The Massachusetts Data Privacy Rules
Stephen E. Meltzer, Esquire, CIPP; Michelle Drolet, CEO Towerwall; and Gerry Young, Secretariat Chief Information Officer
The New Massachusetts Data Security Rules
New Mandate:
PI = PI
Personal Information = Privacy Infrastructure
Agenda
• Introduction
• Scope of Rules
• Comprehensive Written Information Security Program (cWISP)
• Computer System Security Requirements
• Breach Reporting Requirements
• What To Do Now
• Questions and Answers
Summary
• Statute enacted in 2007
• Rules issued on September 19, 2008 (and subsequently amended)
• Effective March 1, 2010 (as of August 2009); originally scheduled to take effect January 1, 2009, then May 1, 2009, then January 1, 2010
Summary
Consequences for non-compliance:
AT LEAST:
Increased risk of government enforcement or private litigation
93H § 6 incorporates 93A, § 4
93A, § 4:
• $5,000 per occurrence
• Attorneys' fees
• Cost of investigation/enforcement
AT WORST:
Enforcement PLUS bad PR, then compliance and oversight
What Prompted the Rules?
• High-profile data breach cases
• Breach notification alone insufficient
• Reflection of states' interest in protecting personal information
• Data in transit or on portable devices most at risk
• Massachusetts is one of the first, but is likely not the last
Looking Ahead
• Massachusetts is one of the first, but is likely not the last
• Federal legislation: HITECH (ARRA), Red Flags, H.2221 (prospect of preemption)
Scope of Rules
• Covers ALL PERSONS that own or license personal information about a Massachusetts resident
• Need not have operations in Massachusetts
• Financial institutions, health care and other regulated entities not exempt
Scope of Rules
"Personal information": Resident's first and last name or first initial and last name in combination with
• SSN
• Driver's license or State ID, or
• Financial account number or credit/debit card number that would permit access to a financial account
Scope of Rules
Bernard Madoff Personal Financial Statement
• Examples:
– Employee records
– Payroll or 401(k) information
– Donor records (with credit card)
– Volunteer records (expense reimbursements)
Three Requirements
1. Develop, implement and maintain a comprehensive, written information security program that meets very specific requirements (cWISP)
2. Heightened information security meeting specific computer information security requirements
3. Vendor compliance (phase-in)
Evaluating Compliance (not Evaluating Applicability)
• Appropriate
– Size of business
– Scope of business
– Type of business
– Resources available
– Amount of data stored
– Need for security and confidentiality
• Consumer and employee information
"The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated."
Enforcement
• Litigation and enforcement by the Massachusetts Attorney General
• Massachusetts law requires notice to the Attorney General of any breach, in addition to affected consumers
• Attorney General likely to investigate based on breach reports
• No explicit private right of action or penalties
Comprehensive Written Information Security Program
201 CMR 17.03
Information Security Program
"[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards"
Comprehensive Information Security Program, 201 CMR 17.03 (2)(a) through (j)
a. Designate
b. Identify
c. Develop
d. Impose
e. Prevent
f. Oversee
g. Restrict
h. Monitor
i. Review
j. Document
Comprehensive Information Security Program
(a) Designate an employee to maintain the WISP.
(b) Identify and assess reasonably foreseeable risks (Internal and external).
(c) Develop security policies for keeping, accessing and transporting records.
(d) Impose disciplinary measures for violations of the program.
(e) Prevent access by terminated employees.
(f) Oversee service providers and contractually ensure compliance.
(g) Restrict physical access to records.
(h) Monitor security practices to ensure effectiveness and make changes if warranted.
(i) Review the program at least annually.
(j) Document responsive actions to breaches.
Comprehensive Information Security Program
Third Party Compliance
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information
Comprehensive Information Security Program
Third Party Compliance
Contracts entered into "no later than" March 1, 2010: two-year phase-in.
Contracts entered into "later than" March 1, 2010: immediate compliance.
Comprehensive Information Security Program
"INDUSTRY STANDARDS"
Breach Reporting
G.L. c. 93H § 3
Breach of security –
“the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
Breach Reporting
• Possessor must give notice of
– Breach of security
– Unauthorized use or acquisition
• To owner/licensor of information
• Owner/licensor must give notice of
– Breach of security
– Unauthorized use or acquisition
• To
– Attorney General
– Office of Consumer Affairs
– Resident
Breach Reporting
"The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:
(1) the nature of the breach of security or the unauthorized acquisition or use; (2) the number of Massachusetts residents affected by such incident at the time of notification; and (3) any steps the person or agency has taken or plans to take relating to the incident."
Sample Breach Notification Letter
• http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf
Breach Reporting
• Stop
• Be afraid
• Call for help
Computer System Security Requirements
201 CMR 17.04
Electronic Requirements, 201 CMR 17.04
• User authentication protocols
• Secure access controls
• Encryption of transmittable records
• Monitoring systems
• Laptop and mobile device encryption
• Security patches and firewalls
• System security agents
• IT security user awareness
User Authentication Protocols
• Control of user IDs
• Secure password selection
• Secure or encrypted password files
• User accounts blocked for unusual logon attempts
Examples:
Passwords should be at least 9 characters, alphanumeric with special characters.
After 3 failed login attempts, users are blocked from access.
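As an added illustration (not code from the presentation), the authentication controls listed above in Python: the 9-character alphanumeric-plus-special password rule, a salted-hash store in place of a plaintext password file, and the 3-strikes lockout. The PBKDF2 parameters and the in-memory store are assumptions for the example.

```python
import hashlib
import hmac
import os
import string

# Policy values taken from the slide's examples: at least 9 characters,
# alphanumeric with special characters, and lockout after 3 failed logins.
MIN_LENGTH = 9
MAX_FAILED_ATTEMPTS = 3


def password_policy_violations(password: str) -> list[str]:
    """Return the rules a candidate password fails (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


class UserStore:
    """In-memory stand-in for a 'secure or encrypted password file': only a salted
    PBKDF2 hash is stored, and a per-user counter blocks the account after 3 misses."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_user(self, user_id: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": self._derive(password, salt),
                                "failed": 0, "locked": False}

    def is_locked(self, user_id: str) -> bool:
        return self._users[user_id]["locked"]

    def login(self, user_id: str, password: str) -> bool:
        """Verify a login; a locked account fails even with the right password."""
        rec = self._users.get(user_id)
        if rec is None or rec["locked"]:
            return False
        if hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"])):
            rec["failed"] = 0  # a successful login resets the counter
            return True
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True  # stays blocked until an administrator unlocks it
        return False
```

A successful login resets the counter, so only three consecutive failures trigger the block; once locked, the correct password is refused until the account is reset.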
Secure Access Control Measures
• Permit "access" on a need-to-know basis
• Password-protect accounts, and use the login to determine the level of access
Example:
Network access control software/hardware
– Consentry
– Sophos
Audit controls: who is accessing what, and when?
Encryption of Transmitted Records
• Encryption of personal information accessed over a public network
– Tunneling options (VPN)
– Faxes, VOIP, phone calls
• Encryption of PI on wireless
– Bluetooth, WEP, WiFi
• The definition of encryption is very broad
Examples:
PGP and Utimaco are encryption technologies
Monitoring of Systems
• Require systems to detect unauthorized use of, or access to, personal information
• Some existing user-account-based systems will already comply
Examples:
Again, network access control
Audit controls
Laptop and Mobile Device Encryption
• Encryption of PI stored on laptops
– Applies regardless of laptop location
• Encryption of PI stored on "mobile" devices
– Does incoming email become a problem?
This applies only if you have personal information as data in motion.
Email is clear text, so anyone can read anyone's email on the internet.
Security Patches and Firewalls
• "Reasonably up-to-date firewall protection and operating system patches" for Internet-connected computers
• Up-to-date operating systems
All organizations should have a firewall in place (not a router: a firewall).
You can hire an organization to update and manage the security infrastructure:
– Firewall
– Anti-virus
– Patches…
Systems Security Agent Software
• Anti-malware technology required
– Are certain products better?
– What about Macs or Linux?
• Set to receive auto-updates
Malware is what is infecting most environments, arriving over HTTP and HTTPS traffic.
Your users are your worst enemy.
Products to look at for malware:
– TrendMicro
– Websense
– Webwasher
Employee Education and IT Security Training
• Proper training on all IT security policies
• User awareness
– Importance of PI security
– Proper use of the computer
– Everyone is involved
Your employees are your weakest link in any IT security program.
They need to know the rules.
Suggestions:
– Stand-up training
– Newsletters
– Programs
– Online training
The Approach
• Inventory what type of personal information is being kept
– Assess risk
• Plan information security strategy
– Data: security, confidentiality, integrity
– IT infrastructure and information change processes
• Implement plan and policies
– Technology deployment
– Policy implementation
– User awareness
– Continual review
Security is all about vigilance…
Compliance is knowing what you need to protect, building a fortress around it and testing it on a frequent basis!
Data Destruction
G.L. c. 93I
Data Destruction (93I)
Paper documents / electronic media:
Redact, burn, pulverize, shred
so that personal information cannot be read or reconstructed
Data Destruction (93I)
– Violations:
• Attorney General: Unfair and Deceptive Practices remedies - 93H
• Civil fine: $100/data subject, not to exceed $50,000/instance – 93I
What To Do Now
Compliance Deadlines: March 1, 2010
• Implement internal policies and practices
• Encrypt company laptops
• Amend contracts with service providers to incorporate the data security requirements
• Take all reasonable steps to ensure vendors apply protections as stringent as these (written certification not necessary)
• Encrypt other (non-laptop) portable devices
Tasks
• Form a team ("A" Team)
– Include necessary Management, IT, HR, Legal and Compliance personnel
• Review existing policies
– Do your current data security policies and procedures create barriers to compliance?
• Map data flows that include personal information
– Consider limiting collection of personal information and restrict access to those with a need to know
• Identify internal and external risks and effectiveness of current safeguards
• Draft comprehensive written information security program
• Negotiate amendments to vendor agreements and audit for vendor compliance
• Encrypt laptops, portable devices and data in transit
• Restrict access to personal information
• Train employees
• Institute monitoring and self-auditing procedures
• Update systems including firewall protection and malware and virus protection
Action Plan
Sample WISP Please
Compliance Engagement Plan
• In-house IT/HR/Legal
• Outsourced IT/HR/Legal
• Combination
Action Plan
• Meeting and Implementation Plan
Data Gathering:
1. Initial meeting with Top Management
2. Engage IT firm or department to audit security
3. Overview/assignment meeting with Implementation Staff and Consultants
4. Post-assignment completion interviews with Implementation Staff and Consultants
Data Analysis:
5. Information organization and assignment meeting with Implementation Staff and Consultants
6. ISP data-flow meeting with IS
7. WISP and Security review with IS
Plan Implementation:
7. WISP and Security presentation to Top Management
8. WISP and Security presentation to RF
9. RF training in specific components
10. Employee handbook amendment
11. Vendor contract review and amendment
Plan Monitoring and Review:
12. New employee training
13. Periodic RF training
14. Plan audit and review
15. Plan amendment and refinement
Resources
• Statute (M.G.L. c. 93H)
• Rules (201 CMR 17.00)
• OCABR Guidance
– Compliance Checklist
– Small Business Guide
– Frequently Asked Questions Regarding 201 CMR 17.00
• Me
• Towerwall
Good News
• Way ahead of the curve
• Enforcement initially in PS
• LRA of 2009
Thank You