Emerging Issues in Data Security and an Overview of the Massachusetts Data Security Law
March 27, 2008
David Szabo, Nutter, McClennen & Fish
David A. Holley, Kroll
Scott Schafer, Office of the Attorney General
Art Crow, Millennium Pharmaceuticals
Introductory Comments: David S. Szabo, Nutter, McClennen & Fish
Key Points
• New State Data Breach Law Effective October 1, 2007
• New State Data Disposal Law Effective February 3, 2008
• Other States’ Laws Must be Observed, Too
• Proposed Information Security Regulations
Other States’ Laws
• At least 38 states have enacted data breach notification laws
• Most of these protect financial (identity theft) information, but some also protect medical information (e.g. new California amendments)
• The states have differing notice requirements regarding timing, content and the like.
Other States’ Laws
• Are you subject to those laws? You should find out now, not later.
• You must coordinate notices and other compliance issues across jurisdictions.
• Responses can be complex, as laws may conflict.
Other Laws May Apply?
• HIPAA
• GLB
• EU Data Directive
In Event of Trouble
• Read your data breach policy (you do have one, don’t you?)
• Investigate and determine the facts
• Call your insurance carrier
• Notify counsel
• Notify, as required by law
• Notify, as required by contracts
• Mitigate, as needed
What the numbers look like: David A. Holley, Kroll Worldwide
Identity Theft and Fraud
• Numbers
  • Attrition.org: 2006 – 326/45,538,298 vs. 2007 – 275/126,231,985 – a 277% increase
  • ITRC: 2006 – 392/49,000,000 vs. 2007 – 443/127,369,523 – a 260% increase
• Cost to Organizations
  • Average cost of a data breach: $197/record (increase of 8% over 2006, 43% over 2005) *
  • Cost of lost business: $128/record (increase of 30% over 2006) *
  • Costs organizations expended for legal defense and PR: 8% and 3% of total breach costs, respectively *
  • Cost of a data breach for financial services organizations: $239/record (21% higher than average) *
* Source: Ponemon Institute – November 2007
Cost and Commerce
• Industry Issues
  • FTC estimates nearly 10 million victims per year
  • Many victims don’t know or don’t report
  • Fastest growing white collar crime in America
  • Average 175 hours and $1,500 to resolve
  • 49% of data breaches were due to lost or stolen laptops or other devices (e.g. USB) *
• Common Types of Fraud
  • Current credit – credit card, debit card, phone card
  • Identity fraud using your name and SS# to:
    • Establish new credit
    • Commit other criminal activity
  • Only 21% of ID theft is credit related
• Consumer claims, blogging sites, class action
• Tangible loss of credibility in your community
• Lost business accounts for 65% of breach costs (increase of 30% over 2006) *
* Source: Ponemon Institute – November 2007
Addressing the Risk
• Avoidance – No
  • Not really an option
• Mitigation – Absolutely
  • The risk of a breach can be reduced before an incident
• Insurance – Absolutely
  • Regular commercial insurance programs do not cover data breaches
  • Cyber risk policies can be customized to insure liability and the costs of notification and compliance
Data Protection: Concepts and Practice – Art Crow, Millennium Pharmaceuticals
Considerations
• What information do I need to protect?
• How and where do I store this information?
• Who should have access to the information?
• How do I protect my information from theft or wrongful use?
Integrated Security Approach
• Risk Assessment
• Information Technology Controls
• Physical Security Controls
• Procedural Controls
Information Technology Controls
• Network – servers – computers – software
• Change manufacturer’s default passwords!
• If it doesn’t have anti-virus/anti-spam/anti-spyware software, it doesn’t go on the network (e.g., lab equipment computers)
Information Technology Controls
• Encrypted hard drives on all laptops – encryption software alone is not enough
• Not everyone needs a laptop
• Limit remote network access to only those people who require it in the performance of their job
• Anti-theft/recovery software
Physical Security Controls
• Install your own physical security system
• Use a card access system and CCTV cameras
• An alarmed door does no good if no one responds to the alarm
• Lock the server and network gear rooms
• Restrict access to sensitive areas – the CFO does not need access to the data center
• One key should not unlock all doors
Company Policies
• Passwords
  • Minimum 8 characters
  • Combination of letters, numbers and symbols
  • Change every 90 days
• Acceptable Use
  • Business purposes only
  • No downloading of software/programs from the internet
Company Policies
• No shareware
• No non-business related software on any computer or server
• Screen savers and passwords are a must – no exceptions
• Store sensitive data in a server file – not on the laptop or a CD
Conclusion
• Good IT and physical security controls can reduce the risk of data theft
• For security to be effective it must be an integral part of the company culture
• All employees and vendors should receive training in company IT and physical security policies
• Monthly security briefs will reinforce company security policies and help to alert people to emerging threats
• Social engineering – The Art of Deception
Overview of Massachusetts Data Security Laws
Scott D. Schafer, Assistant Attorney General, Consumer Protection Division, Office of Massachusetts Attorney General Martha Coakley
Massachusetts Identity Theft Legislation
August 3, 2007: Massachusetts adopts comprehensive identity theft legislation and becomes the 39th state to protect residents by requiring that they be notified in the event of a data security breach or unauthorized access or use of their personal information.
Massachusetts Identity Theft Legislation
Major Provisions of the Legislation
1) Establishes a consumer’s right to request a security freeze (G.L. ch. 93, §§ 56 and 62A);
2) Establishes requirements for notification to state government and consumers in the event of a data breach (G.L. ch. 93H); and
3) Establishes requirements for destruction and disposal of records containing a consumer’s personal information (G.L. ch. 93I).
Security Breaches – G.L. ch. 93H
Who does the law apply to?
Any individual, business or governmental agency that owns, licenses, maintains or stores data whose unauthorized access or use is capable of compromising a Massachusetts resident’s personal information.
Security Breaches – G.L. ch. 93H
What is personal information?
First name and last name, or first initial and last name, of a resident in combination with one or more of the following:
1. SSN;
2. driver’s license number or state-issued ID card number; or
3. financial account, debit or credit card number.
Security Breaches – G.L. ch. 93H
Massachusetts law protects personal information regardless of form – paper or electronic.
Protected personal information does not include information that is lawfully obtained from publicly available information.
Security Breaches – G.L. ch. 93H
When is notice triggered?
1. Breach of security;
2. Personal information acquired or used by an unauthorized person; or
3. Personal information used for an unauthorized purpose.
Security Breaches – G.L. ch. 93H
Definition of “Breach of Security”
Unauthorized acquisition or use of unencrypted data, or of encrypted electronic data and the confidential process or key, that is capable of compromising the security or confidentiality of personal information maintained by a person or agency, and that creates a substantial risk of identity theft or fraud against a Massachusetts resident.
Security Breaches – G.L. ch. 93H
Definition of “Breach of Security”
• Broader definition – a breach need not involve “personal information” as defined in the statute
• Notice is triggered if there is a substantial risk of ID theft or fraud
Security Breaches – G.L. ch. 93H
Personal Information Notification Triggers
• Personal information acquired or used by an unauthorized person
• Personal information used for an unauthorized purpose
Security Breaches – G.L. ch. 93H
Personal Information Notification Triggers
No “substantial risk of harm” calculus. Notification is triggered by the breach itself rather than the likelihood of harm or misuse of personal information. Entities are therefore not exempt from providing notice if a breach does not create a risk of harm.
Security Breaches – G.L. ch. 93H
Who must be notified?
1. The Attorney General;
2. The Director of Consumer Affairs and Business Regulation; and
3. Affected residents.
Security Breaches – G.L. ch. 93H
What must the notice say?
Massachusetts law has different content requirements depending on the recipient of the notice.
Security Breaches – G.L. ch. 93H
Notice to the Attorney General and Director of Consumer Affairs and Business Regulation
1. Nature of the breach of security or the unauthorized access or use of personal information;
2. Number of Massachusetts residents affected; and
3. Steps the notifying entity is taking, or plans to take, relating to the incident.
Security Breaches – G.L. ch. 93H
Notice to Affected MA Residents
1. Consumer’s right to obtain a police report;
2. How a consumer requests a security freeze (G.L. ch. 93, §§ 56 and 62A);
3. Information the consumer will need to provide to request a security freeze; and
4. Disclosure of fees associated with placing, lifting or removing a security freeze.
Security Breaches – G.L. ch. 93H
Notice to Affected MA Residents
Notice to the affected residents shall not include:
1. Nature of the breach or unauthorized access or use; or
2. The number of residents affected.
Security Breaches – G.L. ch. 93H
Common Mistakes Made in Notices to Affected MA Residents
1. Notice is too general and fails to include the four (4) Massachusetts-specific requirements
2. Fraud alert vs. security freeze
Security Breaches – G.L. ch. 93H
Common Mistakes Made in Notices to Affected MA Residents
3. References to websites rather than providing the information in the letter itself – thereby putting the burden on affected residents to find the information
4. Provides a range of fees relating to the security freeze when in fact the amount is set by statute (G.L. ch. 93, § 62A)
Security Breaches – G.L. ch. 93H
Notice to Affected MA Residents
Law provides for direct notice to affected consumers unless:
1. More than 500,000 affected MA residents; or
2. Costs of providing written notice shall exceed $250,000.
“Substitute” notice consists of:
1) email notice to affected consumers;
2) clear and conspicuous notice on the company’s home page; and
3) publication in statewide media.
Security Breaches – G.L. ch. 93H
When must notice be provided?
“As soon as practicable and without unreasonable delay.”
Massachusetts permits a delay where law enforcement determines notification would hinder a criminal investigation – provided that the law enforcement agency notifies the Attorney General of that determination.
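The resident-notice rules on the preceding slides (direct versus substitute notice thresholds, the four required elements, the two prohibited elements and the common mistakes) as an added Python helper; this is example code, not part of the presentation. The keyword patterns used to recognise each element and the two sample letters are constructed for illustration, and the statutory fee amount is left as a placeholder.

```python
import re

# Thresholds from the slides: direct notice to residents unless more than 500,000 MA
# residents are affected or written notice would cost more than $250,000.
SUBSTITUTE_RESIDENT_THRESHOLD = 500_000
SUBSTITUTE_COST_THRESHOLD = 250_000

# The four elements a notice to MA residents must contain; the keyword patterns used to
# detect them in a draft are assumptions for this example, not statutory language.
REQUIRED = {
    "police_report": r"police report",
    "how_to_request_freeze": r"security freeze",
    "information_needed_for_freeze": r"information [^.]{0,60}freeze",
    "freeze_fees": r"fee",
}

def notice_method(affected_residents: int, written_notice_cost: float) -> str:
    """'direct' or 'substitute' (email, conspicuous home-page notice, statewide media)."""
    if (affected_residents > SUBSTITUTE_RESIDENT_THRESHOLD
            or written_notice_cost > SUBSTITUTE_COST_THRESHOLD):
        return "substitute"
    return "direct"

def check_resident_notice(text: str) -> list:
    """Return the problems found in a draft resident notice (empty list means none found)."""
    t = " ".join(text.lower().split())
    problems = [f"missing:{k}" for k, pat in REQUIRED.items() if not re.search(pat, t)]
    # Common mistake 2: offering a fraud alert instead of the statutory security freeze.
    if "fraud alert" in t and "security freeze" not in t:
        problems.append("fraud_alert_instead_of_security_freeze")
    # Common mistake 3: sending residents to a website instead of stating the information.
    if re.search(r"(visit|go to|see) (our )?(website|www\.|http)", t):
        problems.append("refers_to_website_for_required_information")
    # Common mistake 4: quoting a fee range when the statute fixes the amount.
    if re.search(r"\$\d[\d,]*(\.\d\d)? ?(-|to) ?\$\d", t):
        problems.append("fee_range_instead_of_statutory_amount")
    # Resident notices must not state the number of residents affected.
    if re.search(r"\d[\d,]* (massachusetts )?(residents|individuals|customers)", t):
        problems.append("states_number_of_residents_affected")
    return problems

# Constructed sample notices (not real letters) exercising the checks above.
GOOD_NOTICE = """You may obtain a copy of any police report filed about this incident. You may request
a security freeze on your credit file. The information you will need to provide to request
a security freeze is your name, address, date of birth and Social Security number. The fee
for placing, lifting or removing a security freeze is $[statutory amount per G.L. ch. 93, s. 62A]."""
BAD_NOTICE = """Some of your personal information may have been exposed. Approximately 12,000
Massachusetts residents are affected. Please place a fraud alert with the credit bureaus.
For more information please visit our website at www.example.com. Fees range from $5 to $10."""
```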
Most Common Causes of Data Breaches
• Stolen laptops
• Rogue employees
• Inadvertent disclosure
• Intra-company email
• Hacking
Data Disposal – G.L. ch. 93I
Scope of the Law
Requires individuals, businesses and governmental agencies to employ certain safeguards when disposing of or destroying records containing personal information – regardless of form.
Data Disposal – G.L. ch. 93I
Minimum standard for disposal/destruction of records
• Destruction of records containing personal information must be done in such a manner that personal information “cannot practically be read or reconstructed.”
• Paper records shall be burned, redacted, pulverized or shredded so that personal information cannot be read or reconstructed.
• Electronic records and other non-paper media shall be destroyed or erased so that personal information cannot be read or reconstructed.
Data Disposal – G.L. ch. 93I
Third-party Disposal
• May use third parties provided that the third parties adopt and monitor compliance with policies and procedures that prohibit unauthorized access to or use of personal information in the course of the collection, transportation or disposal of the information.
• Entities employing such third-party services should obtain written assurances from the third party that its disposal practices are in compliance with the law.
Data Disposal – G.L. ch. 93I
Penalties
• $100 per individual affected
• Maximum of $50,000 per instance of improper disposal