Learn about the security policies, practices, and requirements for the Minnesota Energy Assistance Program (EAP) data security, including data practices, SSA requirements, and MN.IT security policies.
Energy Assistance Program FFY20 Annual Training EAP Data Security, Data Practices
EAP Data Security Tracy Smetana Minnesota Energy Assistance Program
EAP Data Security Topics • MN.IT Security Policies and Standards • Social Security Administration (SSA) Requirements
EAP Data Security MN.IT Security Policies and Standards • One of eHEAT Next Generation’s expected benefits is to improve program compliance & integrity by • Improving auditability and traceability • Enabling more effective budget management • Improving data accuracy • Improving data and system security • Improving user access management • Improving person identification
EAP Data Security MN.IT Security Policies and Standards • Roles in eHEAT • Unique user IDs • Must document requests to create or modify accounts and privileges • Accounts and privileges no longer required must be removed or disabled • Within 8 hours for voluntary changes • Within 1 hour for involuntary changes, including lost or compromised accounts
EAP Data Security MN.IT Security Policies and Standards • Segregation of duties • Group accounts prohibited • Multiple concurrent active sessions for individual user accounts prohibited • Requires changes: policy, eHEAT security agreement
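The two slides above state the MN.IT account rules as requirements (unique user IDs, documented removal requests, 8-hour and 1-hour deprovisioning windows, no group accounts, no concurrent sessions for one user account) but not how a service provider would check them. The following Python script is an added example, not code from the training deck or from eHEAT: it audits constructed account-lifecycle records, credential-holder lists and session logs against exactly those rules. The record layouts, field names and sample rows are assumptions made for the example; the page does not describe eHEAT's real logs.

```python
"""Audit constructed access-management records against the MN.IT rules on the
slides: no shared (group) accounts, removal of unneeded accounts within 8 hours
(voluntary) or 1 hour (involuntary / lost or compromised), and no overlapping
active sessions for a single user account.  Field names and data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Deadlines stated on the slide, keyed by the kind of change.
DEADLINE = {"voluntary": timedelta(hours=8), "involuntary": timedelta(hours=1)}


@dataclass
class RemovalRequest:
    user_id: str
    kind: str                      # "voluntary" or "involuntary"
    requested: datetime            # when the documented request was made
    disabled: Optional[datetime]   # when the account was disabled; None if still active


@dataclass
class Session:
    user_id: str
    start: datetime
    end: datetime


def late_removals(requests: List[RemovalRequest], now: datetime) -> List[Tuple[str, timedelta]]:
    """Return (user_id, overdue_by) for accounts not disabled inside their deadline.
    An account that is still active is measured against `now`."""
    findings = []
    for r in requests:
        due = r.requested + DEADLINE[r.kind]
        done = r.disabled if r.disabled is not None else now
        if done > due:
            findings.append((r.user_id, done - due))
    return findings


def shared_accounts(owners: Dict[str, Set[str]]) -> List[str]:
    """`owners` maps user_id -> people who hold the credential.  Anything other
    than exactly one named person violates the unique-user-ID / no-group rule."""
    return sorted(uid for uid, people in owners.items() if len(people) != 1)


def concurrent_sessions(sessions: List[Session]) -> List[str]:
    """Return user_ids for which two sessions overlapped in time."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user_id, []).append(s)
    flagged = []
    for uid, ss in by_user.items():
        ss.sort(key=lambda s: s.start)
        for earlier, later in zip(ss, ss[1:]):
            if later.start < earlier.end:   # second session began before the first ended
                flagged.append(uid)
                break
    return sorted(flagged)


# ---- constructed sample data (not real eHEAT records) --------------------
T0 = datetime(2019, 10, 1, 8, 0)
NOW = T0 + timedelta(hours=3)
SAMPLE_REQUESTS = [
    RemovalRequest("jdoe",   "voluntary",   T0, T0 + timedelta(hours=6)),     # on time
    RemovalRequest("asmith", "voluntary",   T0, T0 + timedelta(hours=10)),    # 2 h late
    RemovalRequest("bjones", "involuntary", T0, T0 + timedelta(minutes=90)),  # 30 min late
    RemovalRequest("cwhite", "involuntary", T0, None),                        # still active at NOW
]
SAMPLE_OWNERS = {"jdoe": {"Jane Doe"}, "asmith": {"Al Smith"},
                 "frontdesk": {"Al Smith", "Bo Jones", "Cy White"}}   # prohibited group account
SAMPLE_SESSIONS = [
    Session("jdoe",   T0 + timedelta(hours=1), T0 + timedelta(hours=2)),
    Session("jdoe",   T0 + timedelta(hours=2, minutes=30), T0 + timedelta(hours=3)),
    Session("asmith", T0 + timedelta(hours=1), T0 + timedelta(hours=4)),
    Session("asmith", T0 + timedelta(hours=3), T0 + timedelta(hours=3, minutes=30)),  # overlaps
]


def run_audit() -> Dict[str, list]:
    """Collect every finding in one report a reviewer could attach to the security agreement."""
    return {
        "late_removals": late_removals(SAMPLE_REQUESTS, NOW),
        "group_accounts": shared_accounts(SAMPLE_OWNERS),
        "concurrent_sessions": concurrent_sessions(SAMPLE_SESSIONS),
    }


if __name__ == "__main__":
    for rule, hits in run_audit().items():
        print(f"{rule}: {hits}")
```

Each function returns its findings rather than printing them, so the same checks can be scheduled against an export of the real account and session records and the results filed as evidence for the compliance reviews mentioned later in the deck.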
EAP Data Security SSA Requirements • eHEAT Next Generation will obtain data from SSA to verify EAP HH members’ identity • SSA has detailed security requirements for state agencies and their contractors
EAP Data Security SSA Requirements • eHEAT Next Gen sends SSA first name, last name, DOB, and SSN • SSA sends back a verification field stating the info is correct – or, if not correct, a code detailing which field is incorrect • Since SSA attests to the accuracy of the information we supplied, data becomes SSA-provided information (SSA data)
EAP Data Security SSA Requirements • Procedural documents to describe methods and controls to safeguard SSA data while… • In use • At rest • During transmission • After archiving
EAP Data Security SSA Requirements Restrict access to SSA data to authorized users who need it to perform their official duties • Physical – examples include • Secure building with badge access • Visitor sign-in • Guards • Photo credential badges • 24 hour security
EAP Data Security SSA Requirements Restrict access to SSA data to authorized users who need it to perform their official duties • Technological – examples include • Remote wipe for mobile devices/laptops • Mobile device/laptop encryption • Mobile device/laptop locks • Access management
EAP Data Security SSA Requirements • Remote access and work from home security measures • Recording, photographing, capturing screen shots of any SSA data prohibited • Includes cell phones, tablets, laptops, video cameras, security cameras, family member access to workstations • Safeguard SSA data during remote connections • Printing media containing SSA data prohibited
EAP Data Security SSA Requirements Information system contingency plan • Address internal and external threats • Address security of SSA data if a disaster occurs • Include details regarding the business continuity plan • Protect SSA data in the event of a natural disaster or a system-disabling cyber-attack • Perform a disaster recovery exercise at least once annually
EAP Data Security SSA Requirements Disposal/destruction of case files with SSA data • Must have written policy and procedures for periodic disposal/destruction of any media containing SSA data • Paper documents must be destroyed by burning, pulping, shredding, macerating, or other similar means that ensure the information is unrecoverable • Personnel who will encounter SSA data must sign non-disclosure agreement
EAP Data Security SSA Requirements Data breach containing SSA data is a “reportable incident” • If hard copy or electronic information containing SSA data left our custody • Or was disclosed to an unauthorized entity or individual
EAP Data Security SSA Requirements Security awareness training • Required safeguards to protect SSA data • Civil and criminal sanctions for noncompliance • Sensitivity of SSA data • Privacy Act and other Federal and State laws governing use and misuse of SSA data • Rules of behavior concerning use and security in systems processing SSA data
EAP Data Security SSA Requirements Security awareness training • Restrictions on viewing and/or copying SSA data • Responsibility for proper use and protection of SSA data • Proper disposal of SSA data • Security incident reporting procedures • Basic understanding of procedures to protect the network from malware attacks • Spoofing, phishing, and pharming scam prevention • Must maintain security awareness training records for employees
EAP Data Security SSA Requirements Compliance reviews • Commerce must do compliance reviews once every 3 years
Data Practices Emily Kelnberger Minnesota Department of Commerce
Data Practices Act: What Service Providers Need to Know mn.gov/commerce
WELCOME Emily Kelnberger Legal Analyst & Data Management – Legal Services Emily.Kelnberger@state.mn.us
COURSE OVERVIEW • The Minnesota Government Data Practices Act • Responsibilities as a Commerce contractor (Service Providers) • Classification of data • Data breaches
Minnesota Government Data Practices Act Minnesota Statutes, Chapter 13 Applies to EAP Service Providers
THE LAW • Minnesota Statutes, Chapter 13 • Defines government data • Presumes government data are public • Classifies data that are not public • Requires that data on individuals are accurate, complete, current, and secure • Minnesota Rules, Chapter 1205
WHAT ARE GOVERNMENT DATA? Information that is collected, created, stored, maintained, or disseminated • Minn. Stat. § 13.02, subd. 7 • Examples: • Emails • Notes • Applications • Statistics
THE LAW • Application Data • Data on individuals collected, maintained, or created because an individual applies on behalf of a household for benefits or services provided by the energy assistance and weatherization programs are private data on individuals and must not be disseminated except pursuant to section 13.05, subdivisions 3 and 4. • Minn. Stat. § 216C.266, subd. 1
A Balance • Public right to know • Government duty to keep accurate records • Individual right to privacy
Other Related Laws and Policy Service Providers
Other Related Laws
Other Related Laws • The Records Management Statute (Minn. Stat. § 138.17) • EAP records must be maintained for at least 6 years after the program year has ended, per Minn. Stat. § 16C.05, subd. 5. • However, in order to protect applicants, EAP record retention should not exceed 6 years after the program year has ended.
COMMERCE DATA PRACTICES POLICY • Policy • Commerce is committed to securing and protecting the privacy of the citizens and businesses of Minnesota. Therefore, access to Not-Public Data will only be granted: • When needed to perform your job • With prior written approval for access
PENALTY • From EAP Policy Manual: Government entities and their contractors may be subject to penalties when violations of the MGDPA occur. Minn. Stat. § 13.08 states: “[A] responsible authority or government entity which violates any provision of this chapter is liable to a person or representative of a decedent who suffers any damage as a result of the violation, and the person damaged or a representative in the case of private data on decedents…may bring an action against the responsible authority or government entity to cover any damages sustained, plus costs and reasonable attorney fees. In the case of a willful violation, the government entity shall, in addition, be liable to exemplary damages of not less than $1,000, nor more than $15,000 for each violation.”
BE A GOOD STEWARD • Part of your job is to be a good steward of the information you come into contact with for your job. • Be responsible for the data you share or transfer to others – internally and externally • For questions, contact either: • eap.mail@state.mn.us, or • your PPA.
What is a data practices request? Service Providers
WHAT IS A DATA PRACTICES REQUEST? Data Requests vs. Other Inquiries
Data Classifications: Who has access to the data?
• Confidential: those in the entity whose work requires access; entities authorized by law; not available to the data subject
• Private: the data subject; those in the entity whose work requires access; entities authorized by law; those authorized by the data subject
• Public: available to anyone for any reason
Data Classifications: Examples
• Confidential: verification information from SSA
• Private: all EAP records about an individual or household; hard and electronic copies of the application; application summary on eHEAT
• Public: aggregate data with no way to identify individuals, such as the number of HHs served or the number of HHs with wages
Data Breach Minn. Stat. §§ 13.055, 13.08 and 13.09
DATA BREACH • What do I do if I am involved in or witness a data breach? • Contact your supervisor immediately. • Notify Commerce if a breach in security or inadvertent disclosure of private data is discovered. • Complete an Incident Report and submit it to Commerce at eap.mail@state.mn.us • Fixes are easier if we can act quickly • When in doubt, check it out • We can evaluate the situation and identify next steps
RECAP – YOUR RESPONSIBILITIES • Become familiar with data retention policies • Ensure the data you access is for business purposes only • Understand the classifications of data • Ensure the data you use or come into contact with is maintained in a manner that is easily accessible • If you are a party to or witness a data breach, contact your supervisor immediately
Thank You!