© Copyright 2010 Hemenway & Barnes LLP H&B 641682 1


Massachusetts Data Security Regulations

Teresa A. Belmonte, Esquire
Hemenway & Barnes LLP
60 State Street
Boston, MA 02109
(617) 227-7940

March 23, 2010


What Are They?

Regulations enacted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) pursuant to M.G.L. ch. 93H

Effective March 1, 2010


Overview of Requirements

Every “person” who “owns or licenses” “personal information” of a Massachusetts resident must have a comprehensive written information security program (WISP) to protect personal information

● Risk-based approach to what is required--not a one-size-fits-all requirement

● It depends on the size of your organization, financial resources available, and how much personal information your organization has


Personal Information

● A Massachusetts resident’s first name or first initial and last name together with one of the following:

• social security number, or

• driver’s license number or state-issued identification number, or

• financial account number, or credit or debit card number


“Person”

● Defined as a natural person or any private legal entity


“Owns or Licenses”

● Stores, receives, maintains or otherwise has access to personal information in connection with the provision of goods or services, or in connection with employment


If your organization has employees who are Massachusetts residents, you have personal information, and you must comply with these regulations


How to Comply with 201 CMR 17

● Determine

• what personal information you have and where it is located

• what form it is in--paper or electronic

• what are the risks to the security of personal information

• what you can do to protect it

● Create and implement a WISP
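The first step above, finding out what personal information you hold and where, is usually done with a discovery scan over files, mailboxes and database exports. The following is an added example, not part of the Hemenway & Barnes slides, that encodes the regulation's own definition of "personal information" (name or initial plus last name, combined with a Social Security number, driver's license or state ID number, or financial account, credit or debit card number) as a small classifier. The regular expressions, the Massachusetts license-number shape (one letter plus eight digits) and the sample records are constructed assumptions for illustration; a real scan would be tuned to the formats actually present in your data.

```python
"""Added example (not from the original slides): flag text records that meet the
201 CMR 17 definition of "personal information".  Patterns, the assumed
MA license-number format and the sample records are illustrative only."""
import re
from dataclasses import dataclass, field

# Social Security number in dashed form; area 000, 666 and 9xx are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumption: one letter followed by eight digits (a common MA license shape).
DL_RE = re.compile(r"\b[A-Z]\d{8}\b")
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# "First name or first initial and last name", e.g. "Jane Smith" or "J. Smith".
# Heuristic: any two capitalised tokens will match, so expect some false positives.
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s+[A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    has_name: bool = False
    identifiers: list = field(default_factory=list)

    @property
    def is_personal_information(self) -> bool:
        # The statute requires BOTH a name and at least one listed identifier.
        return self.has_name and bool(self.identifiers)


def classify(text: str) -> Finding:
    """Return which statutory identifiers appear in `text` and whether a name does."""
    f = Finding(has_name=bool(NAME_RE.search(text)))
    if SSN_RE.search(text):
        f.identifiers.append("ssn")
    if DL_RE.search(text):
        f.identifiers.append("drivers_license")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            f.identifiers.append("card")
            break
    return f


# Constructed sample records (not real people or accounts).
SAMPLE_RECORDS = [
    "Jane Smith, SSN 123-45-6789, hired 2009-04-01",
    "J. Smith paid with 4111 1111 1111 1111",
    "Invoice 4111 1111 1111 1112 (ref only)",      # fails Luhn: not a card number
    "Ticket number S12345678 issued at the counter",  # identifier but no name
]


def scan(records):
    """Return the indices of records that contain personal information."""
    return [i for i, r in enumerate(records) if classify(r).is_personal_information]


if __name__ == "__main__":
    for i in scan(SAMPLE_RECORDS):
        print(f"record {i}: {classify(SAMPLE_RECORDS[i]).identifiers}")
```

The last two sample records show the two ways a hit can be a false alarm: a digit run that is not a valid card number, and an identifier with no accompanying name. Both matter when deciding what actually falls under the WISP and what merely looks sensitive.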


What should your WISP contain?

● Designating one of your employees as a data security coordinator to maintain the WISP

● Requiring employee training

● Imposing disciplinary measures on employees for violations of your WISP


● Limiting access to personal information to those employees who need access to it


● Preventing terminated employees from accessing personal information

● Storing records containing personal information in locked facilities, storage areas, or containers


● Regular monitoring of the WISP to ensure compliance

● Imposing reasonable restrictions on access to records containing personal information

● Annually reviewing your WISP

● Reporting any suspicious or unauthorized use of personal information to the data security coordinator


● Documenting responsive actions taken in connection with a breach of security, including mandatory post-incident review of events and actions taken


What this means for paper documents containing personal information

● Don’t leave documents with personal information on your desk if you’re not there

● Place personal information in locked cabinets at the end of the day


● If discarding paper documents containing personal information, you must shred them--M.G.L. ch. 93I requires it

● Limit access to personal information


Computer System Requirements

● If you electronically store or transmit personal information, to the extent “technically feasible”, defined as “if there is a reasonable means through technology to accomplish a desired result,” you must ensure that your computer system:


• has reasonably up-to-date firewall protection, operating system security patches, and malware and virus protection

• requires unique user IDs plus passwords, which are not vendor supplied default passwords


• blocks access after multiple unsuccessful attempts to log in
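The last two system requirements, unique user IDs with passwords and a block after repeated failed logins, are commonly met by the platform's own account policy. Where an application handles its own logins, the lockout has to be built. The following is an added example, not from the slides or from any Massachusetts guidance, of a lockout that counts failures within a sliding window and refuses further attempts for a fixed period. The threshold (5 failures), the 15-minute window, the 30-minute lockout and the in-memory store are assumptions chosen for illustration; the regulation only says "multiple unsuccessful attempts" and leaves the numbers to your risk assessment.

```python
"""Added example (not from the original slides): block a login after repeated
failures.  The numbers below are assumptions, not values from 201 CMR 17."""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # assumption: lock after 5 failures ...
WINDOW_SECONDS = 15 * 60    # assumption: ... that occur within 15 minutes
LOCKOUT_SECONDS = 30 * 60   # assumption: refuse logins for 30 minutes


class LoginGuard:
    """Tracks failed logins per user ID and enforces a temporary lockout.

    Takes an injectable clock so the behaviour can be tested without sleeping.
    State is in memory for the example; a deployment would persist it so a
    restart cannot clear a lockout.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # user -> timestamps of failures
        self._locked_until = {}               # user -> time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:            # lock expired: start clean
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> None:
        now = self._clock()
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            q.clear()

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(guard: LoginGuard, user: str, password_ok: bool) -> str:
    """Return 'locked', 'ok' or 'denied'.

    The lock is checked before the password result is consulted, so a locked
    account answers identically to right and wrong passwords and cannot be
    probed during the lockout.
    """
    if guard.is_locked(user):
        return "locked"
    if password_ok:
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "denied"


class FakeClock:
    """Manually advanced clock for the simulation and tests."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def simulate() -> list:
    """Five wrong passwords, then a correct one while locked, then one after expiry."""
    clock = FakeClock()
    guard = LoginGuard(clock)
    results = [attempt_login(guard, "alice", False) for _ in range(MAX_FAILURES)]
    results.append(attempt_login(guard, "alice", True))   # correct, but locked
    clock.t += LOCKOUT_SECONDS
    results.append(attempt_login(guard, "alice", True))   # lock expired
    return results


if __name__ == "__main__":
    print(simulate())
```

Two details worth keeping when adapting this: a success clears the failure count, so an occasional typo never accumulates into a lock, and failures older than the window are discarded, so the threshold measures a burst rather than a lifetime total. Also consider keying the counter by source address as well as user ID, since a lockout keyed only on the user lets an attacker lock legitimate users out on purpose.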


Encryption

Encryption means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”


● To the extent “technically feasible”, you must encrypt

• all transmitted records and files containing personal information that travel across a public network or are transmitted wirelessly

• all personal information stored on laptops or other portable devices--such as a BlackBerry


Third Party Service Providers

● If you give personal information to any of your service providers, you must

• take reasonable steps to select third party service providers capable of maintaining personal information in accordance with 201 CMR 17


• contractually require third party service providers to maintain personal information in accordance with 201 CMR 17

– for all new contracts

– for contracts entered into before March 1, 2010, you have until March 1, 2012 to amend those contracts to require that third party service providers comply with 201 CMR 17


Penalties for failing to comply with 201 CMR 17

● Massachusetts Attorney General may bring an action under M.G.L. ch. 93A §4

• civil penalties of up to $5,000 per violation

• reasonable cost of investigation and litigation


● Under M.G.L. ch. 93I, which regulates destruction of records containing personal information, you could be fined $100 per data subject affected, up to $50,000

● Possible common law claims and private right of action under Chapter 93A


Breach Notification Requirements

Under M.G.L. ch. 93H, if someone in your organization knows or has reason to know of the unauthorized use or acquisition of personal information or data that is capable of compromising the security of personal information, you are required to notify, “as soon as practicable, and without unreasonable delay”


• the person affected

• the AG

• the OCABR


Massachusetts OCABR Website -

www.mass.gov/consumer

Contains helpful information to prepare a WISP

• a small business guide to formulating a WISP

• FAQs about 201 CMR 17

• 201 CMR 17 Compliance Checklist

• the regulations themselves