusetts customers:
Absent contractual safeguards, customers’ stored data may contain Massachusetts Personal Information.
No actual notice requirement.
1. Develop a comprehensive, written information security plan
2. Designate someone to be in charge of it
3. Implement, maintain and monitor it
(201 CMR 17.03)
Requirements for protecting all Personal Information, in whatever form
(201 CMR 17.04)
Requirements that apply to electronic Personal Information records
Risk assessment
Off-premises access
Disciplinary measures
Terminated employees
3rd-party service providers
Physical access
WISP monitoring
WISP reviews
Post-hoc incident review
Security Confidentiality Integrity
Internal Risks
External Risks
Develop policies “relating to the storage, access and transportation of records containing personal information outside of business premises.”
Telecommuting
Use of messenger and delivery services
Ability to maintain files at home
State wants to know that WISP is taken seriously.
Discipline must be imposed for breach.
Flexibility can be preserved.
Access to Personal Information prohibited for terminated employees.
Network accounts
Physical access
Select 3rd-party providers “capable of maintaining appropriate security measures” consistent with Mass and federal regs
Contractually require compliance
1. In all contracts executed after effective date (March 1, 2010)
2. In all contracts, after March 1, 2012
Changed yet again
No more requirement of data inventory
No more limitation on duration or amount of collection to that “reasonably necessary”
Physically restrict access to Personal Information
Personal Information must be kept in locked facilities or containers
WISP must provide for ongoing monitoring of plan effectiveness
At least annual review of WISP to accommodate new and unanticipated risks
After a “breach of security”:
subsequent review of response and necessary changes to prevent recurrence
documentation of event and response
User authentication protocols
Secure access control measures
Encryption of transmitted records
Monitoring of systems
Laptop and mobile device encryption
Security patches and firewalls
System security agent software
Employee education and training
Control use of user IDs
Secure password selection
Secure or encrypt password files
User accounts
Blocks for unsuccessful login attempts
Permit access to records on “need to know” basis
Password-protected account logins to determine level of access
Encryption of PI across the Internet
Faxes and VOIP phone calls?
Encryption of PI over wireless
Bluetooth, WEP, WPA?
Encryption definition is broad
Encryption of PI stored on laptops
Applies regardless of laptop location or use
Encryption of PI stored on “mobile devices”
Encryption may not be “feasible”
How is incoming email treated?
Requires system to detect unauthorized use of, or access to, Personal Information
Some existing user account-based systems will already comply
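The authentication, access-control and monitoring requirements on the preceding slides (user IDs and passwords, secured password files, blocks for unsuccessful login attempts, need-to-know access, detection of unauthorized access), as an added example that is not part of the original presentation: a small Python model of a Personal Information store that keeps only salted PBKDF2 hashes in its password file, locks an account after a fixed number of failed logins, checks need-to-know on every record read, and writes an audit log from which denied accesses and lockouts can be pulled for review. The lockout threshold, iteration count, user names and record contents are constructed for this example; the regulation itself fixes no particular numbers.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed policy values for this example (201 CMR 17.04 sets none).
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    allowed_records: set = field(default_factory=set)  # need-to-know set
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the stored password file never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PIStore:
    def __init__(self):
        self.users: dict = {}
        self.records: dict = {}
        self.audit_log: list = []

    def add_user(self, username: str, password: str, allowed_records) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, hash_password(password, salt),
                                    set(allowed_records))

    def _log(self, event: str, username: str, record_id=None, outcome: str = "ok"):
        self.audit_log.append({"ts": time.time(), "event": event, "user": username,
                               "record": record_id, "outcome": outcome})

    def authenticate(self, username: str, password: str) -> bool:
        """Password check with lockout after MAX_FAILED_ATTEMPTS consecutive failures."""
        user = self.users.get(username)
        if user is None:
            # Do the same work for unknown users so timing does not reveal valid IDs.
            hash_password(password, b"\x00" * 16)
            self._log("login", username, outcome="unknown_user")
            return False
        if user.locked:
            self._log("login", username, outcome="locked")
            return False
        if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            user.failed_attempts = 0
            self._log("login", username)
            return True
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True
            self._log("lockout", username, outcome="locked")
        else:
            self._log("login", username, outcome="bad_password")
        return False

    def read_record(self, username: str, record_id: str):
        """Need-to-know check: only records listed for the user are returned."""
        user = self.users.get(username)
        if user is None or record_id not in user.allowed_records:
            self._log("read", username, record_id, "denied")
            return None
        self._log("read", username, record_id)
        return self.records.get(record_id)

    def suspicious_events(self) -> list:
        """Monitoring hook: denied reads and lockouts that a reviewer should examine."""
        return [e for e in self.audit_log if e["outcome"] in ("denied", "locked")]


def build_demo() -> PIStore:
    """Constructed sample data: two staff accounts and two PI records."""
    store = PIStore()
    store.records["rec-1"] = {"name": "Example Resident A", "ssn": "000-00-0001"}
    store.records["rec-2"] = {"name": "Example Resident B", "ssn": "000-00-0002"}
    store.add_user("alice", "alice-demo-password", {"rec-1"})
    store.add_user("bob", "bob-demo-password", {"rec-2"})
    return store


if __name__ == "__main__":
    s = build_demo()
    s.authenticate("alice", "alice-demo-password")
    s.read_record("alice", "rec-2")                 # denied: not need-to-know
    for _ in range(MAX_FAILED_ATTEMPTS):
        s.authenticate("bob", "guess")              # triggers lockout
    for e in s.suspicious_events():
        print(e["event"], e["user"], e["record"], e["outcome"])
```

The design point is that each of the slide's bullets maps to something observable: the password file (salt plus hash) can be inspected, the lockout counter is per account, the need-to-know set is explicit data rather than an assumption, and the audit log is the thing a "monitoring of systems" review actually reads.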
“Reasonably up-to-date firewall protection and operating system security patches” for Internet-connected computers
Legacy systems?
Dated OSs?
Requires use of anti-malware software
Macs and Linux boxes?
Are certain products “better” from a compliance standpoint?
“Set to receive…updates on a regular basis.”
Proper use of computer systems
Importance of Personal Information security
What about employees without access to PI?
AG’s office enforces Chapter 93H and 201 CMR 17.00
No private right of action
But regs may become de facto standard in civil suits.
Agencies not all the same
OCABR promulgates the regs
AG’s office enforces them
In the event of breach:
Governmental risk
Contractual risk
Insurance coverage at risk
Originally, Jan 1, 2009
Then, pushed to May 1, 2009
Then, deadline became Jan 1, 2010
Now, effective as of March 1, 2010
Audit and assess
Inventory type of PI kept
Review 3rd-party contracts
Assess risks
Plan information and data strategy
IT infrastructure and information process changes
Implement plan and policies
Contract changes, employee policies, etc.
40 Broad Street
Boston, MA 02109
(617) 350-6800
gesmer.com
Boston (Somerville), MA • Bedford, NH •
Manchester, NH • Marlborough, MA •
Rockland, MA • Waltham, MA
(888) 583-9200
colospace.com