Healthcare Initiative Presentation

Emerging Issues in Data Security and an Overview of the Massachusetts Data Security Law
March 27, 2008
David Szabo, Nutter, McClennen & Fish
David A. Holley, Kroll
Scott Schafer, Office of the Attorney General
Art Crow, Millennium Pharmaceuticals
Introductory Comments:
David S. Szabo
Nutter, McClennen & Fish
Key Points
New State Data Breach Law Effective October 1, 2007
New State Data Disposal Law Effective February 3, 2008
Other States’ Laws Must be Observed, Too
Proposed Information Security Regulations
Other States’ Laws
At least 38 States have enacted data breach notification laws
Most of these protect financial (identity theft) information, but
some also protect medical information (e.g. new California
amendments)
The states have differing notice requirements in regards to
timing, content and the like.
Other States’ Laws
Are you subject to those laws? You should find out now,
not later.
You must coordinate notices and other compliance issues
across jurisdictions.
Responses can be complex, as laws may conflict
Other Laws May Apply?
HIPAA
GLB
EU Data Directive
In Event of Trouble
Read your data breach policy (you do have one, don’t you?)
Investigate and determine the facts
Call your insurance carrier
Notify counsel
Notify, as required by law
Notify, as required by contracts
Mitigate, as needed
What the numbers look like:
David A. Holley
Kroll Worldwide
Identity Theft and Fraud
Numbers
• Attrition.org:
  2006 – 326/45,538,298 vs. 2007 – 275/126,231,985 – a 277% increase
• ITRC:
  2006 – 392/49,000,000 vs. 2007 – 443/127,369,523 – a 260% increase
Cost to Organizations
• Average Cost of a data breach - $197/record
  (increase of 8% over 2006, 43% over 2005) *
• Cost of lost business - $128/record
  (increase of 30% over 2006) *
• Costs organizations expended for legal defense and PR
  (8% and 3% of total breach costs, respectively) *
• Cost of a data breach for financial services organizations was $239/record
  (21% higher than average) *
* Source: Ponemon Institute – November 2007
Cost and Commerce
• Industry Issues
  − FTC Estimates nearly 10 Million victims per year
  − Many victims don’t know or don’t report
  − Fastest growing white collar crime in America
  − Average 175 hours and $1,500 to resolve
  − 49% of data breaches were due to lost or stolen laptops or other devices (i.e. USB) *
• Common Types of Fraud
  − Current Credit – Credit Card, Debit Card, Phone Card
  − Identity Fraud using:
    − Your name and SS# to:
      − Establish new credit
      − Commit other criminal activity
  − Only 21% of ID theft is credit related
• Consumer claims, blogging sites, class action
• Tangible loss of credibility in your community
• Lost business accounts for 65% of breach costs.
  (increase of 30% over 2006) *
* Source: Ponemon Institute – November 2007
Addressing the Risk
• Avoidance - No
  − Not really an option
• Mitigation - Absolutely
  − The possibility of risk of breach can be reduced before an incident
• Insurance - Absolutely
  − Regular commercial insurance programs do not cover data breaches
  − Cyber Risk policies can be customized to insure liability and costs of
    notification and compliance
Data Protection: Concepts and Practice
Art Crow
Millennium Pharmaceuticals
Considerations
• What information do I need to protect?
• How and where do I store this information?
• Who should have access to the information?
• How do I protect my information from theft or wrongful use?
[Diagram: Information Storage at the center, surrounded by R&D, Clinical, Financial, Operations, Commercial and Human Resources]
Integrated Security Approach
• Risk Assessment
• Information Technology Controls
• Physical Security Controls
• Procedural Controls
Information Technology Controls
• Network – Servers – Computers – Software
• Change manufacturer’s default passwords!
• If it doesn’t have anti-virus/anti-spam/anti-spyware software, it doesn’t go on
the network (i.e., lab equipment computers)
Information Technology Controls
• Encrypted hard drives on all laptops – encryption software is not enough
  − Not everyone needs a laptop
• Limit remote network access to only those people who require it in the
performance of their job
• Anti-theft/recovery software
Physical Security Controls
• Install your own physical security system
• Use a card access system and CCTV cameras
• An alarmed door does no good if someone doesn’t respond to the alarm
• Lock the server and network gear rooms
• Restrict access to sensitive areas – the CFO does not need access to the data
center
• One key should not unlock all doors
Company Policies
• Passwords
− Minimum 8 characters
− Combination of letters, numbers and symbols
− Change every 90 days
• Acceptable Use
− Business purposes only
− No downloading of software/programs from the internet
Company Policies
• No Shareware
• No non-business related software on any computer or server
• Screen savers and passwords are a must – no exceptions
• Store sensitive data in a server file – not on the laptop or a CD
Conclusion
• Good IT and physical security controls can reduce the risk of data theft
• In order for security to be effective it must be an integral part of the company
culture
• All employees and vendors should receive training in company IT and physical
security policies
• Monthly security briefs will reinforce company security policies and help to
alert people to emerging threats
• Social engineering – The Art of Deception
Overview of Massachusetts
Data Security Laws
Scott D. Schafer
Assistant Attorney General
Consumer Protection Division
Office of Massachusetts
Attorney General Martha Coakley
Massachusetts Identity Theft Legislation
August 3, 2007
Massachusetts adopts comprehensive identity theft legislation
Becomes the 39th state to protect residents by requiring that they be
notified in the event of a data security breach or unauthorized access or
use of their personal information.
