presented for Massachusetts Bar Association at The Massachusetts Data Privacy Conference, Sheraton Springfield Monarch Place Hotel, Wednesday, January 27, 2010

presented by Jared D. Correia, Esq., Law Practice Management Advisor, Law Office Management Assistance Program, 31 Milk Street, Suite 815, Boston, MA 02109
Email: [email protected]
Phone: (857) 383-3252

The Massachusetts Data Protection Regime


Page 1: The Massachusetts Data Protection Regime


Page 2: The Massachusetts Data Protection Regime

The Massachusetts Data Privacy Regime

o Response to High-Profile Data Breach Cases
o Late 2007: Massachusetts Becomes 39th State to Enact Data Breach Law
o EFFECTIVE DATE: March 1, 2010

o Laws and Regulation Implicated
  o MGL c. 93H: Security Breaches
  o MGL c. 93I: Disposition and Destruction of Records
  o 201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth

o Further Guidance
  o Office of Consumer Affairs and Business Regulation website
    o under “For Businesses”
    o under “Identity Theft”

Page 3: The Massachusetts Data Protection Regime

ANY Business/Business Owner
INCLUDING Law Firms and Solo Attorneys

Person: “A Natural Person, Corporation, Association, Partnership or Other Legal Entity . . .” (MGL c. 93H, sec. 1)

INCLUDING Out-of-State Businesses
IF Those Businesses Keep Massachusetts Resident Information

Page 4: The Massachusetts Data Protection Regime

First Name/Last Name OR First Initial/Last Name
AND
Social Security Number
OR
Driver’s License/State-Issued Identification Card Number
OR
Financial Account Number

The Threshold Question: What Sort of Information Do You Keep?

Piecemeal Compliance versus Compliance In Toto

Page 5: The Massachusetts Data Protection Regime

Regulations to Safeguard the Personal Information of Residents of the Commonwealth, in order to:

o insure the security and confidentiality of customer information in a manner fully consistent with industry standards;

o protect against anticipated threats or hazards to the security or integrity of such information;

o protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to the consumer.

Page 6: The Massachusetts Data Protection Regime

o WISP (Written Information Security Program)
o Control Over Electronic Information
o Computer System Security Requirements
o Control Over Paper Files
o Totality of (Most of) the Circumstances
o Disposal

Page 7: The Massachusetts Data Protection Regime

Think: Your Handbook for Compliance
Write It Down, Get It Right

Sources:
o Check One: 201 CMR 17.03
o Check Two: Resources at the OCABR Website

Some Important Considerations:
o Employee to Maintain and Supervise WISP Performance
o Review WISP Annually AND When Material Change
o Duty to Oversee Third Party Service Providers

Page 8: The Massachusetts Data Protection Regime

o To be Established and Maintained “To the Extent Technically Feasible”, per 201 CMR 17.04:

  o Control Over Users/Control Over Passwords (17.04, 1)
  o Secure Access Control Measures (17.04, 2)
  o Encryption of Data (17.04, 3 and 5)
    o Travelling Wirelessly OR Stored on Portable Electronic Devices
  o Protection of Systems (17.04, 4 and 6 and 7)
    o Firewall
    o Security Patches
    o System Security Agent Software
  o Staff Education/Training (17.04, 8)
    o Proper Use of Computer Security
    o Importance of Personal Information Security

Page 9: The Massachusetts Data Protection Regime

The Threshold Question Is the Same: What Sort of Information Do You Keep?

Piecemeal Compliance versus Compliance In Toto

How To Comply

o Determine Reasonably Foreseeable Internal and External Risks to Files
o Store Paper Files in “Locked Facilities, Storage Areas or Containers”
o Restrict Access to Persons Who Must Access To Perform Job Functions
o Record Physical Safeguards in WISP

Whither Paper?

