Massachusetts’ New
Data Security Regulations:
Ten Steps To Compliance
Amy Crafts
[email protected]
617.526.9658
April 23, 2010
1. Determine Whether You Own Or License
Personal Information And Where It Is Located
The regulations apply to all persons – including natural persons,
corporations, associations, partnerships or other legal entities – that
own or license personal information of MA residents.
Personal information is defined by the regulations as a
Massachusetts resident’s first and last name, or first initial and last
name, in combination with any of the following information:
• the resident’s Social Security number;
• the resident’s driver’s license number or state-issued
identification card number; or
• the resident’s financial account number, or credit or debit card
number.
2. Develop A Written Information Security
Program (WISP)
• Massachusetts requires that all covered entities must develop,
implement and maintain a comprehensive WISP.
• WISP must be risk-based, and must contain administrative,
technical and physical safeguards that are appropriate to:
- the size, scope and type of business;
- the amount of resources available to the business;
- the amount of stored data; and
- the need for security and confidentiality of both consumer and
employee information.
3. Designate Employee(s) Responsible For
Implementing And Maintaining WISP
Responsibilities should include:
• Regular monitoring to ensure that the WISP is operating in a
manner intended to prevent unauthorized access to or use of
personal information.
• Upgrading information safeguards as necessary to decrease risk.
• Reviewing scope of security measures at least annually, or
whenever there is a material change in business practice that
may implicate security or integrity of personal information.
• Following a security breach, conducting and documenting a
post-incident review of events and actions taken.
4. Identify And Assess Reasonably Foreseeable
Internal And External Risks To Security And
Integrity Of Personal Information
Efforts should include:
• Ongoing employee (including temporary and contract employee)
training on the proper use of the computer security system and
the importance of personal information security.
• Employee compliance with policies and procedures – and
imposition of disciplinary measures for noncompliance.
• Means for detecting and preventing security system failures.
5. Identify Paper Records That Contain
Personal Information
• Restrict access only to those employees who need information to
perform their employment responsibilities.
• Require that terminated employees return copies of any
documents containing personal information.
• Store in locked facilities, storage areas or containers.
• Develop a security policy for storage, access and transportation
of such records outside of business premises.
6. Implement Secure User IDs/Passwords And
Access Control Measures
• Develop a secure method of assigning passwords, preferably
unique identifications plus passwords, and consider using identifier
technologies, such as biometrics or token devices.
• Ensure that user IDs and passwords are kept in a locked or
encrypted file.
• Block access after multiple unsuccessful attempts to gain access.
• Restrict access to active users and active user accounts, and
those who need such information to perform their job duties.
7. Ensure Security Of Computer Systems
• Requires reasonably up-to-date firewall protection and operating
security system patches, designed to maintain integrity of
personal information.
• Requires reasonably up-to-date versions of system security agent
software, including malware protection, patches and virus
definitions.
8. Encrypt Electronic Files, To The Extent
“Technically Feasible”
• All transmitted files containing personal information that will travel
across public networks (i.e. the Internet), and all data that will be
transmitted wirelessly, should be encrypted.
• All personal information stored on laptops or other portable
devices should be encrypted.
9. Oversee Third-Party Service Providers
• Take reasonable steps to select and retain third-party service
providers that are capable of maintaining security measures to
protect personal information.
• Require third-party service providers by contract to implement
and maintain appropriate security measures for personal
information, with a carve-out:
- Contracts in existence prior to March 1, 2010 do not have to contain
such a representation until March 1, 2012.
10. When Discarded, Completely Destroy Paper
And Electronic Documents
• Paper documents must be either:
- Redacted
- Burned
- Pulverized
- Shredded
• Electronic documents and other non-paper media must be either:
- Destroyed
- Erased
What Are The Penalties For Non-Compliance
With The Regulations?
• Massachusetts provides for civil penalties in cases of noncompliance, pursuant to its consumer protection statute, M.G.L.
93A.
• A civil penalty of $5,000 may be awarded for each deceptive act
or practice, in addition to injunctive relief and attorneys’ fees.
What Does All Of This Mean?
Let’s discuss some hypothetical or frequently asked questions.
How Do I Store And Destroy Old Tapes/CDs?
• Old tapes and CDs (which are portable devices) should be
encrypted, or at least stored in a locked file or room.
• Destruction must completely erase the content of the tapes and
CDs.
- Be careful – after data is erased, residue may remain which
could lead to inadvertent disclosure.
- Overwriting the storage data is a popular low-cost option
(also called “wiping” or “shredding”).
- Work with your IT staff to ensure the tapes and CDs have been
completely erased.
How Should Businesses Protect E-mails
Containing Personal Information?
• If technically feasible, e-mails should be encrypted.
• If not technically feasible, implement best practices by not
sending personal information via e-mail.
- There are alternative methods to communicate personal
information other than through e-mail, such as establishing a
secure Website that requires safeguards including username
and password to conduct transactions involving personal
information.
Is There A Maximum Period Of Time To Keep
Records Containing Personal Information?
• As good business practice, you should limit the amount of
personal information collected to that reasonably necessary to
accomplish the legitimate purpose for which it is collected, and
limit the time such information is retained to that reasonably
necessary to accomplish such purpose.
• Access should be limited to those persons who are reasonably
required to know such information.
How Much Employee Training Is Required?
• The regulations do not articulate what specifically is required.
• We suggest that you:
- Provide enough training to ensure that employees who will
have access to personal information know what their
obligations are regarding the protection of that information.
- Train both temporary and permanent employees.
- Convey to your employees that data security is taken seriously
by your business.
- Require trained employees to sign an acknowledgement of
training.
What Is The Extent Of The Monitoring
Obligation?
• Depends on the nature of your business, your business practices,
and the amount of personal information you own or license.
• Also depends on the form in which the information is kept and
stored.
• In the end, the monitoring you put in place must be such that it is
reasonably likely to reveal unauthorized access or use.
What If I Use Laptops?
• Assess whether your laptop(s) contain personal information.
• If they do, consider encryption.
- The regulations make clear that, to be encrypted, data must be
altered into an unreadable form: encryption must bring about a
“transformation of data into a form in which meaning cannot be
assigned.”
- Password protection is not enough.
What Should You Do Now?
• Develop a plan to work towards compliance.
• Evaluate protection mechanisms you have in place, and
determine how they must be revised.
• Talk to your colleagues – lawyers, IT, etc. – to determine what
makes sense for your business.