The New Standard - Massachusetts' Sweeping New Data Protection Rules

The New Standard: Massachusetts' sweeping new data protection rules
Joe Laferrera, Gesmer Updegrove LLP, March 2009

Massachusetts' Law: Chapter 93H
  • Effective October 2007
  • Notification in event of data breach
  • Consistent with other states' laws
  • Reactive

Data Breach Notification Laws

Massachusetts' Regulations: 201 CMR 17.00
  • Issued October 2008
  • Plan to secure and protect residents' personal information
  • Broader than anything else in the country
  • Proactive

Overview
If the regs apply, a business:
  • must protect Personal Information
  • must have a written information security plan (WISP) detailing policies and procedures
  • must have designee(s) responsible for protecting Personal Information

Massachusetts-type Regulations

Who's Covered
Any person, corporation, association, partnership, nonprofit or educational institution which owns, stores, licenses or maintains any personal information about a Massachusetts resident.

Personal Information
A Massachusetts resident's name in combination with any of:
  • Social Security number
  • Driver's license or State ID number
  • Credit card or debit card number
  • Financial account number

Territorial Reach
  • Essentially all Massachusetts businesses
  • Retailers nationwide who accept credit cards
  • Third-party service providers nationwide that touch Massachusetts residents' personal data
  • Many, many more...

Examples: 3-person firm in Massachusetts that only transacts business with companies
  • Has employees' personal information. No de minimis threshold.
  • If payroll is processed by an outside provider, that provider must also comply.

Examples: Large multi-national corporation
  • Tens of thousands of employees and petabytes of data in dozens of locations.
  • Mountains of archives and backups off-site.
  • Enormity of the job does not affect application of the regs.
  • Even Personal Information stored on backup tapes is technically PI.

Examples: Small retail store in New Hampshire
  • If it accepts credit cards, it may well obtain Personal Information of Massachusetts residents.
  • There is no actual notice requirement.

Examples: Medium-sized North Carolina company that provides corporate data storage services, but has no Massachusetts customers
  • Absent contractual safeguards, customers' stored data may contain Massachusetts Personal Information.
  • There is no actual notice requirement.

About the WISP
  1. Develop a comprehensive, written information security plan
  2. Designate someone to be in charge of it
  3. Implement, maintain and monitor it

What's in a WISP?
  • 201 CMR 17.03: requirements for protecting all Personal Information, in whatever form
  • 201 CMR 17.04: requirements that apply to electronic Personal Information records

General Requirements (201 CMR 17.03)
  • Risk assessment
  • Off-premises access
  • Disciplinary measures
  • Terminated employees
  • 3rd-party service providers
  • Inventory of Personal Information
  • Physical access
  • WISP monitoring
  • WISP reviews
  • Post-hoc incident review

Risk Assessment (diagram)
Identifying and assessing internal and external risks to the security, confidentiality and integrity of Personal Information; evaluating and improving the effectiveness of safeguards.

Off-Premises Access
Assess "whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises."
  • Telecommuting
  • Use of messenger and delivery services
  • Ability to maintain files at home

Disciplinary Measures
  • State wants to know that the WISP is taken seriously.
  • Discipline must be imposed for breach.
  • Flexibility can be preserved.

Terminated Employees
Access to Personal Information is prohibited for terminated employees:
  • Email and network accounts turned off
  • Physical access prohibited

3rd-Party Providers
Before giving a 3rd-party provider PI access:
  1. Due diligence
  2. Contractually obligate compliance
Applies to existing contracts as well as prospective ones. May force businesses to choose between compliance and breach.

Limit Access to PI
Access limited to a "legitimate purpose":
  • amount collected
  • length of time kept
  • people with access

PI Inventory
  • Identifying categories of records and devices containing Personal Information.
  • The alternative is treating all data as Personal Information.

Physical Access
  • Physically restrict access to Personal Information
  • Personal Information must be kept in locked facilities or containers

WISP Monitoring and Review
  • WISP must provide for ongoing monitoring of plan effectiveness
  • At least annual review of the WISP to accommodate new and unanticipated risks

Post Hoc Incident Reviews
After a "breach of security":
  • subsequent review of the response and of changes necessary to prevent recurrence
  • documentation of the event and the response

Electronic Requirements (201 CMR 17.04)
  • User authentication protocols
  • Laptop and mobile device encryption
  • Secure access control measures
  • Security patches and firewalls
  • Encryption of transmitted records
  • System security agent software
  • Monitoring of systems
  • Employee education and training

User Authentication Protocols
  • Control use of user IDs
  • Secure password selection
  • Secure or encrypt password files
  • User accounts
  • Blocks for unsuccessful login attempts
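The slide lists the authentication controls 17.04 expects but not what they look like in practice. The following is an added example, not code from the presentation or from Gesmer Updegrove LLP, showing three of them in one small user store: a password-selection check, a salted PBKDF2 hash so the password file never holds cleartext, and a lockout after repeated failed logins. The user names, passwords, thresholds and lockout period are constructed for the example; the regulation sets no specific numbers.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Policy knobs (constructed values; 201 CMR 17.04 does not prescribe numbers).
PBKDF2_ROUNDS = 200_000
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5        # "blocks for unsuccessful login attempts"
LOCKOUT_SECONDS = 15 * 60
# Tiny constructed deny-list standing in for a real breached-password list.
WEAK_PASSWORDS = {"password", "password123", "letmein", "qwerty123456"}


def password_meets_policy(password: str) -> bool:
    """'Secure password selection': reject short or well-known passwords."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in WEAK_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the stored password file holds no cleartext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """In-memory stand-in for a password file: one record per user ID."""

    def __init__(self) -> None:
        self._users = {}  # user_id -> {salt, digest, failures, locked_until}

    def add_user(self, user_id: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "digest": digest,
                                "failures": 0, "locked_until": 0.0}

    def authenticate(self, user_id: str, password: str,
                     now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        rec = self._users.get(user_id)
        if rec is None:
            # Hash anyway so an unknown ID takes as long as a wrong password,
            # which keeps the response time from revealing which IDs exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0          # successful login resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.authenticate("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = store.authenticate("alice", "wrong guess")
    print(result)                                                         # locked
```

The lockout is keyed to the account, not the client address, so it blocks the repeated-guess pattern regardless of where attempts come from; a real deployment would also log each lockout, since those events feed the "monitoring of systems" requirement later in the deck.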

Secure Access Control Measures
  • Permit access to records on a "need to know" basis
  • Password-protected account logins to determine level of access

Encryption of Transmitted Records
  • Encryption of PI across public networks (i.e., the Internet). Tunneling options? Faxes and VoIP phone calls?
  • Encryption of PI over wireless. Bluetooth, WEP, WPA?
  • Encryption definition is broad

Monitoring of Systems
  • Requires a system to detect unauthorized use of, or access to, Personal Information
  • Compare to the "Red Flag" requirement
  • Some existing user account-based systems will already comply
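The "need to know" access rule and the monitoring requirement fit together: if each role's permitted PI categories are written down, an access log can be checked against them. The following is an added example, not from the presentation or the firm, of that check run over a handful of constructed log lines. The log format, the roles, the user IDs and the permission matrix are all assumptions made for the example; the audit flags unknown user IDs, reads outside a role's need to know, and actions other than an ordinary read.

```python
import re
from typing import Dict, List, Optional

# Need-to-know matrix (constructed): role -> PI categories the role may read.
ROLE_PERMISSIONS: Dict[str, set] = {
    "payroll": {"ssn", "bank_account"},
    "customer_service": {"payment_card"},
    "it_admin": set(),        # administers systems; no business need for PI contents
}
USER_ROLES: Dict[str, str] = {"dana": "payroll", "eli": "customer_service", "fay": "it_admin"}
ALLOWED_ACTIONS = {"read"}    # exports/bulk copies are flagged for review

# Constructed log format: one key=value record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) category=(?P<cat>\S+)$"
)

# Constructed sample log; these are not real events.
SAMPLE_LOG = """
2009-03-02T09:01:05Z user=dana action=read record=emp-0042 category=ssn
2009-03-02T09:02:11Z user=eli action=read record=cust-1187 category=payment_card
2009-03-02T09:03:40Z user=fay action=read record=emp-0042 category=ssn
2009-03-02T09:04:02Z user=ghost action=read record=emp-0099 category=bank_account
2009-03-02T09:05:00Z user=eli action=export record=cust-all category=payment_card
this line is not a valid log entry
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per log line that violates the need-to-know matrix."""
    alerts: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        ev = parse_line(line)
        if ev is None:
            # A log the monitor cannot read is itself worth a look.
            alerts.append({"line": lineno, "reason": "unparseable"})
            continue
        role = USER_ROLES.get(ev["user"])
        if role is None:
            alerts.append({"line": lineno, "user": ev["user"], "reason": "unknown_user"})
            continue
        if ev["cat"] not in ROLE_PERMISSIONS[role]:
            alerts.append({"line": lineno, "user": ev["user"], "role": role,
                           "category": ev["cat"], "reason": "no_need_to_know"})
            continue
        if ev["action"] not in ALLOWED_ACTIONS:
            alerts.append({"line": lineno, "user": ev["user"],
                           "action": ev["action"], "reason": "action_not_permitted"})
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

Running it over the sample flags four lines: the administrator reading an SSN record, the unknown user ID, the bulk export, and the unparseable entry. The two ordinary reads by users whose roles cover the category produce nothing, which is the point of writing the matrix down first.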

Laptop & Mobile Device Encryption
  • Encryption of Personal Information stored on laptops. Applies regardless of laptop location or use.
  • Encryption of Personal Information stored on "mobile devices". Does incoming email present a problem?

Security Patches & Firewalls
  • "Reasonably up-to-date firewall protection and operating system security patches" for Internet-connected computers
  • Problematic for legacy systems? Dated OSs?

System Security Agent Software
  • Requires use of anti-malware software. Macs and Linux boxes?
  • Are certain products "better" from a compliance standpoint?
  • "Set to receive…updates on a regular basis."

Employee Education and Training
  • Proper use of computer systems
  • Importance of Personal Information security
  • Applies to all employees?

Enforcement
  • AG's office enforces Chapter 93H and 201 CMR 17.00
  • No private right of action
  • But the regs may become the de facto standard in civil suits.

Discretion
Factors recognized by the regs:
  • Size, scope and type of business
  • Resources available to the business
  • Amount of stored data
  • Need for security and confidentiality

Liability and Risk
In the event of breach:
  • Governmental risk
  • Contractual risk
  • Insurance coverage at risk

Deadlines
  • Originally, Jan 1, 2009
  • Then, pushed to May 1, 2009
  • Now, deadline is Jan 1, 2010


The Approach
  1. Audit and assess
     • Inventory type of PI kept
     • Review 3rd-party contracts
     • Assess risks
  2. Plan information and data strategy
     • IT infrastructure and information process changes
  3. Implement plan and policies
     • Contract changes, employee policies, etc.

40 Broad Street Boston, MA 02109 (617) 350-6800 gesmer.com

980 Washington Street, Suite 124 Dedham, MA 02026 (781) 474-7700 ntirety.com

All rights reserved. ©2009 Gesmer Updegrove LLP. This may be considered advertising under Mass. R. Prof. C. 7.3(c).
