Massachusetts’s New
Data Security Regulations
And Their Impact On Employers
Amy Crafts
December 15, 2009
1
December 15, 2009
Identity Theft Is A Serious Problem
• Identity theft occurs when someone uses your personally
identifying information – your name, Social Security number or
credit card number – without your permission to commit fraud
or other crimes.
• The FTC estimates that over 9 million Americans have their
identities stolen each year.
• Massachusetts has become one of the most aggressive states
in the country in terms of protecting personal data following a
number of recent scandals.
Boston Globe – 2006
• Credit and bank card numbers of as many as 240,000
subscribers of the Boston Globe and Worcester Telegram &
Gazette were distributed with bundles of T&G newspapers
- Confidential information on the back of paper slated for
recycling was used to wrap newspaper bundles
- Underscores need for companies to focus on more than
just online security to protect sensitive information
TJX – 2007
• Hackers breached TJX’s wireless network and gained access
to servers at the Framingham headquarters.
• TJX lacked appropriate firewalls to protect its servers.
• Allowed hackers to quickly export data.
• Affected more than 94 million accounts.
Hannaford Brothers – 2008
• Exposed 4.2 million debit and credit card numbers over period
from December 7, 2007 – March 10, 2008
• Occurred even though Hannaford had met the payment card
industry standard and was not using wireless technology to
transmit unencrypted data
- Both of these factors contributed to the TJX breach
In Response To These Scandals, The State
Legislature Passed And Governor Patrick
Signed A New Data Breach Law
The law, “An Act Relative to Security Freezes and Notification of
Data Breaches,” creates two new chapters in the Massachusetts
General Laws:
 Chapter 93H (Security Breaches)
Effective October 31, 2007
 Chapter 93I (Disposition and Destruction of Records)
Effective February 3, 2008
Each Chapter Concerns The “Personal
Information” Of Massachusetts Residents
Personal information is defined as a Massachusetts resident’s
first and last name, or first initial and last name in combination
with any of the following information:
 the resident’s social security number;
 the resident’s driver’s license number or state issued
identification card number; or
 the resident’s financial account number, or credit or debit card
number.
The Broad Definition Of Personal Information
Will Have A Far-Reaching Effect
 Any company that employs Massachusetts residents will have
to comply.
 Any benefits consultant will likely have to comply.
 And it could change the way that many companies do
business. For example, the way we handle our private equity
clients at Proskauer is going through dramatic changes, since
we gather and store investors’ information in connection with
fund closings.
And Chances Are, It Applies To You
It applies to all persons, which includes:
 A natural person
 Corporation
 Association
 Partnership
 Other legal entity
There is a carve out for certain government entities, including an
agency, executive office, department, board, commission,
bureau, division or authority of the Commonwealth, or any of its
branches or political subdivisions.
Compliance With Chapter 93I (Disposition and
Destruction of Records) Is Straightforward
• Sets forth minimum standards for destruction of paper and
electronic records containing personal information to ensure that
they cannot be read or reconstructed.
• Paper documents must be either:
- Redacted
- Burned
- Pulverized
- Shredded
• Electronic documents and other non-paper media must be either:
- Destroyed
- Erased
Compliance With Chapter 93I (Disposition And
Destruction Of Records) Is Straightforward
• Entity disposing of documents may contract with a third party to
do so.
- The third party is required to implement and monitor
compliance with policies and procedures that prohibit
unauthorized access to or acquisition of or use of personal
information during the collection, transportation and disposal of
personal information.
• Violations are subject to a civil fine of not more than $100 per
data subject affected, and each fine shall not exceed $50,000 for
each instance of improper disposal.
- Attorney General may file a civil action in superior or district
court to recover penalties.
Compliance With Chapter 93H (Security
Breaches) Is More Complicated
• Imposes notice obligations on employers that know or have
reason to know of a “breach of security” concerning the
personal information of any of its current or former employees,
or job applicants, who reside in Massachusetts.
• “Breach of security” is defined as the unauthorized acquisition
or use of unencrypted personal information (or encrypted
personal information plus theft of the decryption process or
key), whether in paper or electronic form, that creates a
substantial risk of identity theft or fraud.
If A Breach of Security Occurs….
• The employer must notify the affected employees, in writing,
“as soon as practicable and without unreasonable delay.”
• The notice must include the following information:
- How employees may obtain a police report;
- How employees may ask consumer reporting agencies
(Equifax, Experian and Transunion) to impose a security
freeze; and
- Any fees required to be paid to the consumer reporting
agencies.
If A Breach of Security Occurs….
• The employer must also provide written notice to the Attorney
General and the Director of Consumer Affairs and Business
Regulation. The notice must state:
- The nature of the breach;
- The number of affected employees who are residents of
Massachusetts; and
- Any remedial steps the employer has taken or plans to
take.
• Special notice procedures apply if the cost of providing written
notice will exceed $250,000, or more than 500,000 employees
are to be notified, or the employer lacks sufficient contact
information to provide written notice.
Regulations Have Been Issued to Implement
M.G.L. 93H (Security Breaches)
Data Security Regulations – 201 C.M.R. 17.00
• As required by M.G.L. 93H, the regulations were issued by the
Office of Consumer Affairs and Business Regulation to
implement the new law.
• Initially issued September 2008; most recently updated in
November 2009.
Regulations Have Been Issued to Implement
M.G.L. 93H (Security Breaches)
• Establish minimum standards to be met by those who own or
license personal information of Massachusetts residents in
connection with the safeguarding of personal information
contained in both paper and electronic forms.
• Go into effect on March 1, 2010.
• Will be enforced by the Attorney General’s Office.
• Initially issued September 2008; last updated in November
2009.
The Regulations Have Been Revised A Number
Of Times
 In response to pressure from businesses of all sizes, but
particularly small businesses, for which compliance would be
particularly onerous.
 The new Undersecretary of the Office of Consumer Affairs and
Business Regulation, Barbara Anthony has been very
receptive to the challenges that businesses of all sizes face in
complying with the new regulations.
 The new iteration of the regulations, issued in early November
as the final set, is a “risk-based” approach that allows
companies of different sizes and resources to comply with the
regulations in different ways.
The Regulations Have Three Objectives:
1. To ensure the security and confidentiality of customer
information;
2. To protect against anticipated threats or hazards to the
security or integrity of such information;
3. To protect against unauthorized access to or use of such
information that may result in substantial harm or
inconvenience to any customer.
The Regulations Contain Two Major
Requirements
1. A comprehensive written security program.
2. Extensive requirements for electronic data.
1. The Law Requires a Comprehensive
Information Security Program
 Every covered entity must develop, implement and maintain a
comprehensive information security program.
 Must be written.
 Must contain administrative, technical and physical
safeguards.
The Safeguards Should be “Risk Based”
They should be appropriate to
 the size, scope and type of business handling the information;
 the amount of resources available to the business;
 the amount of stored data; and
 the need for security and confidentiality of both consumer and
employee information.
The Safeguards Have Been Extensively
Revised
 The current iteration is a risk-based approach to alleviate the
burden on small businesses that may not handle a lot of
personal information.
 According to Undersecretary Anthony, it is an effort by her
office “to balance consumer protections and business
realities.”
The Written Security Program Must
 Provide for a designated employee to maintain the program
 Identify and assess reasonably foreseeable internal and
external risks to the security, confidentiality and integrity of the
information
And Evaluate And Improve The Effectiveness Of
The Safeguards In Place, Including
 Ongoing employee training, for permanent and contract
employees
 Employee compliance with policies and procedures
 Means for detecting and preventing security system failures
The Written Security Program Must Also
 Develop security policies for employees relating to the storage,
access and transportation of records outside of business
premises
 Impose disciplinary measures for violations of the program
rules
 Prevent terminated employees from accessing records
It Requires Oversight Of Service Providers And
Vendors By:
 Taking reasonable steps to select and retain third party service
providers who also comply with the regulations
 Requiring third party service providers by contract to
implement and maintain appropriate security measures for
personal information
With An Important Carve Out
 If a contract is already in place as of the effective date, March
1, 2010, there is a two year grace period for compliance.
 But any contract entered into after March 1, 2010 must ensure
that the third party service provider is also protecting personal
information in compliance with the regulations.
In Addition . . .
 Storage of paper records must be in locked facilities, storage
areas or containers.
 The program must be regularly monitored.
 The security measures must be reviewed at least annually, or
if there is a material change in business practice that may
implicate the security or integrity of records.
In Addition . . .
 The covered entity must document responsive actions taken in
connection with any incident involving a breach of security.
 In the event of a breach, there is a mandatory post-incident
review of events and actions taken, if any, to make any
necessary changes in business practices.
2. There Are Additional Requirements For
Electronically Stored Information
 Covered entities that electronically store or transmit personal
information must establish and maintain a security system
covering their computers and any wireless system.
 To the extent technically feasible, covered entities must also ...
– (“technically feasible” means that if there is a reasonable
means through technology to accomplish a required result,
then that reasonable means must be used)
Secure User Authentication Protocols, Including:
 Control of user IDs and other identifiers
 A reasonably secure method of assigning and selecting
passwords, or use of unique identifier technologies (biometrics
or token devices)
 Control of data security passwords so security is not
compromised
 Restrict access to active users and active user accounts only
 Block access to user identification after multiple unsuccessful
attempts
Secure Access Control Measures That
 Restrict access to records and files containing personal
information to those who need such information to perform
their job duties.
 Assign unique identifications plus passwords, which are not
vendor supplied default passwords, that are reasonably
designed to maintain the integrity of the security of the access
controls.
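The two preceding slides state the authentication and access-control measures as outcomes. The following is an added example, not code from the presentation or from Proskauer, showing those controls implemented in a small in-memory Go account store: unique user IDs, rejection of vendor-supplied default passwords, lockout after repeated failed attempts, and denial for deactivated (terminated) accounts. The lockout threshold of five attempts, the 12-character minimum, the vendor-default list and all user names are assumptions; the regulations set none of these values.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Assumed lockout threshold: the regulation says "multiple unsuccessful
// attempts" without fixing a number.
const maxFailedAttempts = 5

// Constructed list of vendor-supplied default passwords that may never be assigned.
var vendorDefaults = map[string]bool{
	"admin": true, "password": true, "changeme": true, "default": true,
}

var (
	ErrDuplicateID = errors.New("user ID already assigned")
	ErrDefaultPass = errors.New("vendor-default password rejected")
	ErrWeakPass    = errors.New("password shorter than minimum length")
	ErrDenied      = errors.New("authentication denied")
)

type Account struct {
	UserID   string
	passHash [32]byte
	Active   bool // cleared when the employee is terminated
	Failures int  // consecutive failed attempts
	Locked   bool // set after maxFailedAttempts; needs an administrator reset
}

type Store struct{ accounts map[string]*Account }

func NewStore() *Store { return &Store{accounts: map[string]*Account{}} }

// hashPassword stands in for a salted, slow password hash (bcrypt, scrypt,
// argon2); plain SHA-256 is used only to keep this example standard-library.
func hashPassword(p string) [32]byte { return sha256.Sum256([]byte(p)) }

// AddUser assigns a unique identifier and a password that is not a vendor default.
func (s *Store) AddUser(id, password string) error {
	if _, exists := s.accounts[id]; exists {
		return ErrDuplicateID
	}
	if vendorDefaults[strings.ToLower(password)] {
		return ErrDefaultPass
	}
	if len(password) < 12 { // assumed minimum length
		return ErrWeakPass
	}
	s.accounts[id] = &Account{UserID: id, passHash: hashPassword(password), Active: true}
	return nil
}

// Deactivate blocks a terminated employee's account without deleting its history.
func (s *Store) Deactivate(id string) {
	if a, ok := s.accounts[id]; ok {
		a.Active = false
	}
}

// Authenticate succeeds only for an active, unlocked account presenting the
// right password. Every failure returns the same ErrDenied so the response
// does not reveal which check failed.
func (s *Store) Authenticate(id, password string) error {
	a, ok := s.accounts[id]
	if !ok || !a.Active || a.Locked {
		return ErrDenied
	}
	h := hashPassword(password)
	if subtle.ConstantTimeCompare(h[:], a.passHash[:]) != 1 {
		a.Failures++
		if a.Failures >= maxFailedAttempts {
			a.Locked = true
		}
		return ErrDenied
	}
	a.Failures = 0
	return nil
}

// IsLocked reports whether repeated failures have blocked the identifier.
func (s *Store) IsLocked(id string) bool {
	a, ok := s.accounts[id]
	return ok && a.Locked
}

func main() {
	s := NewStore()
	fmt.Println("assign 'admin':", s.AddUser("alice", "admin"))
	fmt.Println("assign strong password:", s.AddUser("alice", "correct-horse-battery"))
	for i := 0; i < maxFailedAttempts; i++ {
		s.Authenticate("alice", "wrong-guess")
	}
	fmt.Println("locked after repeated failures:", s.IsLocked("alice"))
}
```

A locked account stays locked until an administrator intervenes, which is the simplest reading of "block access to user identification after multiple unsuccessful attempts"; a timed unlock would also satisfy the wording but makes the lockout easier to overlook in monitoring.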
Encrypt All Records And Files Containing
Personal Information
 That will travel across public networks
 That will be transmitted wirelessly
 Or that will be stored on laptops
In Addition, For Electronically Stored Information
Reasonable monitoring for unauthorized use or access
 Up-to-date firewall protection and operating system security
patches
 Up-to-date system security agent software, which must include
malware, patches and virus protection
 Education and training of employees on the proper use of the
computer security system and the importance of personal
information security.
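As an added example of "reasonable monitoring for unauthorized use or access" (not code from the presentation), the Go program below reviews a constructed access log against a need-to-know list and an active-account list, and reports every read or write of a personal-information record by an account that is inactive or lacks a need to know. The log format, user names, record paths and the classification prefixes are all assumptions; the prefixes stand for the output of the risk assessment the earlier slides call for.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed access-log sample in an assumed format:
//   <timestamp> <user> <action> <record>
// The last line is deliberately malformed to show that it is skipped.
const sampleLog = `2009-12-01T09:02:11Z hr.jones READ payroll/ssn/emp-1042
2009-12-01T09:05:47Z hr.jones READ payroll/ssn/emp-1043
2009-12-01T09:30:00Z it.contractor READ payroll/ssn/emp-1042
2009-12-01T10:15:22Z sales.lee READ crm/accounts/acme
2009-12-01T11:41:09Z former.smith READ payroll/bank/emp-1042
2009-12-01T12:00:03Z hr.jones LOGIN_FAILED -
this line does not follow the log format at all`

// Record prefixes that hold personal information (assumed classification).
var personalInfoPrefixes = []string{"payroll/ssn/", "payroll/bank/"}

// Users whose job duties require personal information, and all active accounts
// (both constructed for the example).
var needToKnow = map[string]bool{"hr.jones": true, "hr.patel": true}
var activeUsers = map[string]bool{
	"hr.jones": true, "hr.patel": true, "it.contractor": true, "sales.lee": true,
}

type Finding struct {
	Line   string
	Reason string
}

func isPersonalInfo(record string) bool {
	for _, p := range personalInfoPrefixes {
		if strings.HasPrefix(record, p) {
			return true
		}
	}
	return false
}

// ReviewAccessLog walks the log and reports reads or writes of
// personal-information records by accounts that are inactive or that lack
// a need to know. Inactive accounts are reported first because a terminated
// employee reaching records is the more serious failure.
func ReviewAccessLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Fields(line)
		if len(f) != 4 {
			continue // malformed line; a production reviewer would count these too
		}
		user, action, record := f[1], f[2], f[3]
		if (action != "READ" && action != "WRITE") || !isPersonalInfo(record) {
			continue
		}
		switch {
		case !activeUsers[user]:
			findings = append(findings, Finding{line, "access by inactive account"})
		case !needToKnow[user]:
			findings = append(findings, Finding{line, "access by user without need to know"})
		}
	}
	return findings
}

func main() {
	for _, f := range ReviewAccessLog(sampleLog) {
		fmt.Printf("%s: %s\n", f.Reason, f.Line)
	}
}
```

Run against the sample, the review flags the contractor's read of an SSN record and the former employee's read of a bank-account record, and says nothing about HR staff reading records their duties require. The check is only as good as the two lists, which is why the slides pair monitoring with an up-to-date process for removing terminated employees' access.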
What Does All of this Mean?
Let’s discuss some hypothetical or frequently asked questions.
Must Backup Tapes Be Encrypted?
• Yes, on a prospective basis.
• However, if you are going to transport a backup tape from
storage, and it is technically feasible to encrypt (meaning that the
tape allows encryption) then you must do so prior to the transfer.
• If it is not technically feasible, you should consider the sensitivity
of the information, the amount of personal information and the
distance to be traveled and take appropriate steps to secure and
safeguard the personal information.
- For example, if you are transporting a large amount of sensitive
personal information, you may want to consider using an armored
vehicle with an appropriate number of guards.
Must Email Be Encrypted If It Contains Personal
Information?
• If it is not technically feasible, then no.
• But you should implement best practices by not sending
unencrypted personal information in an email.
• There are alternative methods to communicate personal
information other than through email, such as establishing a
secure website that requires safeguards such as a username and
password to conduct transactions involving personal information.
What Is Required Of A Small Business With Few
Employees, Where No Other Personal
Information Is Stored?
• If you only have employee data with a small number of
employees, you should lock your files in a storage cabinet and
lock the door to that room.
- You should permit access to only those who require it for official
duties.
• If you have both employee and customer data containing
personal information, then your security approach would have to
be more stringent.
What If You Only Swipe Credit Cards, And Do
Not Retain Personal Information?
• If you use swipe technology only, and you do not have actual
custody or control over the personal information, then you do not
own or license personal information with respect to that data, as
long as you batch out such data in accordance with the Payment
Card Industry (PCI) standards.
Is There A Maximum Period Of Time To Keep
Records Containing Personal Information?
• No, that is a business decision that is up to you.
• As good business practice, you should limit the amount of
personal information collected to that reasonably necessary to
accomplish the legitimate purpose for which it is collected and
limit the time such information is retained to that reasonably
necessary to accomplish such purpose.
• Access should be limited to those persons who are reasonably
required to know such information.
Should Paper And Electronic Records Be
Inventoried?
• No, it is not necessary to inventory your records.
• However, you should perform a risk assessment and identify
which of your records contain personal information so that you
can handle and protect that information.
How Much Employee Training Is Required?
• There is no basic standard.
• You will need to do enough training to ensure that the employees
who will have access to personal information know what their
obligations are regarding the protection of that information.
Is Compliance Necessary If You Already Comply
With HIPAA?
• YES.
What Is The Extent Of The Monitoring
Obligation?
• Depends on the nature of your business, your business practices,
and the amount of personal information you own or license.
• Also depends on the form in which the information is kept and
stored.
• In the end, the monitoring you put in place must be such that it is
reasonably likely to reveal unauthorized access or use.
Is Password Protecting A Laptop Enough?
• No. The regulations make clear that encryption must bring about
a “transformation of data into a form in which meaning cannot be
assigned.”
- Means that the data must be altered into an unreadable form.
- Password protection is not enough.
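To make the distinction on this slide concrete, and to show what the earlier requirement to encrypt records that travel across public networks, go wirelessly or sit on laptops amounts to in practice, here is an added Go example that is not part of the presentation. It contrasts a "password-protected" record, whose bytes are stored unchanged and remain readable to anyone who reads the medium directly, with the same record sealed under AES-256-GCM, after which the stored bytes no longer contain the personal information and cannot be read or altered without the key. The record contents are constructed and obviously fake; the key is generated in memory for the demonstration, whereas in a real deployment it would be kept apart from the laptop or tape, since the statute treats encrypted data plus a stolen key as a breach.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed record with obviously fake personal information.
var sampleRecord = []byte("Jane Doe, SSN 000-00-0000, account 0000000000")

// PasswordGated models a "password-protected" file or laptop login: the
// bytes are stored unchanged and the password only decides whether this
// program will display them. Reading the disk directly bypasses the gate.
type PasswordGated struct {
	Password string
	Stored   []byte
}

// Open returns the record if the password matches.
func (p PasswordGated) Open(password string) ([]byte, error) {
	if password != p.Password {
		return nil, errors.New("wrong password")
	}
	return p.Stored, nil
}

// StillReadable reports whether a stored form still contains the plaintext
// fragment, i.e. whether meaning can still be assigned without any key.
func StillReadable(stored, fragment []byte) bool {
	return bytes.Contains(stored, fragment)
}

// NewKey generates a random 256-bit AES key. Store it apart from the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Encrypt seals the record with AES-256-GCM; output is nonce || ciphertext+tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails on a wrong key or any tampering.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	gate := PasswordGated{Password: "hunter2", Stored: sampleRecord}
	fmt.Println("gated record still contains the SSN:", StillReadable(gate.Stored, []byte("000-00-0000")))
	key, _ := NewKey()
	sealed, _ := Encrypt(key, sampleRecord)
	fmt.Println("sealed record still contains the SSN:", StillReadable(sealed, []byte("000-00-0000")))
	back, _ := Decrypt(key, sealed)
	fmt.Println("decrypts back to the original:", bytes.Equal(back, sampleRecord))
}
```

The gate answers the question "will this program show me the data?"; encryption answers "can anyone assign meaning to these bytes without the key?". Only the second satisfies the regulation's definition, which is why a laptop login password on an unencrypted disk does not count.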
What If Law Requires Contracting With A
Particular Third Party Service Provider?
• If state or federal law requires the use of a specific third party
service provider, then the obligation to select and retain would
effectively be met.
What Should You Do Now?
• Develop a plan in advance of the March 1, 2010 effective date
• Evaluate protection mechanisms you have in place, and
determine how they must be revised
• Talk to your colleagues – lawyers, IT, etc. to determine what
makes sense for your business
• Start now – these changes will take time, and March is right
around the corner