Mass Information Security Requirements January 2010


Transcript of Mass Information Security Requirements January 2010

Page 1: Mass Information Security Requirements January 2010

Massachusetts Privacy Laws – Protecting Personal Information

Can You Do It?

Presented By: Mark R. Adams, Esq., SPHR

January 13th, 2010

Page 2: Agenda

Background / history leading to the requirements
Overview of the Massachusetts Data Protection Law
What is “Personal Information?”
What is a “Comprehensive Written Information Security Program?” (CWISP)
Issues to consider in developing a program that meets your company’s needs
Logistical problems in keeping information accessible yet confidential
Penalties for non-compliance
Enforcement

Page 3: Background

Massachusetts requirements are in response to high-profile identity theft cases:

The TJX Companies: Massachusetts-based retailer with approx. 2,500 stores.
Computer system first breached in July 2005.
Information from 45.7 million cards was stolen from transactions from January through November 2003; TJX did not discover the breach until late 2006.
455,000 customers affected.

Page 4: Background (continued)

Massachusetts requirements are in response to high-profile identity theft cases:

The TJX Companies: TJX settled in late 2007 and early 2008 with issuing banks of Visa and MasterCard for $40.9 million and $24 million, respectively.
TJX reached an agreement with the FTC in April 2008 to immediately upgrade and implement comprehensive data security procedures and to submit to outside audits.
In August 2008, 11 individuals were indicted for crimes in connection with what the Justice Department described as “the single largest and most complex identity theft case ever charged in this country.”

Page 5: Background (continued)

Massachusetts requirements are in response to high-profile identity theft cases:

Hannaford Brothers Company: Maine-based supermarket chain with 165 stores in the Northeast.
Security breach began in December 2007.
Credit card numbers were stolen when shoppers swiped their cards and the information was transmitted to banks for approval.

Page 6: Background (continued)

Massachusetts requirements are in response to high-profile identity theft cases:

Hannaford Brothers Company: An estimated 4.2 million credit and debit card numbers were exposed.
The thefts occurred despite Hannaford’s compliance with the Data Security Standards promulgated by the Payment Card Industry (PCI), which do not require companies to encrypt data at the point of sale, raising doubts about the sufficiency of the PCI standards and merchants’ reliance on them.
1,800 cases of reported fraud related to the breach.

Page 7: “New” Law

The first stage of the law, Chapter 93H:
Effective on October 31, 2007.
Requires notification to residents and state authorities if personal information is improperly accessed or used.

The second stage of the law, Chapter 93I:
Became effective on February 3, 2008.
Mandates destruction of hard copy and electronic data containing personal information.
Sets forth minimum standards for proper disposal of paper or electronic records containing personal information: “electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.”

Page 8: “New” Law (continued)

New comprehensive regulations (201 CMR 17.00):
Regulations were originally issued to be effective January 1, 2009; now effective on March 1, 2010.
Define the parameters of a Comprehensive Written Information Security Program (“CWISP”): policies and procedures for storing and protecting personal information, and employee training.

Page 9: What is protected personal information?

The first and last name, or first initial and last name; PLUS any one of the following:
social security number;
driver’s license number;
state identification number;
financial account, debit or credit card number [in combination with or without any required security code, access code or password that would permit access to the individual’s account].

Applies to both electronically stored information and paper files.

Page 10: Exercise

What Records Contain Personal Information?
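As an added example (not from the presentation), the following Python code applies the definition on the previous slide to exported records: a record contains personal information only when a name component (first name or first initial, plus last name) appears together with at least one of the listed identifiers. The column names, the regular expressions and the sample records are assumptions of this example; driver’s license and state ID formats vary by state, so those two are recognised by column name only.

```python
import re

# Identifier patterns as they commonly appear in exported records (assumed here).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits, optional separators

# Assumed column names of an HR/finance export, mapped to the regulation's identifier list.
IDENTIFIER_COLUMNS = {
    "ssn": "social security number",
    "drivers_license": "driver's license number",
    "state_id": "state identification number",
    "account_number": "financial account number",
    "card_number": "debit or credit card number",
}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment cards; filters out order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_name(record: dict) -> bool:
    """Name component: first name (or just a first initial) plus last name."""
    first, last = record.get("first_name", ""), record.get("last_name", "")
    return bool(str(first).strip()) and bool(str(last).strip())

def find_identifiers(record: dict) -> list:
    """Return a label for every listed identifier present in the record."""
    found = [label for col, label in IDENTIFIER_COLUMNS.items()
             if str(record.get(col, "")).strip()]
    # Identifiers also hide in free-text fields (notes, comments), so scan those too.
    for col, value in record.items():
        if col in IDENTIFIER_COLUMNS:
            continue
        text = str(value)
        if SSN_RE.search(text):
            found.append("social security number (in field %r)" % col)
        for m in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                found.append("debit or credit card number (in field %r)" % col)
    return found

def contains_personal_information(record: dict) -> bool:
    """201 CMR 17.00 definition: a name PLUS any one of the listed identifiers."""
    return has_name(record) and bool(find_identifiers(record))
```

A record with an identifier but no name, or a name but no identifier, falls outside the definition, which is exactly the distinction the exercise asks you to make for each file.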

Page 11: Identity Theft Law: Employer obligations

Notice to:
Person affected
Attorney General’s Office
Director of Consumer Affairs and Business Regulation

Notice regardless of whether there is a likelihood of harm.
Destruction.

Page 12: What Is a CWISP? Risk Assessment

A Comprehensive Written Information Security Program (CWISP) must include a risk assessment:
Designating an employee to maintain the program;
Identifying and assessing reasonably foreseeable internal and external risks to security;
Evaluating and improving the effectiveness of the current safeguards, including but not limited to: ongoing employee (including temporary and contract employee) training; employee compliance with policies and procedures; and means for detecting and preventing security system failures.

Page 13: What Is a CWISP? Information Storage Assessment

A Comprehensive Written Information Security Program (CWISP) must include an information storage assessment:
Identify where personal information is stored, including paper, electronic and other records, computing systems, storage media, and laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.

Page 14: What Is a CWISP? Policy Development

A Comprehensive Written Information Security Program (CWISP) must include policy development, i.e. developing security policies for employees that:
Take into account whether and how employees should be allowed to keep, access and transport records containing personal information;
Impose disciplinary measures for violations of the program rules;
Prevent terminated employees from accessing records by immediately terminating their access, including access from outside the business premises.

Page 15: What Is a CWISP? Third Party Compliance

A Comprehensive Written Information Security Program (CWISP) must include third party compliance:
Contractually requiring service providers to maintain such safeguards;
Taking “reasonable steps” to verify that third-party service providers are capable of maintaining appropriate security measures to protect personal information.

What are examples of reasonable steps?

Page 16: What Is a CWISP? Limiting Access to Personal Information

A Comprehensive Written Information Security Program (CWISP) must limit access to personal information:
Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected;
Limit the time such information is retained to that reasonably necessary to accomplish such purpose;
Limit access to those persons who are reasonably required to know such information.

Page 17: What Is a CWISP? Limiting Access to Personal Information (continued)

A Comprehensive Written Information Security Program (CWISP) must place reasonable restrictions upon physical access to records containing personal information, including:
A written procedure that sets forth the manner in which physical access to such records is restricted;
Storage of such records and data in locked facilities, storage areas or containers.

Page 18: What Is a CWISP? Monitoring and Maintenance

A Comprehensive Written Information Security Program (CWISP) must include monitoring and maintenance:
Regularly monitor to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and
Upgrade information safeguards as necessary to limit risks.

Page 19: What Is a CWISP? Monitoring and Maintenance (continued)

A Comprehensive Written Information Security Program (CWISP) must also:
Review the scope of the security measures at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;
Document responsive actions taken in connection with any incident involving a breach of security;
Conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Page 20: What Is a CWISP? Electronically stored files

For electronically stored files, employers must maintain a security system that:
Secures user IDs and passwords;
Blocks access after multiple unsuccessful attempts to log in;
Encrypts records traveling across public networks and transmitted wirelessly;
Encrypts personal information stored on laptops and other devices (smartphones, memory sticks, PDAs, etc.).

Deadline for ensuring encryption on laptops: May 1, 2009.
Deadline for ensuring encryption on other devices: January 1, 2010.

Page 21: What Is a CWISP? Electronically stored files (continued)

For electronically stored files, employers must maintain a security system that:
Has reasonably up-to-date firewall protection for files containing personal information on a system that is connected to the Internet;
Has reasonably up-to-date malware protection.

Educate and train employees on the proper use of the computer security system and the importance of personal information security.

Page 22: What Is a CWISP? Destruction of personal information

Personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Unacceptable forms of destruction:
More than just “hitting the delete button” is required
Smashing the hard drive with a hammer
Drilling a hole (or multiple holes) in the hard drive

Acceptable forms of destruction:
Hard drive shredding
Scrubbing
Degaussing

Page 23: What Is a CWISP? Destruction of personal information (continued)

Hard drive shredding: Melts all the particles within the drive. While inexpensive, shredding is only an option if you can afford to constantly purchase new hard drives.

Scrubbing: Programs that delete the data stored on a hard drive and then overwrite it with random data several times.
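As an added example (not from the presentation), the following Python script shows scrubbing as described above at the level of a single file: it overwrites the contents with random data several times, forces each pass to the device, verifies that the original data can no longer be read back, and only then unlinks the file. The file name and the HR-export sample are constructed for the example; the script assumes the filesystem overwrites blocks in place, which SSDs and copy-on-write filesystems do not guarantee, so there the device-level sanitisation or shredding options on the next slides remain necessary.

```python
import os
import secrets
import tempfile

def overwrite_in_place(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file with random data `passes` times.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(secrets.token_bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before starting the next
    return size

def still_readable(path: str, sample: bytes) -> bool:
    """Verification step: can a known fragment of the original data still be read back?"""
    with open(path, "rb") as f:
        return sample in f.read()

def scrub_file(path: str, sample: bytes, passes: int = 3) -> bool:
    """Overwrite, verify, then unlink. Returns False (and keeps the file for
    follow-up) if the original fragment is still readable after overwriting."""
    overwrite_in_place(path, passes)
    if still_readable(path, sample):
        return False
    os.remove(path)
    return True

def demo() -> bool:
    """Constructed sample: a fake HR export row repeated 1000 times in a temp directory."""
    sample = b"Doe,Jane,123-45-6789\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hr_export.csv")
        with open(path, "wb") as f:
            f.write(sample * 1000)
        assert still_readable(path, sample)   # "hitting delete" alone would leave this data
        return scrub_file(path, sample) and not os.path.exists(path)

if __name__ == "__main__":
    print("scrubbed and verified:", demo())
```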

Page 24: What Is a CWISP? Destruction of personal information (continued)

Degaussing: Data is stored in magnetic media, such as hard drives, tapes and diskettes (floppy disks), by making very small areas change their magnetic alignment to go in a certain direction. Degaussing equipment applies a strong magnetic field to the media, effectively destroying it because it removes the magnetic alignment. Again, this process is only useful if you can afford to continually purchase new storage media. Further, there is no way to be sure that the degaussing was successful.

Page 25: What Is a CWISP? Destruction of personal information (continued)

Options are generally expensive. We recommend companies use third parties who can destroy information for them.

Page 26: Issues to Consider

What files are being preserved, and WHERE?
Who will be accessing this information?
How is this information safeguarded? Centralized? Decentralized?

Page 27: Structure and Organization

Who is going to be accessing these files? HR? Supervisors? Employees? Third parties?
Where are these files being accessed from? Office? Home?

Page 28: Access and Safeguard Issues

The greater the access, the greater the need for structure:
Making sure firewalls and encryption software are updated to protect the level of access;
The need for a policy and training of staff on acceptable computer use.

Page 29: Access and Safeguard Issues (continued)

The greater the access, the greater the need for structure:
Different passwords with different levels of access to information;
Need to ACTIVELY oversee that access is added and removed timely;
Regulate how passwords are provided and changed.

Don’t get locked out of your proprietary information!

Page 30: Computer Use Policy

Elements:
Define who is subject to the policy.
Computer, email, network and servers are company property.
No right to privacy regarding files, data or email messages stored on or transmitted through a company’s network or systems.
Limited to use in the normal course of business.
Information accessed or retrieved is only to be used or shared with persons who have a “need to know”.
Extend the standard to home access/telecommuting.

Page 31: Computer Use Policy (continued)

Elements:
Prohibit illegal, personal and unprofessional material from being transmitted through systems. Including email!!!!
Define where files are to be created and stored (on the network or on individual PCs).
Require use of proper naming protocols for files and folders.
Passwords must be kept on file at all times.
Only software licensed to the company is permitted to be loaded onto systems.
Tie enforcement to the discipline policy.

Page 32: Retention and Purging Policies

Policy and procedures need to operate within these constraints:
Identifying communication channels between HR and IT for reviewing files scheduled to be removed;
Methodology for indexing or classifying files that can be expunged or deleted;
Temporary files v. semi-permanent or permanent files;
If email incorporates documents that need to be retained, identifying protocols for archiving and preserving that information in conjunction with other files.

MAKING SURE HR AND IT ARE ON THE SAME PAGE!!!!

Page 33: Penalties for Non-Compliance

Each area of non-compliance is listed with its monetary damages.

Area of non-compliance: Unreasonable delay/failure to provide notice of security breach to the attorney general, director of the OCABR and affected resident.
Monetary damages: $5,000 fine; reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees.

Area of non-compliance: Failure to maintain a written, comprehensive information security system.
Monetary damages: $5,000 fine; reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees. (effective 3/01/2010)

Area of non-compliance: Improper disposal of records containing PI.
Monetary damages: $100 fine per individual affected, maximum of $50,000 per instance of improper disposal.

Area of non-compliance: Failure to take all reasonable steps to verify that a third-party service with access to PI has the capacity to protect PI.
Monetary damages: $100 fine per individual affected, maximum of $50,000 per instance of improper disposal. (effective 3/01/2010)

Area of non-compliance: Failure to take all reasonable steps to ensure that a third-party service is applying security measures to PI.
Monetary damages: $100 fine per individual affected, maximum of $50,000 per instance of improper disposal. (effective 3/01/2010)

Page 34: Enforcement

Massachusetts Office of the Attorney General
Office of Consumer Affairs and Business Regulation (OCABR)

Individuals can sue on their own:
Unfair or deceptive trade practices pursuant to G.L. c. 93A, § 11: an individual may seek injunctive relief and/or monetary damages, including double or treble damages, attorneys' fees and costs.
Negligence: an individual may seek actual and consequential damages against a non-compliant entity.

Page 35: Questions?

Employers Association of the NorthEast
3 Convenient Offices:

67 Hunt Street, PO Box 1070, Agawam, MA 01001-6070, 413-789-6400
250 Pomeroy Avenue, Suite 200, Meriden, CT 06450, 203-686-1739
67 Millbrook Street, Worcester, MA 01606, 508-767-3415

Toll Free: 877-662-6444
www.eane.org