The New Standard: Massachusetts’ sweeping new data protection rules. Joe Laferrera, Gesmer Updegrove LLP, March 2009
Massachusetts’ Law: Chapter 93H Effective October 2007 Notification in event of data breach Consistent with other states’ laws Reactive
Data Breach Notification Laws
Massachusetts’ Regulations: 201 CMR 17.00
Issued October 2008
Plan to secure and protect residents’ personal information Broader than anything else in the country Proactive
Overview If regs apply: must protect Personal Information must have written information security plan (WISP) detailing policies and procedures must have designee(s) responsible for protecting Personal Information
Massachusetts-type Regulations
Who’s Covered: any person, corporation, association, partnership, nonprofit or educational institution which owns, stores, licenses or maintains any personal information about a Massachusetts resident.
Personal Information: a Massachusetts resident’s name plus any one of: Social Security number; driver’s license or State ID number; credit card or debit card number; financial account number.
Territorial Reach Essentially all Massachusetts businesses Retailers nationwide who accept credit cards Third-party service providers nationwide that touch Massachusetts residents’ personal data Many, many more...
Examples 3-person firm in Massachusetts that only transacts business with companies: Has employees’ personal information. No de minimis threshold. If payroll is processed by outside provider, it must also comply.
Examples Large multi-national corporation. Tens of thousands of employees and petabytes of data in dozens of locations. Mountains of archives and backups off-site. Enormity of job does not impact application of regs. Even Personal Information stored on backup tapes is technically PI.
Examples Small retail store in New Hampshire: If it accepts credit cards, it may well obtain Personal Information of Massachusetts residents. There is no actual notice requirement.
Examples Medium-sized North Carolina company that provides corporate data storage services, but has no Massachusetts customers: Absent contractual safeguards, customers’ stored data may contain Massachusetts Personal Information. There is no actual notice requirement.
About The WISP 1. Develop a comprehensive, written information security plan 2. Designate someone to be in charge of it 3. Implement, maintain and monitor it
What’s in a WISP? (201 CMR 17.03) Requirements for protecting all Personal Information, in whatever form. (201 CMR 17.04) Requirements that apply to electronic Personal Information records.
General Requirements (201 CMR 17.03)
Risk assessment Off-premises access Disciplinary measures Terminated employees 3rd-party service providers
Inventory Personal Information Physical access WISP monitoring WISP reviews Post-hoc incident review
Risk Assessment: analysis of specific risks (internal and external; to security, confidentiality and integrity of Personal Information), identifying and assessing those risks, and evaluating and improving the effectiveness of safeguards.
Off-Premises Access Assess “whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.” Telecommuting Use of messenger and delivery services Ability to maintain files at home
Disciplinary Measures State wants to know that WISP is taken seriously. Discipline must be imposed for breach. Flexibility can be preserved.
Terminated Employees Access to Personal Information prohibited for terminated employees. Email and network accounts turned off Physical access prohibited
3rd-Party Providers Before giving 3rd-party provider PI access: 1. Due diligence 2. Contractually obligate compliance Applies to existing contracts as well as prospective ones May force businesses to choose between compliance and breach
Limit Access to PI Access limited to “legitimate purpose”: amount collected length of time kept people with access
PI Inventory Identifying categories of records and devices containing Personal Information. Alternative is treating all data as Personal Information.
Physical Access Physically restrict access to Personal Information Personal Information must be kept in locked facilities or containers
WISP Monitoring and Review WISP must provide for ongoing monitoring of plan effectiveness At least annual review of WISP to accommodate new and unanticipated risks
Post Hoc Incident Reviews After a “breach of security”: subsequent review of response and necessary changes to prevent recurrence documentation of event and response
Electronic Requirements (201 CMR 17.04)
User authentication protocols
Laptop and mobile device encryption
Secure access control measures
Security patches and firewalls
Encryption of transmitted records
System security agent software
Monitoring of systems
Employee education and training
User Authentication Protocols Control use of user IDs Secure password selection Secure or encrypt password files User accounts Blocks for unsuccessful login attempts
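An added example, not from the presentation or from Gesmer Updegrove, showing what three of the points above look like in code: a password-selection policy check, a password file that holds only salted PBKDF2 hashes (never plaintext), and a block on the account after repeated unsuccessful login attempts. The policy, iteration count, attempt threshold and lockout duration are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration (not from the presentation) of three points on the
# "User Authentication Protocols" slide: secure password selection, a
# password file that stores only salted hashes, and a block on the account
# after repeated unsuccessful login attempts. All thresholds are assumptions.
PBKDF2_ITERATIONS = 100_000   # assumed work factor
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration


def password_meets_policy(password: str) -> bool:
    """Assumed minimum policy: 12+ characters drawn from at least 3 character classes."""
    if len(password) < 12:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory stand-in for the password file: it never holds a plaintext password."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so lockout expiry can be exercised in tests
        self._users = {}         # user_id -> {salt, hash, failed, locked_until}

    def add_user(self, user_id: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "hash": digest, "failed": 0, "locked_until": 0.0}

    def is_locked(self, user_id: str) -> bool:
        rec = self._users.get(user_id)
        return rec is not None and self._clock() < rec["locked_until"]

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown users are simply denied."""
        rec = self._users.get(user_id)
        if rec is None:
            # Spend the same hashing cost so an unknown user is not revealed by timing.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if self._clock() < rec["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = self._clock() + LOCKOUT_SECONDS
            rec["failed"] = 0
        return "denied"
```

The lockout is time-based rather than permanent so a mistyped password does not turn into a help-desk ticket, and the comparison uses `hmac.compare_digest` so a wrong guess costs the same time whether or not the first bytes of the hash match.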
Secure Access Control Measures Permit access to records on “need to know” basis Password-protected account logins to determine level of access
Encryption of Transmitted Records Encryption of PI across public networks (i.e., Internet) Tunneling options? Faxes and VOIP phone calls? Encryption of PI over wireless Bluetooth, WEP, WPA? Encryption definition is broad
Monitoring of Systems Requires system to detect unauthorized use of, or access to, Personal Information Compare to “Red Flag” requirement Some existing user account-based systems will already comply
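An added example (not from the presentation) of the kind of monitoring the slide describes: a small detector run over a constructed access-log sample, flagging Personal Information records read by accounts outside a need-to-know roster, bulk exports of PI, and PI access outside working hours. The log format, the roster and the business hours are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed access-log sample (not from the presentation). Assumed format:
# ISO timestamp, account, action, record path, and a pi=0/1 flag marking
# records that hold Personal Information (PI).
SAMPLE_LOG = """\
2009-03-02T09:00:01 hr_jane READ   emp/1042 pi=1
2009-03-02T09:00:07 hr_jane READ   emp/1043 pi=1
2009-03-02T09:05:30 dev_sam READ   build/77 pi=0
2009-03-02T09:06:02 dev_sam READ   emp/1042 pi=1
2009-03-02T11:30:00 hr_jane EXPORT emp/*    pi=1
2009-03-02T22:15:44 hr_jane READ   emp/2001 pi=1
"""

# Need-to-know roster and working hours (both assumptions for the example).
PI_AUTHORIZED = {"hr_jane"}
BUSINESS_HOURS = range(8, 19)   # 08:00 through 18:59

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+pi=([01])$")


def parse_line(line: str) -> dict:
    """Parse one log line; raises ValueError on lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, user, action, record, pi = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "record": record,
        "pi": pi == "1",
    }


def find_alerts(log_text: str) -> list:
    """Return (rule, user, record) tuples for PI access that the WISP monitoring should flag."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if not ev["pi"]:
            continue                       # only PI records are in scope
        if ev["user"] not in PI_AUTHORIZED:
            alerts.append(("unauthorized-pi-access", ev["user"], ev["record"]))
        if ev["action"] == "EXPORT":
            alerts.append(("bulk-pi-export", ev["user"], ev["record"]))
        if ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(("after-hours-pi-access", ev["user"], ev["record"]))
    return alerts


if __name__ == "__main__":
    for rule, user, record in find_alerts(SAMPLE_LOG):
        print(f"{rule:24} {user:10} {record}")
```

The rules deliberately key on the PI flag rather than on the user alone: an authorized HR account exporting every employee record, or reading records late at night, is exactly the "unauthorized use" an account-based system would miss if it only checked who logged in. The post-hoc incident review the regulations require is easier when each alert carries the rule, account and record that triggered it.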
Laptop & Mobile Device Encryption Encryption of Personal Information stored on laptops Applies regardless of laptop location or use Encryption of Personal Information stored on “mobile devices” Does incoming email present a problem?
Security Patches & Firewalls “Reasonably up-to-date firewall protection and operating system security patches” for Internet-connected computers Problematic for legacy systems? Dated OSs?
System Security Agent Software Requires use of anti-malware software Macs and Linux boxes? Are certain products “better” from compliance standpoint? “Set to receive…updates on a regular basis.”
Employee Education and Training Proper use of computer systems Importance of Personal Information security Applies to all employees?
Enforcement AG’s office enforces Chapter 93H and 201 CMR 17.00 No private right of action But regs may become de facto standard in civil suits.
Discretion Factors recognized by regs: Size, scope and type of business Resources available to business Amount of stored data Need for security and confidentiality
Liability and Risk In the event of breach: Governmental risk Contractual risk Insurance coverage at risk
Deadlines Originally, Jan 1, 2009 Then, pushed to May 1, 2009 Now, deadline is Jan 1, 2010
The Approach Audit and assess Inventory type of PI kept Review 3rd-party contracts Assess risks Plan information and data strategy IT infrastructure and information process changes Implement plan and policies Contract changes, employee policies, etc.
40 Broad Street Boston, MA 02109 (617) 350-6800 gesmer.com
980 Washington Street, Suite 124 Dedham, MA 02026 (781) 474-7700 ntirety.com
All rights reserved. ©2009 Gesmer Updegrove LLP. This may be considered advertising under Mass. R. Prof. C. 7.3(c).