Massachusetts’ New
Data Security Regulations
And Their Impact On
Businesses
Amy Crafts
February 16, 2009
February 16, 2010
Identity Theft Is A Serious Problem
• Identity theft occurs when someone uses your personally
identifying information – your name, Social Security number or
credit card number – without your permission to commit fraud
or other crimes.
• The FTC estimates that over 9 million Americans have their
identities stolen each year.
• Massachusetts has become one of the most aggressive states
in the country in terms of protecting personal data following a
number of recent scandals.
Boston Globe – 2006
• Credit and bank card numbers of as many as 240,000
subscribers of the Boston Globe and Worcester Telegram &
Gazette were distributed with bundles of T&G newspapers.
- Confidential information on the back of paper slated for
recycling was used to wrap newspaper bundles.
- Underscores need for companies to focus on more than
just online security to protect sensitive information.
TJX – 2007
• Hackers breached TJX’s wireless network and gained access
to servers at the Framingham headquarters.
• TJX lacked appropriate firewalls to protect its servers.
• Allowed hackers to quickly export data.
• Affected more than 94 million accounts.
Hannaford Brothers – 2008
• Exposed 4.2 million debit and credit card numbers over period
from December 7, 2007 – March 10, 2008.
• Occurred even though Hannaford had met the payment card
industry standard and was not using wireless technology to
transmit unencrypted data.
- Both of these factors contributed to the TJX breach.
In Response To These Scandals, The State
Legislature Passed And Governor Patrick
Signed A New Data Breach Law
The law, “An Act Relative to Security Freezes and Notification of
Data Breaches,” creates two new chapters in the Massachusetts
General Laws:
• Chapter 93I (Disposition and Destruction of Records)
• Chapter 93H (Security Breaches)
Each Chapter Concerns The “Personal
Information” Of Massachusetts Residents
Personal information is defined as a Massachusetts resident’s
first and last name, or first initial and last name in combination
with any of the following information:
• the resident’s social security number;
• the resident’s driver’s license number or state issued
identification card number; or
• the resident’s financial account number, or credit or debit card
number.
The Broad Definition Of Personal Information
Will Have A Far-Reaching Effect
• Any company that employs Massachusetts residents will have
to comply.
• And it could change the way that many companies conduct
their day-to-day business.
The Law Applies To Your Business
It applies to all persons that own or license personal information of
Massachusetts residents.
“Persons” includes:
• A natural person
• Corporation
• Association
• Partnership
• Other legal entity
There is a carve out for certain government entities, including an
agency, executive office, department, board, commission, bureau,
division or authority of the Commonwealth, or any of its branches or
political subdivisions.
Compliance With Chapter 93I (Disposition and
Destruction of Records) Is Straightforward
• Sets forth minimum standards for destruction of paper and
electronic records containing personal information to ensure that
they cannot be read or reconstructed.
• Paper documents must be either:
- Redacted
- Burned
- Pulverized
- Shredded
• Electronic documents and other non-paper media must be either:
- Destroyed
- Erased
Entity Disposing Of Documents May Contract
With A Third Party
• The third party is required to implement and monitor compliance
with policies and procedures that prohibit unauthorized access to
or acquisition of or use of personal information during the
collection, transportation and disposal of personal information.
• Violations are subject to a civil fine of not more than $100 per
data subject affected, and each fine shall not exceed $50,000 for
each instance of improper disposal.
- Attorney General may file a civil action in superior or district
court to recover penalties.
Compliance With Chapter 93H (Security
Breaches) Is More Complicated
• Imposes notice obligations on employers that know or have
reason to know of a “breach of security” concerning the
personal information of any of its current or former employees,
or job applicants, who reside in Massachusetts.
• “Breach of security” is defined as the unauthorized acquisition
or use of unencrypted personal information (or encrypted
personal information plus theft of the decryption process or
key), whether in paper or electronic form, that creates a
substantial risk of identity theft or fraud.
Employees Must Be Notified Of Breach
• The employer must notify the affected employees, in writing,
“as soon as practicable and without unreasonable delay.”
• The notice must include the following information:
- How employees may obtain a police report;
- How employees may ask consumer reporting agencies
(Equifax, Experian and Transunion) to impose a security
freeze; and
- Any fees required to be paid to the consumer reporting
agencies.
