Massachusetts’ New Data Security Regulations: Ten Steps To Compliance

Amy Crafts
acrafts@proskauer.com
617.526.9658

April 23, 2010



1. Determine Whether You Own Or License Personal Information And Where It Is Located

The regulations apply to all persons – including natural persons, corporations, associations, partnerships or other legal entities – that own or license personal information of MA residents.

Personal information is defined by the regulations as a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following information:

• the resident’s Social Security number;

• the resident’s driver’s license number or state-issued identification card number; or

• the resident’s financial account number, or credit or debit card number.
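One way to operationalize this definition for a data-inventory pass, as an added example that is not part of the presentation: a record is in scope only when a name element is combined with at least one of the three listed data elements, a first initial satisfies the name part, and a masked number does not count. The record shape, field names, SSN pattern and sample rows are assumptions constructed for the example.

```python
# Data-inventory check for step 1: flag records that meet the regulation's definition of
# personal information (name element + at least one data element). Field names, the SSN
# pattern and the sample rows are constructed for this example.
import re
from dataclasses import dataclass, field

# Full 9-digit SSN, with or without dashes; masked values such as ***-**-6789 do not match
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

@dataclass
class Record:
    location: str                      # where the record lives: file, table, share
    fields: dict = field(default_factory=dict)

def has_name_element(f: dict) -> bool:
    # first and last name, or first initial and last name (a single initial is enough)
    return bool((f.get("first_name") or "").strip()) and bool((f.get("last_name") or "").strip())

def data_elements(f: dict) -> list[str]:
    # which of the three listed data elements the record carries
    found = []
    if SSN_RE.match((f.get("ssn") or "").strip()):
        found.append("ssn")
    if (f.get("drivers_license") or f.get("state_id") or "").strip():
        found.append("id_number")
    if (f.get("account_number") or f.get("card_number") or "").strip():
        found.append("financial_account")
    return found

def classify(rec: Record) -> list[str]:
    # data elements that put the record in scope; [] means not regulated PI
    return data_elements(rec.fields) if has_name_element(rec.fields) else []

def inventory(records: list[Record]) -> dict[str, list[str]]:
    # map each location holding regulated PI to the data elements found there
    out: dict[str, set[str]] = {}
    for r in records:
        elems = classify(r)
        if elems:
            out.setdefault(r.location, set()).update(elems)
    return {loc: sorted(e) for loc, e in out.items()}

SAMPLE_RECORDS = [  # constructed sample data
    Record("hr/roster.csv", {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"}),
    Record("crm/customers.db", {"first_name": "Jane", "last_name": "Roe", "card_number": "4111111111111111"}),
    Record("marketing/list.xlsx", {"first_name": "Jane", "last_name": "Roe", "email": "jane@example.com"}),
    Record("finance/ach.csv", {"account_number": "000123"}),  # data element but no name: out of scope
    Record("hr/roster.csv", {"first_name": "Jane", "last_name": "Roe", "ssn": "***-**-6789", "state_id": "S12345678"}),
]
```

Running `inventory(SAMPLE_RECORDS)` lists only the two locations that hold regulated personal information, which is the "where it is located" half of step 1.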


2. Develop A Written Information Security Program (WISP)

• Massachusetts requires that all covered entities must develop, implement and maintain a comprehensive WISP.

• WISP must be risk-based, and must contain administrative, technical and physical safeguards that are appropriate to: the size, scope and type of business; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.


3. Designate Employee(s) Responsible For Implementing And Maintaining WISP

Responsibilities should include:

• Regular monitoring to ensure that the WISP is operating in a manner intended to prevent unauthorized access to or use of personal information.

• Upgrading information safeguards as necessary to decrease risk.

• Reviewing scope of security measures at least annually, or whenever there is a material change in business practice that may implicate security or integrity of personal information.

• Following a security breach, conducting and documenting a post-incident review of events and actions taken.


4. Identify And Assess Reasonably Foreseeable Internal And External Risks To Security And Integrity Of Personal Information

Efforts should include:

• Ongoing employee (including temporary and contract employee) training on the proper use of the computer security system and the importance of personal information security.

• Employee compliance with policies and procedures – and imposition of disciplinary measures for noncompliance.

• Means for detecting and preventing security system failures.


5. Identify Paper Records That Contain Personal Information

• Restrict access only to those employees who need information to perform their employment responsibilities.

• Require that terminated employees return copies of any documents containing personal information.

• Store in locked facilities, storage areas or containers.

• Develop a security policy for storage, access and transportation of such records outside of business premises.


6. Implement Secure User IDs/Passwords And Access Control Measures

• Develop a secure method of assigning passwords, preferably a unique user identification plus a password, and consider using identifier technologies, such as biometrics or token devices.

• Ensure that user IDs and passwords are kept in a locked or encrypted file.

• Block access after multiple unsuccessful attempts to gain access.

• Restrict access to active users and active user accounts, and those who need such information to perform their job duties.


7. Ensure Security Of Computer Systems

• Requires reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of personal information.

• Requires reasonably up-to-date versions of system security agent software, including malware protection, patches and virus definitions.


8. Encrypt Electronic Files, To The Extent “Technically Feasible”

• All transmitted files containing personal information that will travel across public networks (i.e. the Internet), and all data that will be transmitted wirelessly, should be encrypted.

• All personal information stored on laptops or other portable devices should be encrypted.


9. Oversee Third-Party Service Providers

• Take reasonable steps to select and retain third-party service providers that are capable of maintaining security measures to protect personal information.

• Require third-party service providers by contract to implement and maintain appropriate security measures for personal information, with a carve-out: contracts in existence prior to March 1, 2010 do not have to contain such a representation until March 1, 2012.


10. When Discarded, Completely Destroy Paper And Electronic Documents

• Paper documents must be either redacted, burned, pulverized or shredded.

• Electronic documents and other non-paper media must be either destroyed or erased.


What Are The Penalties For Non-Compliance With The Regulations?

• Massachusetts provides for civil penalties in cases of non-compliance, pursuant to its consumer protection statute, M.G.L. 93A.

• A civil penalty of $5,000 may be awarded for each deceptive act or practice, in addition to injunctive relief and attorneys’ fees.


What Does All Of This Mean?

Let’s discuss some hypothetical or frequently asked questions.


How Do I Store And Destroy Old Tapes/CDs?

• Old tapes and CDs (which are portable devices) should be encrypted, or at least stored in a locked file or room.

• Destruction must completely erase the content of the tapes and CDs. Be careful – after data is erased, residue may remain which could lead to inadvertent disclosure. Overwriting the stored data is a popular low-cost option (also called “wiping” or “shredding”). Work with your IT staff to ensure the tapes and CDs have been completely erased.


How Should Businesses Protect E-mails Containing Personal Information?

• If technically feasible, e-mails should be encrypted.

• If not technically feasible, implement best practices by not sending personal information via e-mail.

There are alternative methods to communicate personal information other than through e-mail, such as establishing a secure Website that requires safeguards including username and password to conduct transactions involving personal information.


Is There A Maximum Period Of Time To Keep Records Containing Personal Information?

• As good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected, and limit the time such information is retained to that reasonably necessary to accomplish such purpose.

• Access should be limited to those persons who are reasonably required to know such information.


How Much Employee Training Is Required?

• The regulations do not articulate what specifically is required.

• We suggest that you:

  – Provide enough training to ensure that employees who will have access to personal information know what their obligations are regarding the protection of that information.

  – Train both temporary and permanent employees.

  – Convey to your employees that data security is taken seriously by your business.

  – Require trained employees to sign an acknowledgement of training.


What Is The Extent Of The Monitoring Obligation?

• Depends on the nature of your business, your business practices, and the amount of personal information you own or license.

• Also depends on the form in which the information is kept and stored.

• In the end, the monitoring you put in place must be such that it is reasonably likely to reveal unauthorized access or use.


What If I Use Laptops?

• Assess whether your laptop(s) contain personal information.

• If they do, consider encryption. The regulations make clear that, to be encrypted, data must be altered into an unreadable form: encryption must bring about a “transformation of data into a form in which meaning cannot be assigned.”

Password protection is not enough.


What Should You Do Now?

• Develop a plan to work towards compliance.

• Evaluate protection mechanisms you have in place, and determine how they must be revised.

• Talk to your colleagues – lawyers, IT, etc. – to determine what makes sense for your business.
