The Massachusetts Data Privacy Rules
Stephen E. Meltzer, Esquire, CIPP, Michelle Drolet, CEO Towerwall & Gerry Young, Secretariat Chief Information Officer

The New Massachusetts Privacy Rules V4


Page 1: The New Massachusetts Privacy Rules V4

The Massachusetts Data Privacy Rules

Stephen E. Meltzer, Esquire, CIPP, Michelle Drolet, CEO Towerwall & Gerry Young, Secretariat Chief Information Officer

Page 2

The New Massachusetts Data Security Rules

Page 3

Page 4

New Mandate:

PI = PI

Personal Information = Privacy Infrastructure

Page 5

Page 6

Agenda

• Introduction
• Scope of Rules
• Comprehensive Written Information Security Program (cWISP)
• Computer System Security Requirements
• Breach Reporting Requirements
• What To Do Now
• Questions and Answers

Page 7

Summary

• Statute enacted in 2007
• Rules issued on September 19, 2008 (and subsequently amended)
• Effective date: March 1, 2010 (as of August 2009; originally scheduled to take effect January 1, 2009, then May 1, 2009, then January 1, 2010)

Page 8

Summary

Consequences for non-compliance:

AT LEAST:

Increased risk of government enforcement or private litigation

93H § 6 incorporates 93A, § 4

93A, § 4:
• $5,000 per occurrence
• Attorneys’ fees
• Cost of investigation/enforcement

AT WORST:

Enforcement PLUS bad PR, then compliance and oversight

Page 9

What Prompted the Rules?

High-profile data breach cases
Breach notification alone insufficient
Reflection of states’ interest in protecting personal information
Data in transit or on portable devices most at risk
Massachusetts is one of the first, but is likely not the last

Page 10

Looking Ahead

Massachusetts is one of the first, but is likely not the last

Federal Legislation:
HITECH (ARRA)
Red Flags
H.2221 (prospect of preemption)

Page 11

Scope of Rules

Page 12

Scope of Rules

• Covers ALL PERSONS that own or license personal information about a Massachusetts resident
• Need not have operations in Massachusetts
• Financial institutions, health care and other regulated entities not exempt

Page 13

Scope of Rules

“Personal information”: Resident’s first and last name or first initial and last name in combination with

• SSN
• Driver’s license or State ID, or
• Financial account number or credit/debit card number that would permit access to a financial account

Page 14

Scope of Rules

Page 15

Scope of Rules

Bernard Madoff Personal Financial Statement

Page 16

Scope of Rules

Page 17

Scope of Rules

• Examples:
Employee records
Payroll or 401(k) information
Donor records (with credit card)
Volunteer records (expense reimbursements)

Page 18

Three Requirements

1. Develop, implement and maintain a comprehensive, written information security program that meets very specific requirements (cWISP)
2. Heightened information security meeting specific computer information security requirements
3. Vendor Compliance (Phase-in)

Page 19

Evaluating Compliance (not Evaluating Applicability)

• Appropriate
– Size of business
– Scope of business
– Type of business
– Resources available
– Amount of data stored
– Need for security and confidentiality

• Consumer and employee information

Page 20

Evaluating Compliance (not Evaluating Applicability)

“The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”

Page 21

Enforcement

• Litigation and enforcement by the Massachusetts Attorney General
• Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers
• Attorney General likely to investigate based on breach reports
• No explicit private right of action or penalties

Page 22

Comprehensive Written Information Security Program

201 CMR 17.03

Page 23

Information Security Program

“[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”

Page 24

Comprehensive Information Security Program, 201 CMR 17.03 (2)(a) through (j)

a. Designate
b. Identify
c. Develop
d. Impose
e. Prevent
f. Oversee
g. Restrict
h. Monitor
i. Review
j. Document

Page 25

Comprehensive Information Security Program

(a) Designate an employee to maintain the WISP.

(b) Identify and assess reasonably foreseeable risks (Internal and external).

(c) Develop security policies for keeping, accessing and transporting records.

(d) Impose disciplinary measures for violations of the program.

(e) Prevent access by terminated employees.

(f) Oversee service providers and contractually ensure compliance.

(g) Restrict physical access to records.

(h) Monitor security practices to ensure effectiveness and make changes if warranted.

(i) Review the program at least annually.

(j) Document responsive actions to breaches.

Page 26

Comprehensive Information Security Program: Third Party Compliance

1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information

Page 27

Comprehensive Information Security Program: Third Party Compliance

Contracts entered “no later than” March 1, 2010: Two-year phase-in.

Contracts entered into “later than” March 1, 2010: Immediate compliance.

Page 28

Comprehensive Information Security Program

“INDUSTRY STANDARDS”

Page 29

Breach Reporting

G.L. c. 93H § 3

Page 30

Breach Reporting

Breach of security –

“the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”

Page 31

Breach Reporting

• Possessor must give notice of
– Breach of Security
– Unauthorized Use or Acquisition
• To Owner/Licensor of Information

• Owner/Licensor must give notice of
– Breach of Security
– Unauthorized Use or Acquisition
• To –
– Attorney General
– Office of Consumer Affairs
– Resident

Page 32

Breach Reporting

“The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:

(1) the nature of the breach of security or the unauthorized acquisition or use; (2) the number of Massachusetts residents affected by such incident at the time of notification; and (3) any steps the person or agency has taken or plans to take relating to the incident.”

Page 33

Sample Breach Notification Letter

• http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf

Page 34

Breach Reporting

• Stop
• Be afraid
• Call for help

Page 35

Computer System Security Requirements

201 CMR 17.04

Page 36

Electronic Requirements, 201 CMR 17.04

• Use authentication protocols
• Secure access controls
• Encryption of transmittable records
• Monitoring systems
• Laptop and mobile device encryption
• Security patches and firewalls
• System security agents
• IT security user awareness

Page 37

User Authentication Protocols

• Control of user IDs
• Secure password selection
• Secure or encrypted password files
• User accounts blocked for unusual logon attempts

Examples:

Passwords should be at least 9 characters, alphanumeric with special characters

After 3 attempts to log in, users are blocked access
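As an added example that is not part of the presentation, the following Python sketch enforces the authentication controls on this slide and the "who is accessing what and when" audit question on the next one: the 9-character alphanumeric-plus-special password rule, a salted hash instead of a clear-text password file, lockout after three failed attempts, and an audit trail of every attempt. The class name AuthGate and the event labels are assumptions, not anything the slides name.

```python
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 9           # slide: "at least 9 characters"
MAX_FAILED_ATTEMPTS = 3  # slide: "After 3 attempts to login users are blocked"


def password_meets_policy(password):
    """Secure password selection: at least 9 characters, letters and digits
    plus at least one special character, as the slide's example states."""
    if len(password) < MIN_LENGTH:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_letter and has_digit and has_special


def hash_password(password, salt=None):
    """'Secure or encrypted password files': keep only a salted PBKDF2 hash,
    never the clear-text password. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class AuthGate:
    """Hypothetical login gate (a constructed name, not a product on the slides)."""

    def __init__(self):
        self.accounts = {}   # user_id -> {"salt", "digest", "failed", "locked"}
        self.audit_log = []  # (timestamp, user_id, event): who, what, when

    def _audit(self, user_id, event):
        self.audit_log.append((time.time(), user_id, event))

    def register(self, user_id, password):
        """Control of user IDs: refuse to create an account with a weak password."""
        if not password_meets_policy(password):
            self._audit(user_id, "register-rejected-weak-password")
            return False
        salt, digest = hash_password(password)
        self.accounts[user_id] = {"salt": salt, "digest": digest, "failed": 0, "locked": False}
        self._audit(user_id, "registered")
        return True

    def login(self, user_id, password):
        """Block the account after MAX_FAILED_ATTEMPTS consecutive failures."""
        acct = self.accounts.get(user_id)
        if acct is None:
            self._audit(user_id, "login-unknown-user")
            return False
        if acct["locked"]:
            self._audit(user_id, "login-rejected-locked")
            return False
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failed"] = 0
            self._audit(user_id, "login-ok")
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            self._audit(user_id, "account-locked")
        else:
            self._audit(user_id, "login-failed")
        return False
```

The audit_log list is what a reviewer would export to answer the next slide's question; in a real deployment it would go to a write-protected log store rather than memory.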

Page 38

Secure Access Control Measures

• Permit “access” on a need-to-know basis
• Password-protect accounts and use the login to determine level of access

Example:

Network Access Control software/hardware: Consentry, Sophos

Audit controls: who is accessing what, and when?

Page 39

Encryption of Transmitted Records

• Encryption of personal information accessed over a public network
– Tunneling options (VPN)
– Faxes, VOIP, phone calls
• Encryption of PI on wireless
– Bluetooth, WEP, Wifi
• The encryption definition is very broad

Examples:

PGP and Utimaco are encryption technologies

Page 40

Monitoring of Systems

• Requires systems to detect unauthorized use of, or access to, personal information
• Some existing user-account-based systems will already comply

Examples:

Again, Network Access Control

Audit controls

Page 41

Laptop and Mobile Device Encryption

• Encryption of PI stored on laptops
– Applies regardless of laptop location
• Encryption of PI stored on “mobile” devices
– Does incoming email become a problem?

This applies only if you have personal information in motion.

Email is clear text, so anyone can read anyone’s email on the internet.

Page 42

Security Patches and Firewalls

• “Reasonably up-to-date firewall protection and operating systems patches” for Internet connected computers
• Date on operating systems

All organizations should have a firewall in place (not a router, a firewall)

Can hire an organization to update and manage the security infrastructure:

Firewall
Anti-virus
Patches…

Page 43

Systems Security Agent Software

• Anti-malware technology required
– Are certain products better?
– What about Macs or Linux?
• Set to receive auto-updates

Malware is what is infecting most environments, via HTTP and HTTPS traffic.

Your users are your worst enemy

Products to look at for malware:

TrendMicro
Websense
Webwasher

Page 44

Employee Education and IT Security Training

• Proper training on all IT security policies
• User awareness
– Importance of PI security
– Proper use of the computer
– Everyone is involved

Your employees are your weakest link in any IT security program.

They need to know the rules.

Suggestions:

Stand-up training
Newsletters
Programs
Online training

Page 45

The Approach

• Inventory the type of personal information being kept
– Assess risk
• Plan information security strategy
– Data
• Security, Confidentiality, Integrity
• IT infrastructure and information change processes
• Implement plan and policies
– Technology deployment
– Policy implementation
– User awareness
– Continual review

Security is all about vigilance…

Compliance is knowing what you need to protect, building a fortress around it and testing it on a frequent basis!

Page 46

Data Destruction

G.L. c. 93I

Page 47

Data Destruction (93I)

Paper documents / electronic media:

Redact, Burn, Pulverize, Shred

So that Personal Information cannot be read or reconstructed

Page 48

Data Destruction (93I)

– Violations:

• Attorney General: Unfair and Deceptive Practices remedies - 93H
• Civil Fine - $100/data subject not to exceed $50,000/instance – 93I

Page 49

What To Do Now

Page 50

Compliance Deadlines: March 1, 2010

• Implement internal policies and practices
• Encrypt company laptops
• Amend contracts with service providers to incorporate the data security requirements
• Take all reasonable steps to ensure vendors apply protections as stringent as these (written certification not necessary)
• Encrypt other (non-laptop) portable devices

Page 51

Tasks

Page 52

Tasks

• Form a team (“A” Team)
– Include necessary Management, IT, HR, Legal and Compliance personnel

• Review existing policies
– Do your current data security policies and procedures create barriers to compliance?

• Map data flows that include personal information
– Consider limiting collection of personal information and restrict access to those with a need to know

Page 53

Tasks

• Identify internal and external risks and effectiveness of current safeguards
• Draft comprehensive written information security program
• Negotiate amendments to vendor agreements and audit for vendor compliance
• Encrypt laptops, portable devices and data in transit

Page 54

Tasks

• Restrict access to personal information
• Train employees
• Institute monitoring and self-auditing procedures
• Update systems including firewall protection and malware and virus protection

Page 55

Action Plan

Sample WISP Please

Page 56

Action Plan

Compliance Engagement Plan

In-house IT/HR/Legal

Outsourced IT/HR/Legal

Combination

Page 57

Action Plan

• Meeting and Implementation Plan

Data Gathering:

1. Initial Meeting with Top Management
2. Engage IT firm or Department to audit security
3. Overview/assignment meeting with Implementation Staff and Consultants
4. Post assignment completion interviews with Implementation Staff and Consultants

Page 58

Action Plan

• Meeting and Implementation Plan

Data Analysis:

5. Information organization and assignment meeting with Implementation Staff and Consultants
6. ISP data-flow meeting with IS
7. WISP and Security review with IS

Page 59

Action Plan

• Meeting and Implementation Plan

Plan Implementation:

7. WISP and Security presentation to Top Management
8. WISP and Security presentation to RF
9. RF training in specific components
10. Employee handbook amendment
11. Vendor contract review and amendment

Page 60

Action Plan

• Meeting and Implementation Plan

Plan Monitoring and Review:

12. New employee training
13. Periodic RF training
14. Plan audit and review
15. Plan amendment and refinement

Page 61

Resources

• Statute (M.G.L. c. 93H)
• Rules (201 CMR 17.00)
• OCABR Guidance
– Compliance Checklist
– Small Business Guide
– Frequently Asked Questions Regarding 201 CMR 17.00
• Me
• Towerwall

Page 62

Good News

• Way ahead of the curve
• Enforcement initially in PS
• LRA of 2009

Page 63

Thank You