Attorney General and Director Of OCABR Must
Also Be Notified Of Breach
• The employer must also provide written notice to the Attorney
General and the Director of Consumer Affairs and Business
Regulation. The notice must state:
- The nature of the breach;
- The number of affected employees who are residents of
Massachusetts; and
- Any remedial steps the employer has taken or plans to
take.
• If your business experiences a breach, make sure to work with
your attorney to assist you with the notification process.
Regulations Have Been Issued to Implement
M.G.L. 93H (Security Breaches)
Data Security Regulations – 201 C.M.R. 17.00
• As required by M.G.L. 93H, the regulations were issued by the
Office of Consumer Affairs and Business Regulation to
implement the new law.
• The regulations have evolved considerably since they were
first issued, and were finalized recently.
The Regulations Go Into Effect On
March 1, 2010
• Will be enforced by the Attorney General’s Office.
• Sets forth minimum standards to be met by those who own or
license personal information of Massachusetts residents in
connection with the safeguarding of personal information
contained in both paper and electronic forms.
- You may not have to start from scratch – your Operations
and Training Manual includes some data security
protections.
- Gather what you have and work with IT and legal
professionals to update as necessary.
The Regulations Have Three Objectives
1. To ensure the security and confidentiality of employee
information;
2. To protect against anticipated threats or hazards to the
security or integrity of such information;
3. To protect against unauthorized access to or use of such
information that may result in substantial harm or
inconvenience to any employee.
The Regulations Have Been Revised A Number
Of Times
• In response to pressure from businesses of all sizes, but
particularly small businesses, for which compliance would be
most onerous – i.e. mom and pop shops.
• The most recent iteration of the regulations is a “risk-based”
approach that allows for companies of different sizes and
resources to comply with the regulations in different ways.
- How this will be interpreted by regulators remains to be
seen.
The Regulations Contain Two Major
Components
1. A comprehensive written security program – every business
must have its own policy, tailored to its specific business.
2. Extensive requirements for electronic data – which must be
implemented to the extent technically feasible.
1. The Law Requires a Comprehensive
Information Security Program
• Every covered entity must develop, implement and maintain a
comprehensive information security program.
• Must be written.
• Must contain administrative, technical and physical
safeguards.
The Safeguards Should be “Risk Based”
They should be appropriate to
• the size, scope and type of business handling the information;
• the amount of resources available to the business;
• the amount of stored data; and
• the need for security and confidentiality of both consumer and
employee information.
This is an effort by Massachusetts to balance consumer
protections and business realities.
The Information Security Program Must Meet
Certain Requirements Set Forth In The
Regulations
• Provide for a designated employee to maintain the program.
• Identify and assess reasonably foreseeable internal and
external risks to the security, confidentiality and integrity of the
information.
The Information Security Program Must
Evaluate And Improve The Effectiveness Of The
Safeguards In Place
• Ongoing employee training, for permanent and contract
employees
• Employee compliance with policies and procedures
• Means for detecting and preventing security system failures
The Information Security Program Must Contain
Requirements For Employees
• Develop security policies for employees relating to the storage,
access and transportation of records outside of business
premises
• Impose disciplinary measures for violations of the program
rules
• Prevent terminated employees from accessing records
The Information Security Program Must Provide
For Oversight Of Service Providers And
Vendors
• Take reasonable steps to select and retain third party service
providers who also comply with the regulations
• Require third party service providers by contract to implement
and maintain appropriate security measures for personal
information
- This applies to any third party that works with you
- Reach out to them and ask about their plans to comply
An Important Carve Out For Existing Vendor
Contracts
• If a contract is already in place as of the effective date, March
1, 2010, there is a two year grace period for compliance.
• But any contract entered into after March 1, 2010 must ensure
that the third party service provider is also protecting personal
information in compliance with the regulations.
The Information Security Program Applies To
Paper Records, Too
• Storage of paper records must be in locked facilities, storage
areas or containers.
• The program must be regularly monitored.
• The security measures must be reviewed at least annually, or
if there is a material change in business practice that may
implicate the security or integrity of records.
The Information Security Program Requires
Certain Steps Following A Breach
• The covered entity must document responsive actions taken in
connection with any incident involving a breach of security.
• In the event of a breach, there is a mandatory post-incident
review of events and actions taken, if any, to make any
necessary changes in business practices.
• Again, if you experience a breach, make sure to consult with
your attorney.
2. There Are Additional Requirements For
Electronically Stored Information
• Covered entities that electronically store or transmit personal
information must establish and maintain a security system
covering their computers and any wireless system.
