Embed Size (px)
DESCRIPTION
Citation preview
presented forMassachusetts Bar Associationat The Massachusetts DataPrivacy ConferencefromSheraton Springfield MonarchPlace HotelonWednesday, January 27, 2010
presented byJared D. Correia, Esq.Law Practice Management AdvisorLaw Office Management Assistance Program31 Milk StreetSuite 815Boston, MA 02109Email: [email protected]: (857) 383-3252
The Massachusetts Data Privacy Regime
o Response to High-Profile Data Breach Cases o Late 2007: Massachusetts Becomes 39th State to Enact Data Breach Lawo EFFECTIVE DATE: March 1, 2010
o Laws and Regulation Implicatedo MGL c. 93H: Security Breacheso MGL c. 93I: Disposition and Destruction of Recordso 201 CMR 17: Standards for the Protection of Personal
Information of Residents of the Commonwealth
o Further Guidanceo Office of Consumer Affairs and Business Regulation website
o under “For Businesses”o under “Identity Theft”
ANY Business/Business OwnerINCLUDING Law Firms and Solo Attorneys
Person: “A Natural Person, Corporation, Association, Partnershipor Other Legal Entity . . .” (MGL c. 93H, sec. 1)
INCLUDING Out-of-State BusinessesIF Those Businesses Keep Massachusetts Resident Information
First Name/Last Name OR First Initial/Last NameAND
Social Security NumberOR
Driver’s License/State-Issued Identification Card NumberOR
Financial Account Number
The Threshold Question:What Sort of Information Do You Keep?
Piecemeal Compliance versus Compliance In Toto
Regulations to Safeguard the Personal Information of Residents of the Commonwealth, in order to:
o insure the security and confidentiality of customer information in a manner fully consistent with industry standards;
o protect against anticipated threats or hazards to the security orintegrity of such information;
o protect against unauthorized access to or use of suchinformation that may result in substantial harm orinconvenience to the consumer.
o WISP (Written Information Security Program)o Control Over Electronic Informationo Computer System Security Requirementso Control Over Paper Fileso Totality of (Most of) the Circumstanceso Disposal
Think: Your Handbook for ComplianceWrite It Down, Get It Right
Sources:o Check One: 201 CMR 17.03o Check Two: Resources at the OCABR Website
Some Important Considerations:o Employee to Maintain and Supervise WISP Performanceo Review WISP Annually AND When Material Changeo Duty to Oversee Third Party Service Providers
o To be Established and Maintained “To the Extent Technically Feasible”, per 201 CMR 17.04:
o Control Over Users/Control Over Passwords (17.04, 1)o Secure Access Control Measures (17.04, 2)o Encryption of Data (17.04, 3 and 5)
o Travelling Wirelessly OR Stored on Portable Electronic Deviceso Protection of Systems (17.04, 4 and 6 and 7)
o Firewall o Security Patcheso System Security Agent Software
o Staff Education/Training (17.04, 8)o Proper Use of Computer Securityo Importance of Personal Information Security
The Threshold Question Is the Same:What Sort of Information Do You Keep?
Piecemeal Compliance versus Compliance In Toto
How To Comply
o Determine Reasonably Foreseeable Internal and External Risks to Fileso Store Paper Files in “Locked Facilities, Storage Areas or Containers”o Restrict Access to Persons Who Must Access To Perform Job Functions
o Record Physical Safeguards in WISP
Whither Paper?
Requirement of Reasonable Efforts to Comply
o Compliance Judged in Light of/WISP Contains Safeguards Appropriate to:o Size, Scope and Type of Service Providedo Amount of Resources Availableo Amount of Stored Datao Need for Security and Confidentiality of
Both Consumer and Employee Information
This is Not JUST About How to Keep DataThis is ALSO About How to Get Rid of Data
Check MGL c. 93I for guidance
o Separate Standards for Disposal of (1) Electronic Mediaand (2) Paper Documents (MGL c. 93I, sec. 2)
o Options that Would Make Information UNREADABLE or UNRECONSTRUCTABLE
*Nota BeneMGL c. 93I, sec. 1 ADDS a Fourth Category of Protected Information:
First Name/Last Name OR First Initial/Last NameAND
a Biometric Indicator
o Breach of Security
Unauthorized Acquisition/Use of
Unencrypted DataOR
Encrypted Data PLUS Confidential Process or Key
THATCreates a Substantial Risk of Identity Theft or Fraud
o Notification of Breach
o When (to Send)o (To) Whomo What (to Include)o What (Kind)
WHEN (to Send)
Knowledge of Breach of SecurityOR
Knowledge that Personal Information Acquired/Used by Unauthorized Person/for Unauthorized Purpose
“. . . as soon as practicable and without unreasonable delay . . .”(MGL c. 93H, sec. 3)
(To) WHOM
Own/License:
o to Attorney General’s Office;o to Director of OCABR;o to Consumer Reporting Agencies Identified by OCABR; and,o to Resident(s).
WHAT (to Include)
In Notice to Government:
o Nature of Breach;o Number of Residents Affected; and,o Steps Taken/To Be Taken to Respond to Incident.
In Notice to Resident:
o Right to Obtain Police Report;o Process for Requesting Security Freeze; and,o Any Fees Required to be Paid to Consumer Reporting Agencies.
BUT, DO NOT INCLUDE:o Nature of Breach; or,o Number of Residents Affected.
WHAT (Kind):Three Forms of Notice
o Written Notice;o Electronic Notice
(consistent with Sec. 7001 of Title 15 of the USCS, MGL c. 110G); or,
o Substitute Notice(IF cost of providing notice greater than $250,000OR affected class greater than 500,000 OR insufficient contact information).
Violation of MGL c. 93H
o Enforcement via MGL c. 93Ao $5,000 Fine per Violationo What is a “Violation”?
o A Breach? A Breached Record? An Individual Resident Affected?
Violation of MGL c. 93I
o Not More Than $100 per Resident Affectedo Not to Exceed $50,000 for Each Instance of Improper Disposalo What is an “Instance”?
o A Record? A Device? A Series of Disposals?
Six Questions:o What Information Do You Keep?o Are You Careful About How You Keep/Send/Transport Data?o Have You Created a WISP?o Do You Limit Access to Your Data?o Do You Oversee Your Employees and Third Party Providers?o How Do You Dispose of Your Data?
Three Problems:o Technology Regime Crafted by Lawyer-Legislatorso Lack of Specific Guidanceo Ad Hoc Decisionmaking
The REAL Question is:How Do You Comply, Technically (Feasible) Speaking?
Contact LOMAP:Massachusetts Law OfficeManagement Assistance Program31 Milk StreetSuite 815Boston, MA 02109Email: [email protected]: (888) 54-LOMAP
Follow LOMAP:Rodney S. Dowell, Esq.DirectorJared D. Correia, Esq.Law Practice Management AdvisorWeb: www.masslomap.orgBlog: http://masslomap.blogspot.comTwitter: www.twitter.com/rodneydowellTwitter: www.twitter.com/jaredcorreia