Page 10: The Massachusetts Data Protection Regime

Requirement of Reasonable Efforts to Comply

o Compliance Judged in Light of/WISP Contains Safeguards Appropriate to:
  o Size, Scope and Type of Service Provided
  o Amount of Resources Available
  o Amount of Stored Data
  o Need for Security and Confidentiality of Both Consumer and Employee Information

Page 11: The Massachusetts Data Protection Regime

This is Not JUST About How to Keep Data
This is ALSO About How to Get Rid of Data

Check MGL c. 93I for guidance

o Separate Standards for Disposal of (1) Electronic Media and (2) Paper Documents (MGL c. 93I, sec. 2)

o Options that Would Make Information UNREADABLE or UNRECONSTRUCTABLE

*Nota Bene
MGL c. 93I, sec. 1 ADDS a Fourth Category of Protected Information:

First Name/Last Name OR First Initial/Last Name
AND
a Biometric Indicator

Page 12: The Massachusetts Data Protection Regime

o Breach of Security

Unauthorized Acquisition/Use of

Unencrypted Data
OR
Encrypted Data PLUS Confidential Process or Key

THAT Creates a Substantial Risk of Identity Theft or Fraud

Page 13: The Massachusetts Data Protection Regime

o Notification of Breach
  o When (to Send)
  o (To) Whom
  o What (to Include)
  o What (Kind)

Page 14: The Massachusetts Data Protection Regime

WHEN (to Send)

Knowledge of Breach of Security
OR
Knowledge that Personal Information Acquired/Used by Unauthorized Person/for Unauthorized Purpose

“. . . as soon as practicable and without unreasonable delay . . .” (MGL c. 93H, sec. 3)

Page 15: The Massachusetts Data Protection Regime

(To) WHOM

Own/License:

o to Attorney General’s Office;
o to Director of OCABR;
o to Consumer Reporting Agencies Identified by OCABR; and,
o to Resident(s).

Page 16: The Massachusetts Data Protection Regime

WHAT (to Include)

In Notice to Government:

o Nature of Breach;
o Number of Residents Affected; and,
o Steps Taken/To Be Taken to Respond to Incident.

In Notice to Resident:

o Right to Obtain Police Report;
o Process for Requesting Security Freeze; and,
o Any Fees Required to be Paid to Consumer Reporting Agencies.

BUT, DO NOT INCLUDE:
o Nature of Breach; or,
o Number of Residents Affected.

Page 17: The Massachusetts Data Protection Regime

WHAT (Kind): Three Forms of Notice

o Written Notice;
o Electronic Notice (consistent with Sec. 7001 of Title 15 of the USCS, MGL c. 110G); or,
o Substitute Notice (IF cost of providing notice greater than $250,000 OR affected class greater than 500,000 OR insufficient contact information).

Page 18: The Massachusetts Data Protection Regime

Violation of MGL c. 93H

o Enforcement via MGL c. 93A
o $5,000 Fine per Violation
o What is a “Violation”?
  o A Breach? A Breached Record? An Individual Resident Affected?

Violation of MGL c. 93I

o Not More Than $100 per Resident Affected
o Not to Exceed $50,000 for Each Instance of Improper Disposal
o What is an “Instance”?
  o A Record? A Device? A Series of Disposals?

Page 19: The Massachusetts Data Protection Regime

Six Questions:
o What Information Do You Keep?
o Are You Careful About How You Keep/Send/Transport Data?
o Have You Created a WISP?
o Do You Limit Access to Your Data?
o Do You Oversee Your Employees and Third Party Providers?
o How Do You Dispose of Your Data?

Three Problems:
o Technology Regime Crafted by Lawyer-Legislators
o Lack of Specific Guidance
o Ad Hoc Decisionmaking

The REAL Question is: How Do You Comply, Technically (Feasible) Speaking?

Page 20: The Massachusetts Data Protection Regime

Contact LOMAP:
Massachusetts Law Office Management Assistance Program
31 Milk Street, Suite 815
Boston, MA 02109
Email: [email protected]
Phone: (888) 54-LOMAP

Follow LOMAP:
Rodney S. Dowell, Esq., Director
Jared D. Correia, Esq., Law Practice Management Advisor
Web: www.masslomap.org
Blog: http://masslomap.blogspot.com
Twitter: www.twitter.com/rodneydowell
Twitter: www.twitter.com/jaredcorreia