• Compliance is required to the extent technically feasible:
– “Technically feasible” means that if there is a reasonable
means through technology to accomplish a required result,
then that reasonable means must be used.
• Some of the requirements are technical, so make sure to
involve your IT staff.
User Passwords And Authorizations Are
Required
• Control of user IDs and other identifiers
• A reasonably secure method of assigning and selecting
passwords, or use of unique identifier technologies
• Control of data security passwords so security is not
compromised
• Restrict access to active users and active user accounts only
• Block access to user identification after multiple unsuccessful
attempts
Secure Access Control Measures Are Required
• Restrict access to records and files containing personal
information to those who need such information to perform
their job duties.
• Assign unique identifications plus passwords, which are not
vendor supplied default passwords, that are reasonably
designed to maintain the integrity of the security of the access
controls.
All Records And Files Containing Personal
Information Must Be Encrypted, Where
Technically Feasible
• Any records that will travel across public networks
• Any records that will be transmitted wirelessly
• Or that will be stored on laptops or other portable devices
Reasonable Monitoring For Unauthorized Use
Or Access Is Required
• Up-to-date firewall protection and operating system security
patches
• Up-to-date system security agent software, which must include
malware, patches and virus protection
• Education and training of employees on the proper use of the
computer security system and the importance of personal
information security
• Any questions should be directed to your regional IT staff
What Are The Penalties For Non-Compliance?
• Massachusetts provides for civil penalties in cases of noncompliance with its data breach notification statute.
• A civil penalty of $5,000 may be awarded for each violation.
• In addition, the Attorney General may bring a civil action under its
consumer protection statute, Chapter 93A, which permits
imposition of significant fines, injunctive relief and attorneys’ fees.
What Does All of this Mean?
Let’s discuss some hypothetical or frequently asked questions.
What About My In-Store Processing System?
• Answer is available from the IT department on a store-by-store
basis.
• If your ISP is not on a recent release, work with your Restaurant
Store Systems Manager, who can help you determine the proper
release and the path to get there.
How Do I Store And Destroy Old Tapes/CDs?
• Unless they are leaving your business premises, old tapes and
CDs should be stored in a locked file or room.
• Destruction must completely erase the content of the tapes and
CDs.
- Be careful – after data is erased, residue may remain which
could lead to inadvertent disclosure.
- Overwriting the storage data is a popular low cost option.
(Also called “wiping” or “shredding.”) Methods are
implemented in software.
- Work with your IT staff to ensure the tapes and CDs have been
completely erased.
How Should Businesses Protect Emails
Containing Personal Information?
• If technically feasible, emails should be encrypted.
• If not technically feasible, implement best practices by not
sending personal information via email.
- There are alternative methods to communicate personal
information other than through email, such as establishing a
secure website that requires safeguards including username
and password to conduct transactions involving personal
information.
Is There A Maximum Period Of Time To Keep
Records Containing Personal Information?
• No, but be aware of minimum state and federal law requirements.
- For example, MA law requires retention of personnel files for
three years after termination of employment.
• As good business practice, you should limit the amount of
personal information collected to that reasonably necessary to
accomplish the legitimate purpose for which it is collected, and
limit the time such information is retained to that reasonably
necessary to accomplish such purpose.
• Access should be limited to those persons who are reasonably
required to know such information.
How Much Employee Training Is Required?
• The regulations do not articulate what specifically is required.
• We suggest that you:
- Provide enough training to ensure that employees who will
have access to personal information know what their
obligations are regarding the protection of that information.
- Train both temporary and permanent employees.
- Convey to your employees that data security is taken seriously
by your business.
- Require trained employees to sign an acknowledgement of
training.
What Is The Extent Of The Monitoring
Obligation?
• Depends on the nature of your business, your business practices,
and the amount of personal information you own or license.
• Also depends on the form in which the information is kept and
stored.
• In the end, the monitoring you put in place must be such that it is
reasonably likely to reveal unauthorized access or use.
What If I Use Laptops?
• Assess whether your laptop(s) contain personal information.
• If they do, consider encryption.
- The regulations make clear that encryption must bring about a
“transformation of data into a form in which meaning cannot be
assigned.”
- Data must be altered into an unreadable form.
- Password protection is not enough.
What Should You Do Now?
• Develop a plan to work towards compliance.
• Evaluate protection mechanisms you have in place, and
determine how they must be revised.
• Talk to your colleagues – lawyers, IT, etc. to determine what
makes sense for your business.