
Page 1: An Act Relative to Security Freezes and Notification of Data Breaches, Chapter 82 of the Acts of 2007 (Massachusetts Digital Government Summit, Securing Private Information Session)

An Act Relative to Security Freezes and Notification of Data Breaches
Chapter 82 of the Acts of 2007

Massachusetts Digital Government Summit
Securing Private Information Session

December 11, 2007

Page 2

One More Addition to Existing Data Security Rules

HIPAA Security Rule
Fair Information Practices Act
Social Security Administration Agreements
PCI-DSS Requirements
And now, the Commonwealth’s Identity Theft Act…

Page 3

Summary

Credit Report Freeze: Effective October 31, 2007
Security Breaches: Effective October 31, 2007
Disposition and Destruction of Records: Effective February 3, 2008

Page 4

Credit Report Freeze, Sections 1 through 16 of the Act

Chapter 93, s. 62(A)
If identity stolen, consumer has right to control who has access to credit report, except under certain circumstances, including:
– State agencies, law enforcement agencies, or trial court acting under court order, warrant or subpoena
– The Massachusetts child support agency (DOR)
– EOHHS when investigating Medicaid fraud
– DOR investigating or collecting delinquent taxes, unpaid court orders or to fulfill other statutory responsibilities

Page 5

Security Breaches, Section 16 of the Act

Creates MGL ch. 93H
Key definitions
Agency broadly defined to include, among others, all exec department agencies

Page 6

Security Breaches, cont.

Agencies will have a notice obligation when:
– Breach of Security re: PI, OR
– PI acquired or used by an unauthorized person, OR
– PI used for unauthorized purpose

Page 7

Security Breaches, cont.

Breach of Security = unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality or identity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
– A good faith but unauthorized acquisition of PI by a person or agency or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the PI is used in an unauthorized manner or subject to further unauthorized disclosure.

Page 8

Security Breaches, cont.

Personal information (PI) =
– [(first name + last name) or (first initial and last name)]
– in combination with any 1 or more of the following:
  SSN
  drivers license or Mass ID card
  financial account number, credit or debit card number, with or without required security access code, personal ID number, or password that would permit account access
– BUT NOT information lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. (No biometric identifiers included)

Page 9

Security Breaches, cont.

Encrypted = transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of confidential process or key, unless further defined by regulation of the Department of Consumer Affairs and Business Regulation (OCA).

Page 10

Security Breaches, cont.

Data = any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics

Electronic = relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities

Page 11

Security Breaches, cont.

Notice [to consumers]:
– Written
– Electronic if provided consistent with E-SIGN consumer protection provisions (15 USC Section 7001(c)) and UETA consumer protection provisions (MGL ch. 110G)
– “Substitute notice” if the agency required to provide notice demonstrates that:
  cost of providing written notice will exceed $250,000
  affected class of Mass. residents to be notified exceeds 500,000 residents, or
  agency does not have sufficient contact information to provide notice

Page 12

Security Breaches, cont.

Substitute Notice [to consumers] is all of the following:
– Email if the agency has email addresses for the members of the affected class
– Clear and conspicuous posting of the notice on the home page of the agency if the agency has a website AND
– Publication in or broadcast through media or medium that provides notice throughout the commonwealth

Page 13

Security Breaches

The supervisor of public records, with the advice and consent of ITD insofar as ITD sets IT standards for the Exec Department, must establish rules or regs designed to safeguard the PI of residents of the Commonwealth that is owned or licensed.

Purpose of rules:
– Insure security and confidentiality of PI
– Protect against anticipated threats or hazards to security or integrity of such information;
– Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any resident of the Commonwealth.

Take into account size, scope and type of services provided by agencies;

Legislature, judiciary, and constitutional offices to adopt their own rules

Status: ITD working on an SPR Bulletin with Supervisor of Public Records

Page 14

Security Breaches

Notice obligation triggered when agency knows or should have known:
– Of breach of security, or
– that the PI was acquired or used by an unauthorized person or for an unauthorized purpose

Notice must be provided “as soon as practicable and without unreasonable delay”

Notice requirements differ depending on whether agency
– Maintains and stores data for owner or licensor
– Is the owner or licensor of data [use defined notice and substitute notice terms]

Page 15

Security Breaches, cont.

Agency that maintains, stores, but does not own or license data that includes PI about state residents must provide notice to owner or licensor of data

Page 16

Security Breaches, cont.

In addition, such agency must cooperate with owner or licensor of PI, including informing them of:
– breach of security or unauthorized acquisition or use,
– date of incident
– nature thereof
– steps agency has taken or plans to take relating to the incident

Page 17

Security Breaches, cont.

Agency that owns or licenses data that includes PI about a resident must provide notice to AG, OCA and resident.

Upon receipt of notice, OCA must provide notice to the reporting agency of any relevant consumer reporting agency or state agency, and the agency must provide notice to relevant consumer reporting agency.

Page 18

Security Breaches, cont.

Notice to resident must include:
– Consumer’s right to obtain police report
– How to request a security freeze
– Fees required to be paid to consumer reporting agencies
– But not the nature of the breach or unauthorized acquisition or use, or the number of residents of the commonwealth affected by it.

Page 19

Security Breaches, cont.

Exec department agencies must also provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use to
– ITD
– supervisor of public records
and must comply with all policies and procedures adopted by them pertaining to reporting and investigating the incident.

Page 20

Security Breaches, cont.

– ITD Enterprise Cybercrime & Security Incident Response Policy and Procedures.
– Required notification: To CommonHelp via
  – 1-866-888-2808
  – [email protected]
Then CSIRT (Cybercrime Incident and Response Team at [email protected])

Page 21

Security Breaches, cont.

Other requirements of the CSIP
– Event log
– Investigate
– Identify risk
– Snapshot of files within first half hour of investigation
– Confer with CSIRT and network manager
– Response plan
– Monitor and evaluate
– Preliminary and final report to file with agency and CSIRT
– Preserve evidence
– Post mortem; lessons learned

Page 22

Security Breaches, cont.

Notice may be delayed if law enforcement agency determines that provision of notice will impede criminal investigation and has notified AG in writing thereof and informs the agency of such determination. Once law enforcement agency informs agency that notification no longer poses a risk, notification must be provided.

Agency must cooperate with law enforcement in its investigation of breach

Page 23

Security Breaches, cont.

Safe Harbor: The Mass. ID Theft law does not preempt other state and federal laws regarding protection and privacy of PI; however, person who maintains procedures for responding to a breach pursuant to federal laws, rules, regs, guidance or guidelines is in compliance with this chapter if they
– notify affected Mass. residents in accordance with the maintained or required procedures when a breach occurs, and
– notify AG and OCA as well.

Page 24

Disposition and Destruction of Records, Section 17 of the Act

Creates MGL ch. 93I
Data must contain Personal information =
– [(first name + last name) or (first initial and last name)]
– in combination with any 1 or more of the following: (a) SSN, (b) drivers license or Mass ID card, (c) financial account number, credit or debit card number, with or without required security access code, personal ID number, or password that would permit account access, or (d) biometric indicator
  Ex: JSmith plus SS# 35423-0972
– Note biometric indicators are NOT included in security breach section of law, and that exception to definition of PI in security breach section for publicly available information is also NOT included here.
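A constructed example (not part of the presentation) that encodes the two PI definitions contrasted above (ch. 93H on Page 8 versus ch. 93I here), together with the ch. 93H breach-of-security test from Page 7 and the notice rules from Pages 11, 14 through 17 and 19. Field names, role labels and the exact rule encoding are this example's own assumptions, not anything the Commonwealth publishes.

```python
"""Constructed decision helpers for the ch. 93H / 93I definitions in Chapter 82
of the Acts of 2007 (Massachusetts). Not from the presentation; field names,
role labels and the exact rule encoding are this example's own assumptions.
"""
from dataclasses import dataclass, field

# Identifier classes named in the statute. Biometric counts only under ch. 93I
# (disposition and destruction), not under ch. 93H (breach notification).
IDENTIFIERS_93H = {"ssn", "drivers_license", "mass_id", "financial_account"}
IDENTIFIERS_93I = IDENTIFIERS_93H | {"biometric"}


@dataclass
class Record:
    first_name: str = ""                 # full first name or just an initial
    last_name: str = ""
    identifiers: set = field(default_factory=set)
    publicly_available: bool = False     # lawfully obtained from public records


def is_personal_information(rec: Record, chapter: str) -> bool:
    """Apply the PI definition of the named chapter to one record."""
    if not (rec.first_name and rec.last_name):
        return False      # a name element is always required
    if chapter == "93H":
        if rec.publicly_available:
            return False  # the public-records exception exists only in 93H
        return bool(rec.identifiers & IDENTIFIERS_93H)
    if chapter == "93I":
        return bool(rec.identifiers & IDENTIFIERS_93I)
    raise ValueError("chapter must be '93H' or '93I'")


def is_breach_of_security(encrypted: bool, key_compromised: bool,
                          good_faith_internal: bool, further_misuse: bool) -> bool:
    """ch. 93H breach test: unencrypted data, or encrypted data together with
    the confidential process or key. Good-faith acquisition by the agency's own
    staff for lawful purposes is not a breach unless the PI is then misused or
    further disclosed."""
    exposed = (not encrypted) or key_compromised
    if not exposed:
        return False
    if good_faith_internal and not further_misuse:
        return False
    return True


def notice_recipients(role: str, exec_department: bool = False) -> list:
    """Who must be notified, by the agency's relationship to the data."""
    if role == "maintainer":    # stores data for another owner or licensor
        recipients = ["owner_or_licensor"]
    elif role == "owner":
        recipients = ["attorney_general", "oca", "resident"]
    else:
        raise ValueError("role must be 'maintainer' or 'owner'")
    if exec_department:         # extra written notice required of exec agencies
        recipients += ["itd", "supervisor_of_public_records"]
    return recipients


def substitute_notice_allowed(written_cost_usd: float, affected_residents: int,
                              has_contact_info: bool) -> bool:
    """Any one of the three statutory conditions permits substitute notice."""
    return (written_cost_usd > 250_000
            or affected_residents > 500_000
            or not has_contact_info)


if __name__ == "__main__":
    # Constructed sample: the same record judged under both chapters.
    sample = Record("J", "Smith", {"biometric"})
    print("93H PI:", is_personal_information(sample, "93H"))  # False
    print("93I PI:", is_personal_information(sample, "93I"))  # True
    print("encrypted, key lost:", is_breach_of_security(True, True, False, False))  # True
```

The encryption branch is the point worth remembering: ciphertext whose key or process was taken with it is treated exactly like plaintext under ch. 93H.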

Page 25

Disposition and Destruction, cont.

Applies to agencies, broadly defined

Page 26

Disposition and Destruction

When disposing of records, each agency or person must at a minimum do the following:
– Paper docs containing PI redacted, burned, pulverized or shredded so PI cannot practicably be read and reconstructed
– Electronic media and other non-paper media containing PI shall be destroyed or erased so that PI cannot be practicably read or reconstructed

What does “cannot be practicably read or reconstructed” mean? Does it mean not susceptible to the nontechnologist? To the teenage hacker? To the forensic specialist?
– See new National Institute of Standards and Technology Standard 800-88 Guidelines for Media Sanitization
– ESB Media Sanitization Project

Page 27

Disposition and Destruction, cont.

An agency disposing of PI may contract with a 3rd party to dispose of PI according to this chapter.
– 3rd party must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of PI during collection, transportation and disposal of PI

Page 28

Penalties

Civil money penalties for violation of sections of act pertaining to security breaches and disposition and destruction of data

Page 29

Identity Theft Bill: Agency CIO To Do List

Ensure all agency counsel aware of ID theft bill if your agency holds PI (Techlaw training for counsel in January ‘08)

Review the regulations that will be adopted by OCA and SPR and analyze their impact on your agency
– Determine if Federal laws to which your agency is subject preempt
– Identify key players in agency

Identify and notify key players in your agency

Adopt policies and procedures consistent with law and OCA/SPR regulation.

Monitor and enforce against employees, contractors and agents.

Page 30

Linda Hamel
General Counsel
ITD
[email protected]
(617) 626 4404