The New Standard - Massachusetts Sweeping New Data Protection Rules March 2010

Transcript of The New Standard - Massachusetts Sweeping New Data Protection Rules March 2010

8/14/2019 The New Standard - Massachusetts Sweeping New Data Protection Rules March 2010

http://slidepdf.com/reader/full/the-new-standard-massachusetts-sweeping-new-data-protection-rules-march-2010 1/44

Chapter 93H (the breach notification law):
Effective October 2007
Notification in event of data breach
Consistent with other states’ laws
Reactive

201 CMR 17.00 (the regulations):
Issued October 2008
Plan to secure and protect residents’ personal information
Broader than anything else in the country
Proactive

If regs apply:
must protect Personal Information
must have a written information security plan (WISP) detailing policies and procedures
must have designee(s) responsible for protecting Personal Information

Prior drafts accused of taking a one-size-fits-all approach
Computer security requirements must be “technically feasible”
Several factors now go to compliance, not enforcement

Several factors now go to compliance, not enforcement:
size, scope and type of business
resources available
amount of stored data
need for confidentiality and security

Governor Patrick’s executive order mandating measures to protect PI
Applies to "all state agencies in the Executive Department"
including "executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus and offices"

Personal Information = a Massachusetts resident’s first name and last name (or first initial and last name) in combination with any one or more of:
Social Security number
Driver’s license or State ID number
Credit card or debit card number
Financial account number
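The definition above is the test a PI inventory has to apply to stored data (the "Inventory type of PI kept" step in the closing action plan). What follows is an added example, not code from the presentation or the presenters: a small Python scanner that applies the name-plus-identifier rule to records, confirms card-number candidates with a Luhn check so that ordinary long numbers are not counted, and separates records that are PI from records that hold an identifier without a name. The record layout, the identifier syntaxes and the sample records are assumptions made for the example; the regulation names the data elements but not their formats.

```python
"""PI inventory scanner: applies the 201 CMR 17.02 definition of Personal
Information to stored records.

Added example for this transcript, not code from the presenters. The record
layout (a dict with a "name" field plus free-text fields), the identifier
syntaxes below and the sample records are all assumptions made for the
example; the regulation names the data elements but not their formats."""
import re
from typing import Dict, List

# Identifier heuristics (assumed formats). Card numbers are confirmed with a
# Luhn check so that ordinary 13-19 digit numbers are not counted as PANs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
LICENSE_RE = re.compile(r"\b(?:DL|license|lic)[:#\s]*([A-Z]?\d{7,9})\b", re.I)
ACCOUNT_RE = re.compile(r"\b(?:acct|account)[:#\s]*(\d{8,17})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_resident_name(name: str) -> bool:
    """17.02: first name and last name, or first initial and last name."""
    parts = name.split()
    return len(parts) >= 2 and parts[-1].isalpha()


def find_identifiers(text: str) -> List[str]:
    """Return the classes of regulated identifiers present in the text."""
    found: List[str] = []
    if SSN_RE.search(text):
        found.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("card")
            break
    if LICENSE_RE.search(text):
        found.append("license_or_state_id")
    if ACCOUNT_RE.search(text):
        found.append("financial_account")
    return found


def classify(record: Dict[str, str]) -> Dict[str, object]:
    """A record is PI only when a resident's name is combined with at least
    one identifier. Identifiers stored without a name are flagged separately:
    they become PI as soon as another table joins a name to them. The
    regulation's exclusion for information lawfully obtained from public
    sources cannot be decided from content alone and is not modelled here."""
    text = " ".join(v for v in record.values() if isinstance(v, str))
    ids = find_identifiers(text)
    named = has_resident_name(record.get("name", ""))
    return {
        "name": record.get("name", ""),
        "identifiers": ids,
        "is_pi": named and bool(ids),
        "orphan_identifiers": bool(ids) and not named,
    }


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [classify(r) for r in records]


def inventory(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count PI records per identifier class: the figure the WISP risk
    assessment and the "amount of stored data" factor turn on."""
    counts: Dict[str, int] = {}
    for r in scan_records(records):
        if r["is_pi"]:
            for kind in r["identifiers"]:
                counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample records: no real people; 4111 1111 1111 1111 is the
# well-known card test number, the other values are made up.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "notes": "SSN 123-45-6789 on file for payroll"},
    {"name": "J. Smith", "notes": "card 4111 1111 1111 1111 exp 12/27"},
    {"name": "", "notes": "card 4111 1111 1111 1111, customer unknown"},
    {"name": "Bob Lee", "notes": "order 1234567890123 shipped"},
    {"name": "Ann Ng", "notes": "MA license S12345678; acct 000123456789"},
]

if __name__ == "__main__":
    for row in scan_records(SAMPLE_RECORDS):
        print(row)
    print(inventory(SAMPLE_RECORDS))
```

Run against the sample, the third record (a card number with no name attached) is reported as an orphan identifier rather than PI, and the fourth (a 13-digit order number that fails Luhn) is not reported at all; the point of the Luhn step is to keep an inventory from overstating the card data held, which feeds directly into the "amount of stored data" factor.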

Who must comply:
Essentially all Massachusetts businesses
Many retailers who accept credit cards
Third-party service providers nationwide that touch Massachusetts residents’ personal data
Many, many more...

Example: 3-person law firm in Massachusetts that only represents companies:
Has employees’ personal information.
No strict de minimis threshold, but amount of data is relevant.
If payroll is processed by an outside provider, it must also comply.

Example: large multinational corporation. Tens of thousands of employees and petabytes of data in dozens of locations. Mountains of archives and backups off-site.
Even Personal Information stored on backup tapes is technically PI; new backups must be encrypted, and old backups encrypted if transferred.

Example: small business in New Hampshire:
If it accepts credit cards, it may well obtain Personal Information of Massachusetts residents.
No actual-notice requirement: the regs apply whether or not the business knows it holds Massachusetts residents’ data.
But swiped, unstored data is apparently outside the regs.

Example: medium-sized North Carolina company that provides corporate data storage services, but has no Massachusetts customers:
Absent contractual safeguards, customers’ stored data may contain Massachusetts Personal Information.
No actual-notice requirement.

1. Develop a comprehensive, written information security plan
2. Designate someone to be in charge of it
3. Implement, maintain and monitor it

201 CMR 17.03: requirements for protecting all Personal Information, in whatever form
201 CMR 17.04: requirements that apply to electronic Personal Information records

WISP elements (201 CMR 17.03):
Risk assessment
Off-premises access
Disciplinary measures
Terminated employees
3rd-party service providers
Physical access
WISP monitoring
WISP reviews
Post-hoc incident review

Risk assessment: identify internal risks and external risks to the security, confidentiality and integrity of Personal Information

Off-premises access: develop policies “relating to the storage, access and transportation of records containing personal information outside of business premises.”
Telecommuting
Use of messenger and delivery services
Ability to maintain files at home

Disciplinary measures: State wants to know that the WISP is taken seriously.
Discipline must be imposed for violations of the WISP.
Flexibility can be preserved.

Terminated employees: access to Personal Information prohibited, including
Email
Network accounts
Physical access

3rd-party service providers: select providers “capable of maintaining appropriate security measures” consistent with Massachusetts and federal regs
Contractually require compliance:
1. In all contracts executed after the effective date (March 1, 2010)
2. In all contracts, after March 1, 2012
Changed yet again

Dropped from earlier drafts:
No more requirement of a data inventory
No more limitation on duration or amount of collection to that “reasonably necessary”

Physical access: physically restrict access to Personal Information
Personal Information must be kept in locked facilities or containers

WISP must provide for ongoing monitoring of plan effectiveness
At least annual review of the WISP to accommodate new and unanticipated risks

After a “breach of security”:
subsequent review of response and necessary changes to prevent recurrence
documentation of event and response

Computer system security requirements (201 CMR 17.04):
User authentication protocols
Secure access control measures
Encryption of transmitted records
Monitoring of systems
Laptop and mobile device encryption
Security patches and firewalls
System security agent software
Employee education and training

User authentication protocols:
Control use of user IDs
Secure password selection
Secure or encrypt password files
Restrict access to active users and active user accounts only
Blocks for unsuccessful login attempts

Secure access control measures:
Permit access to records on a “need to know” basis
Password-protected account logins to determine level of access

Encryption of transmitted records:
Encryption of PI across the Internet
Faxes and VOIP phone calls?
Encryption of PI over wireless
Bluetooth, WEP, WPA? (WEP meets the definition in form only; its keys can be recovered in minutes, so it should not be relied on)
Encryption definition is broad

Laptop and mobile device encryption:
Encryption of PI stored on laptops
Applies regardless of laptop location or use
Encryption of PI stored on “mobile devices”
Encryption may not be “feasible” (the requirement applies “to the extent technically feasible”)
How is incoming email treated?

Monitoring of systems: requires a system to detect unauthorized use of, or access to, Personal Information
Some existing user account-based systems will already comply
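The authentication, access-control and monitoring items above are the 17.04 controls that most directly translate into code. The following is an added example, not code from the presentation or the presenters: a Python monitor that replays a constructed authentication log, blocks an account after repeated failed logins inside a sliding window, raises an alert if a blocked account nevertheless authenticates (which means the lock is not enforced where it should be), and flags reads of Personal Information by accounts whose role has no need to know. The log format, the role table, the thresholds and the sample events are assumptions made for the example; the regulation sets no numeric lockout threshold.

```python
"""Auth-event monitor for two of the 201 CMR 17.04 controls: blocking an
account after repeated failed logins, and detecting reads of Personal
Information by accounts with no need to know.

Added example for this transcript, not code from the presenters. The log
format, role table, thresholds and sample events are assumptions made for
the example; the regulation sets no numeric lockout threshold."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_FAILURES = 5                 # assumed policy values
WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)

# Need-to-know table (assumed): record classes each role may read.
ROLE_ACCESS: Dict[str, set] = {
    "payroll": {"employee_ssn", "employee_bank"},
    "sales": {"customer_card"},
    "helpdesk": set(),
}
USER_ROLES = {"alice": "payroll", "bob": "sales", "carol": "helpdesk"}

Alert = Tuple[datetime, str, str, str]   # (time, kind, user, detail)


class AuthMonitor:
    def __init__(self) -> None:
        self.failures: Dict[str, List[datetime]] = defaultdict(list)
        self.locked_until: Dict[str, datetime] = {}
        self.alerts: List[Alert] = []

    def is_locked(self, ts: datetime, user: str) -> bool:
        return user in self.locked_until and ts < self.locked_until[user]

    def _login_failed(self, ts: datetime, user: str, src: str) -> None:
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[user] if ts - t <= WINDOW]
        recent.append(ts)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            self.failures[user] = []
            self.alerts.append((ts, "LOCKOUT", user, f"{len(recent)} failures from {src}"))

    def _login_ok(self, ts: datetime, user: str, src: str) -> None:
        if self.is_locked(ts, user):
            # Success while locked means the lock is not enforced where
            # authentication happens: raise it, do not silently clear it.
            self.alerts.append((ts, "LOGIN_WHILE_LOCKED", user, src))
        else:
            self.failures[user] = []

    def _read(self, ts: datetime, user: str, record: str) -> None:
        rec_class = record.split(":", 1)[0]
        allowed = ROLE_ACCESS.get(USER_ROLES.get(user, ""), set())
        if rec_class not in allowed:
            self.alerts.append((ts, "NEED_TO_KNOW_VIOLATION", user, record))

    def process(self, line: str) -> None:
        ts_text, event, *pairs = line.split()
        ts = datetime.fromisoformat(ts_text)
        f = dict(p.split("=", 1) for p in pairs)
        if event == "LOGIN_FAIL":
            self._login_failed(ts, f["user"], f["src"])
        elif event == "LOGIN_OK":
            self._login_ok(ts, f["user"], f["src"])
        elif event == "READ":
            self._read(ts, f["user"], f["record"])


def run(log_text: str) -> AuthMonitor:
    mon = AuthMonitor()
    for line in log_text.strip().splitlines():
        if line.strip():
            mon.process(line)
    return mon


# Constructed sample log: bob is brute-forced and then logs in while locked,
# alice reads payroll PI she is entitled to, carol (helpdesk) reads an SSN
# record, and alice's two failures fall outside one window (no lockout).
SAMPLE_LOG = """
2010-03-01T09:00:01 LOGIN_FAIL user=bob src=203.0.113.7
2010-03-01T09:00:04 LOGIN_FAIL user=bob src=203.0.113.7
2010-03-01T09:00:07 LOGIN_FAIL user=bob src=203.0.113.7
2010-03-01T09:00:10 LOGIN_FAIL user=bob src=203.0.113.7
2010-03-01T09:00:13 LOGIN_FAIL user=bob src=203.0.113.7
2010-03-01T09:01:00 LOGIN_OK user=bob src=203.0.113.7
2010-03-01T09:05:00 LOGIN_OK user=alice src=10.0.0.12
2010-03-01T09:05:30 READ user=alice record=employee_ssn:4471
2010-03-01T09:06:00 LOGIN_OK user=carol src=10.0.0.20
2010-03-01T09:06:15 READ user=carol record=employee_ssn:4471
2010-03-01T10:00:00 LOGIN_FAIL user=alice src=10.0.0.12
2010-03-01T10:20:00 LOGIN_FAIL user=alice src=10.0.0.12
"""

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG).alerts:
        print(alert)
```

Two design points matter for the "monitoring" item: the lockout decision and the alert are separate, so a lock that is bypassed (the LOGIN_OK for bob at 09:01) still surfaces as an event rather than being quietly reset; and need-to-know is checked on every read against a role table, which is what turns a plain account-based system into one that "detects unauthorized use of, or access to" PI.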

Security patches and firewalls: “Reasonably up-to-date firewall protection and operating system security patches” for Internet-connected computers
Legacy systems?
Dated OSs?

System security agent software: requires use of anti-malware software
Macs and Linux boxes?
Are certain products “better” from a compliance standpoint?
“Set to receive…updates on a regular basis.”

Employee education and training:
Proper use of computer systems
Importance of Personal Information security
What about employees without access to PI?

Enforcement: AG’s office enforces Chapter 93H and 201 CMR 17.00
No private right of action
But regs may become the de facto standard in civil suits.

Agencies not all the same:
OCABR (Office of Consumer Affairs and Business Regulation) promulgates the regs
AG’s office enforces them

In the event of breach:
Governmental risk
Contractual risk
Insurance coverage at risk

Effective date:
Originally, Jan 1, 2009
Then, pushed to May 1, 2009
Then, deadline became Jan 1, 2010
Now, effective as of March 1, 2010

Next steps:
Audit and assess
  Inventory type of PI kept
  Review 3rd-party contracts
  Assess risks
Plan information and data strategy
  IT infrastructure and information process changes
Implement plan and policies
  Contract changes, employee policies, etc.

40 Broad Street
Boston, MA 02109
(617) 350-6800
gesmer.com
[email protected]

Boston (Somerville), MA • Bedford, NH • Manchester, NH • Marlborough, MA • Rockland, MA • Waltham, MA
(888) 583-9200
colospace.com