Massachusetts Identity Theft Legislation
Major Provisions of the Legislation
1) Establishes a consumer’s right to request a security freeze (G.L. ch. 93,
   §§56 and 62A);
2) Establishes requirements for notification to state government and
   consumers in the event of a data breach (G.L. ch. 93H); and
3) Establishes requirements for destruction and disposal of records
   containing a consumer’s personal information (G.L. ch. 93I).
Security Breaches
G.L. ch. 93H
Who does the law apply to?
Any individual, business or governmental agency that owns, licenses,
maintains or stores data whose unauthorized access or use is capable
of compromising a Massachusetts resident’s personal information.
Security Breaches
G.L. ch. 93H
What is personal information?
First name and last name or first initial and last name of a resident in
combination with one or more of the following:
1. SSN;
2. driver's license number or state-issued card id number; or
3. financial account, debit or credit card number.
Security Breaches
G.L. ch. 93H
Massachusetts law protects personal information regardless of form – paper or
electronic.
Protected personal information does not include information that is lawfully
obtained from publicly available information.
Security Breaches
G.L. ch. 93H
When is notice triggered?
1. Breach of security
2. Personal information acquired or used by an unauthorized person;
or
3. Personal information used for an unauthorized purpose.
Security Breaches
G.L. ch. 93H
Definition of “Breach of Security”
Unauthorized acquisition or use of unencrypted data or, encrypted electronic
data and the confidential process or key that is capable of compromising the
security, confidentiality of personal information, maintained by a person or
agency that creates a substantial risk of identity theft or fraud against a
Massachusetts resident.
Security Breaches
G.L. ch. 93H
Definition of “Breach of Security”
Broader definition -- Breach need not involve “personal information” as defined
in statute
Notice triggered if there is a substantial risk of ID Theft or fraud
Security Breaches
G.L. ch. 93H
Personal Information Notification Triggers
Personal information acquired or used by unauthorized person
Personal information used for unauthorized purpose
Security Breaches
G.L. ch. 93H
Personal Information Notification Triggers
No “substantial risk of harm” calculus.
Notification is triggered by the breach itself rather than the likelihood of harm
or misuse of personal information.
Entities are therefore not exempt from providing notice if a breach does not
create a risk of harm.
Security Breaches
G.L. ch. 93H
Who must be notified?
1. The Attorney General;
2. Director of Consumer Affairs and Business Regulation; and
3. Affected Residents
Security Breaches
G.L. ch. 93H
What must the notice say?
Massachusetts law has different content requirements depending on the
recipient of the notice.
Security Breaches
G.L. ch. 93H
Notice to the Attorney General and Director of Consumer Affairs and Business
Regulation
1. Nature of the breach of security or the unauthorized
access or use of personal information;
2. Number of Massachusetts residents affected; and
3. Steps the notifying entity is taking, or plans to take,
relating to the incident.
Security Breaches
G.L. ch. 93H
Notice to Affected MA Residents
1. Consumer’s right to obtain police report;
2. How a consumer requests a security freeze (G.L. 93, §§ 56 and 62A);
3. Information consumer will need to provide to request security freeze; and
4. Disclosure of fees associated with placing, lifting or removing a security freeze
Security Breaches
G.L. ch. 93H
Notice to Affected MA Residents
Notice to the affected residents shall not include:
1. Nature of the breach or unauthorized
access or use; or
2. The number of residents affected.
Security Breaches
G.L. ch. 93H
Common Mistakes Made in
Notices to Affected MA Residents
1. Notice is too general and fails to include
the four (4) Massachusetts specific requirements
2. Fraud Alert vs. Security Freeze
Security Breaches
G.L. ch. 93H
Common Mistakes Made in
Notices to Affected MA Residents
3. References to websites rather than providing information in letter itself –
thereby putting burden on affected residents to find information
4. Provides a range of fees relating to security freeze when in fact amount is
set by statute (G.L. ch. 93, §62A)
Security Breaches
G.L. ch. 93H
Notice to Affected MA Residents
Law provides for direct notice to affected consumers unless:
1. More than 500,000 affected MA residents; or
2. Costs of providing written notice shall exceed $250,000.
“Substitute” notice consists of: 1) email notice to affected consumers; 2) clear
and conspicuous notice on the company’s home page; and 3) publication in
statewide media.
Security Breaches
G.L. ch. 93H
When must notice be provided?
“As soon as practicable and without unreasonable delay”
Massachusetts permits a delay where law enforcement determines notification
would hinder a criminal investigation -- provided that the law enforcement
agency notifies the Attorney General of that determination.
[Chart: Number of Reported Data Breaches]

[Chart: Number of Affected Massachusetts Residents]
Most Common Causes of Data Breaches
Stolen Laptops
Rogue Employees
Inadvertent Disclosure
Intra-company Email
Hacking
Data Disposal
G.L. ch. 93I
Scope of the Law
Requires individuals, businesses and governmental agencies to employ
certain safeguards when disposing of or destroying records containing
personal information – regardless of form.
Data Disposal
G.L. ch. 93I
Minimum standard for disposal/destruction of records
Destruction of records containing personal information must be done in such a
manner so that personal information "cannot practically be read or
reconstructed."
Paper records shall be burned, redacted, pulverized or shredded so that
personal information cannot be read or reconstructed.
Electronic records and other non-paper media shall be destroyed or erased so
that personal information cannot be read or reconstructed.
Data Disposal
G.L. ch. 93I
Third-party Disposal
May use third parties provided that the third parties adopt and monitor
compliance with policies and procedures that prohibit unauthorized access to
or use of personal information in the course of the collection, transportation or
disposal of the information.
Entities employing such third-party services should obtain written assurances
from the third party that its disposal practices are in compliance with the law.
Data Disposal
G.L. ch. 93I
Penalties
$100 per individual affected
Maximum of $50,000 per instance of improper disposal