Mass Information Security Requirements January 2010

Post on 08-Jan-2017


Massachusetts Privacy Laws – Protecting Personal Information

Can You Do It?

Presented By: Mark R. Adams, Esq., SPHR

January 13th, 2010

Agenda

- Background / history leading to the requirements
- Overview of the Massachusetts Data Protection Law
- What is “Personal Information?”
- What is a “Comprehensive Written Information Security Program?” (CWISP)
- Issues to consider in developing a program that meets your company’s needs
- Logistical problems in keeping information accessible yet confidential
- Penalties for non-compliance
- Enforcement

Background

Massachusetts requirements are in response to high-profile identity theft cases:

The TJX Companies: Massachusetts-based retailer with approx. 2,500 stores.
- Computer system first breached in July 2005.
- Information from 45.7 million cards was stolen from transactions from January through November 2003; TJX did not discover the breach until late 2006.
- 455,000 customers affected.

Background

Massachusetts requirements are in response to high-profile identity theft cases:

The TJX Companies:
- TJX settled in late 2007 and early 2008 with issuing banks of Visa and MasterCard for $40.9 million and $24 million, respectively.
- TJX reached an agreement with the FTC in April 2008 to immediately upgrade and implement comprehensive data security procedures and to submit to outside audits.
- In August 2008, 11 individuals were indicted for crimes in connection with what the Justice Department described as “the single largest and most complex identity theft case ever charged in this country.”

Background

Massachusetts requirements are in response to high-profile identity theft cases:

Hannaford Brothers Company: Maine-based supermarket chain with 165 stores in the Northeast.
- Security breach began in December 2007.
- Credit card numbers were stolen when shoppers swiped their cards and the information was transmitted to banks for approval.

Background

Massachusetts requirements are in response to high-profile identity theft cases:

Hannaford Brothers Company:
- Estimated 4.2 million credit and debit card numbers were exposed.
- The thefts occurred despite Hannaford’s compliance with the Data Security Standards promulgated by the Payment Card Industry (PCI), which do not require companies to encrypt data at the point of sale, raising doubts about the sufficiency of the PCI standards and merchants’ reliance on them.
- 1,800 cases of reported fraud related to the breach.

“New” Law

The first stage of the law, Chapter 93H:
- Effective on October 31, 2007
- Requires notification to residents and state authorities if personal information is improperly accessed or used.

The second stage of the law, Chapter 93I:
- Became effective on February 3, 2008
- Mandates destruction of hard copy and electronic data containing personal information
- Sets forth minimum standards for proper disposal of paper or electronic records containing personal information: “electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.”

“New” Law

New comprehensive regulations (201 CMR 17.00):
- Regulations issued originally to be effective January 1, 2009
- Effective on March 1, 2010
- Define the parameters of a Comprehensive Written Information Security Program (“CWISP”): policies and procedures for storing and protecting personal information, and employee training

What is protected personal information?

The first and last name, or first initial and last name; PLUS any one of the following:
- social security number;
- driver’s license number;
- state identification number;
- financial account number; or
- debit or credit card number [in combination with or without any required security code, access code or password that would permit access to the individual’s account].

Applies to both electronically stored information and paper files.

Exercise: What Records Contain Personal Information?
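As an added illustration that is not part of the presentation, here is a small Python inventory check that applies the definition above (a name plus at least one listed identifier) to constructed sample records of the kind an HR export might contain; the field names and the regular expressions are assumptions made for the example.

```python
import re

# Identifier fields that, combined with a qualifying name, make a record
# "personal information" under the Massachusetts definition summarised above.
# The patterns are constructed approximations for a data inventory, not legal
# definitions: an SSN in nnn-nn-nnnn form, a 13-19 digit card number, and any
# non-empty driver's license, state ID or financial account value.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
}
PRESENCE_FIELDS = ("drivers_license", "state_id", "financial_account")


def has_qualifying_name(record: dict) -> bool:
    """First name (a single initial is enough) plus last name, per the page's test."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def classify_record(record: dict) -> list:
    """Return the identifiers that make this record PI; [] means it is not PI
    (no qualifying name, or a name with none of the listed identifiers)."""
    if not has_qualifying_name(record):
        return []
    found = []
    for field, pattern in IDENTIFIER_PATTERNS.items():
        value = str(record.get(field) or "").strip()
        if value and pattern.match(value):
            found.append(field)
    for field in PRESENCE_FIELDS:
        if str(record.get(field) or "").strip():
            found.append(field)
    return found


def inventory(records: list) -> dict:
    """Map record index -> triggering identifiers for every record that is PI."""
    return {i: ids for i, rec in enumerate(records) if (ids := classify_record(rec))}


# Constructed sample rows (not real people); the card number is a well-known test value.
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},             # initial + SSN: PI
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},   # name only: not PI
    {"first_name": "", "last_name": "Doe", "drivers_license": "S12345678"},    # no first name: not PI
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111111111111111", "financial_account": "ACCT-0001"},
]

if __name__ == "__main__":
    for index, identifiers in inventory(SAMPLE_RECORDS).items():
        print(f"record {index}: personal information ({', '.join(identifiers)})")
```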

Identity Theft Law: Employer obligations

Notice to:
- Person affected
- Attorney General’s Office
- Director of Consumer Affairs and Business Regulation

Notice is required regardless of whether there is a likelihood of harm.

Destruction.

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Risk Assessment:
- Designating an employee to maintain the program;
- Identifying and assessing reasonably foreseeable internal and external risks to the security of personal information;
- Evaluating and improving the effectiveness of the current safeguards, including but not limited to: ongoing employee (including temporary and contract employee) training; employee compliance with policies and procedures; and means for detecting and preventing security system failures.

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Information Storage Assessment:
- Identify where personal information is stored, including paper, electronic and other records, computing systems, storage media, and laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Policy Development:
- Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises;
- Impose disciplinary measures for violations of the program rules;
- Prevent terminated employees from accessing records by immediately terminating their access.

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Third Party Compliance:
- Contractually requiring service providers to maintain such safeguards;
- Taking “reasonable steps” to verify that third-party service providers are capable of maintaining appropriate security measures to protect personal information.

What are examples of reasonable steps?

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Limiting Access to Personal Information:
- Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected;
- Limit the time such information is retained to that reasonably necessary to accomplish such purpose;
- Limit access to those persons who are reasonably required to know such information.

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Limiting Access to Personal Information:
- Place reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted;
- Storage of such records and data in locked facilities, storage areas or containers.

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Monitoring and Maintenance:
- Regularly monitor to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and
- Upgrade information safeguards as necessary to limit risks.

What Is a CWISP?

A Comprehensive Written Information Security Program (CWISP) must include:

Monitoring and Maintenance:
- Review the scope of the security measures at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Document responsive actions taken in connection with any incident involving a breach of security.
- Conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

What Is a CWISP?

For electronically stored files, employers must maintain a security system that:
- Secures user IDs and passwords
- Blocks access after multiple unsuccessful attempts to log in
- Encrypts records traveling across public networks and transmitted wirelessly
- Encrypts personal information stored on laptops and other devices (smartphones, memory sticks, PDAs, etc.). Deadline for ensuring encryption on laptops: May 1, 2009. Deadline for ensuring encryption on other devices: January 1, 2010.

What Is a CWISP?

For electronically stored files, employers must maintain a security system that:
- Has reasonably up-to-date firewall protection for files containing personal information on a system that is connected to the Internet
- Has reasonably up-to-date malware protection
- Educates and trains employees on the proper use of the computer security system and the importance of personal information security.

What Is a CWISP?

Destruction of personal information: Personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Unacceptable forms of destruction (more than just “hitting the delete button” is required):
- Hitting the delete button
- Smashing the hard drive with a hammer
- Drilling a hole (or multiple holes) in the hard drive

Acceptable forms of destruction:
- Hard drive shredding
- Scrubbing
- Degaussing

What Is a CWISP?

Destruction of personal information:

Hard drive shredding: Melts all the particles within the drive. While inexpensive, shredding is only an option if you can afford to constantly purchase new hard drives.

Scrubbing: Programs that delete the data stored on a hard drive and then overwrite it with random data several times.

What Is a CWISP?

Destruction of personal information:

Degaussing: Data is stored in magnetic media, such as hard drives, tapes and diskettes (floppy disks), by making very small areas change their magnetic alignment to go in a certain direction. Degaussing equipment applies a strong magnetic field to the media, effectively destroying it because it removes the magnetic alignment. Again, this process is only useful if you can afford to continually purchase new storage media. Further, there is no way to be sure that the degaussing was successful.

What Is a CWISP?

Destruction of personal information: Options are generally expensive. Recommend that companies use third parties who can destroy information for them.

Issues to Consider

- What files are being preserved, and WHERE?
- Who will be accessing this information?
- How is this information safeguarded? Centralized? Decentralized?

Structure and Organization

- Who is going to be accessing these files? HR? Supervisors? Employees? Third parties?
- Where are these files being accessed from? Office? Home?

Access and Safeguard Issues

The greater the access, the greater the need for structure:
- Making sure firewalls and encryption software are kept updated to protect the level of access granted
- The need for a policy, and training of staff, on acceptable computer use.

Access and Safeguard Issues

The greater the access, the greater the need for structure:
- Different passwords with different levels of access to information
- Need to ACTIVELY oversee that access is added and removed in a timely manner
- Regulate how passwords are provided and changed
- Don’t get locked out of your proprietary information!

Computer Use Policy

Elements:
- Define who is subject to the policy
- Computer, email, network and servers are company property
- No right to privacy regarding files, data or email messages stored on or transmitted through a company’s network or systems
- Limited to use in the normal course of business
- Information accessed or retrieved is only to be used by or shared with persons who have a “need to know”
- Extend the standard to home access/telecommuting.

Computer Use Policy

Elements:
- Prohibit illegal, personal and unprofessional material from being transmitted through systems, including email!!!!
- Define where files are to be created and stored (on the network or on individual PCs)
- Require use of proper naming protocols for files and folders
- Passwords must be kept on file at all times
- Only software licensed to the company is permitted to be loaded onto systems
- Tie enforcement to the discipline policy.

Retention and Purging Policies

Policy and procedures need to operate within these constraints:
- Identifying communication channels between HR and IT for reviewing files scheduled to be removed
- Methodology for indexing or classifying files that can be expunged or deleted
- Temporary files v. semi-permanent or permanent files
- If email incorporates documents that need to be retained, identifying protocols for archiving and preserving that information in conjunction with other files.

MAKING SURE HR AND IT ARE ON THE SAME PAGE!!!!

Penalties for Non-Compliance

| Area of Non-Compliance | Monetary Damages |
|---|---|
| Unreasonable delay/failure to provide notice of a security breach to the attorney general, the director of the OCABR and the affected resident | $5,000 fine; reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees. |
| Failure to maintain a written, comprehensive information security system | $5,000 fine; reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees. (effective 3/01/2010) |
| Improper disposal of records containing PI | $100 fine per individual affected, maximum of $50,000 per instance of improper disposal |
| Failure to take all reasonable steps to verify that a third-party service with access to PI has the capacity to protect PI | $100 fine per individual affected, maximum of $50,000 per instance of improper disposal (effective 3/01/2010) |
| Failure to take all reasonable steps to ensure that a third-party service is applying security measures to PI | $100 fine per individual affected, maximum of $50,000 per instance of improper disposal (effective 3/01/2010) |

Enforcement

- Massachusetts Office of the Attorney General
- Office of Consumer Affairs and Business Regulation (OCABR)
- Individuals can sue on their own:
  - Unfair or deceptive trade practices pursuant to G.L. c. 93A, § 11: an individual may seek injunctive relief and/or monetary damages, including double or treble damages, attorneys’ fees and costs.
  - Negligence: an individual may seek actual and consequential damages against a non-compliant entity.

Questions?

Employers Association of the NorthEast

3 Convenient Offices:
- 67 Hunt Street, PO Box 1070, Agawam, MA 01001-6070, 413-789-6400
- 250 Pomeroy Avenue, Suite 200, Meriden, CT 06450, 203-686-1739
- 67 Millbrook Street, Worcester, MA 01606, 508-767-3415

Toll Free: 877-662-6444
www.eane.org