Massachusetts’s New Data Security Regulations And Their Impact On Employers
Amy Crafts
December 15, 2009
Identity Theft Is A Serious Problem
• Identity theft occurs when someone uses your personally identifying information – your name, Social Security number or credit card number – without your permission to commit fraud or other crimes.
• The FTC estimates that over 9 million Americans have their identities stolen each year.
• Massachusetts has become one of the most aggressive states in the country in terms of protecting personal data following a number of recent scandals.

Boston Globe – 2006
• Credit and bank card numbers of as many as 240,000 subscribers of the Boston Globe and Worcester Telegram & Gazette were distributed with bundles of T&G newspapers.
• Confidential information on the back of paper slated for recycling was used to wrap newspaper bundles.
• Underscores the need for companies to focus on more than just online security to protect sensitive information.

TJX – 2007
• Hackers breached TJX’s wireless network and gained access to servers at the Framingham headquarters.
• TJX lacked appropriate firewalls to protect its servers.
• This allowed the hackers to quickly export data.
• Affected more than 94 million accounts.

Hannaford Brothers – 2008
• Exposed 4.2 million debit and credit card numbers over the period from December 7, 2007 to March 10, 2008.
• Occurred even though Hannaford had met the payment card industry standard and was not using wireless technology to transmit unencrypted data.
• Both of these factors contributed to the TJX breach.

In Response To These Scandals, The State Legislature Passed And Governor Patrick Signed A New Data Breach Law
The law, “An Act Relative to Security Freezes and Notification of Data Breaches,” creates two new chapters in the Massachusetts General Laws:
• Chapter 93H (Security Breaches), effective October 31, 2007
• Chapter 93I (Disposition and Destruction of Records), effective February 3, 2008

Each Chapter Concerns The “Personal Information” Of Massachusetts Residents
Personal information is defined as a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following information:
• the resident’s Social Security number;
• the resident’s driver’s license number or state-issued identification card number; or
• the resident’s financial account number, or credit or debit card number.

The Broad Definition Of Personal Information Will Have A Far-Reaching Effect
• Any company that employs Massachusetts residents will have to comply.
• Any benefits consultant will likely have to comply.
• And it could change the way that many companies do business. For example, the way we handle our private equity clients at Proskauer is going through dramatic changes, since we gather and store investors’ information in connection with fund closings.

And Chances Are, It Applies To You
It applies to all persons, which includes:
• A natural person
• Corporation
• Association
• Partnership
• Other legal entity
There is a carve-out for certain government entities, including an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches or political subdivisions.
Compliance With Chapter 93I (Disposition And Destruction Of Records) Is Straightforward
• Sets forth minimum standards for destruction of paper and electronic records containing personal information to ensure that they cannot be read or reconstructed.
• Paper documents must be either:
  • Redacted
  • Burned
  • Pulverized
  • Shredded
• Electronic documents and other non-paper media must be either:
  • Destroyed
  • Erased

Compliance With Chapter 93I (Disposition And Destruction Of Records) Is Straightforward
• The entity disposing of documents may contract with a third party to do so.
• The third party is required to implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of or use of personal information during the collection, transportation and disposal of personal information.
• Violations are subject to a civil fine of not more than $100 per data subject affected, and each fine shall not exceed $50,000 for each instance of improper disposal.
• The Attorney General may file a civil action in superior or district court to recover penalties.

Compliance With Chapter 93H (Security Breaches) Is More Complicated
• Imposes notice obligations on employers that know or have reason to know of a “breach of security” concerning the personal information of any of their current or former employees, or job applicants, who reside in Massachusetts.
• “Breach of security” is defined as the unauthorized acquisition or use of unencrypted personal information (or encrypted personal information plus theft of the decryption process or key), whether in paper or electronic form, that creates a substantial risk of identity theft or fraud.

If A Breach Of Security Occurs…
• The employer must notify the affected employees, in writing, “as soon as practicable and without unreasonable delay.”
• The notice must include the following information:
  • How employees may obtain a police report;
  • How employees may ask consumer reporting agencies (Equifax, Experian and TransUnion) to impose a security freeze; and
  • Any fees required to be paid to the consumer reporting agencies.

If A Breach Of Security Occurs…
• The employer must also provide written notice to the Attorney General and the Director of Consumer Affairs and Business Regulation. The notice must state:
  • The nature of the breach;
  • The number of affected employees who are residents of Massachusetts; and
  • Any remedial steps the employer has taken or plans to take.
• Special notice procedures apply if the cost of providing written notice will exceed $250,000, or more than 500,000 employees are to be notified, or the employer lacks sufficient contact information to provide written notice.

Regulations Have Been Issued To Implement M.G.L. 93H (Security Breaches)
Data Security Regulations – 201 C.M.R. 17.00
• As required by M.G.L. 93H, the regulations were issued by the Office of Consumer Affairs and Business Regulation to implement the new law.
• Initially issued September 2008; most recently updated in November 2009.

Regulations Have Been Issued To Implement M.G.L. 93H (Security Breaches)
• Establish minimum standards to be met by those who own or license personal information of Massachusetts residents in connection with the safeguarding of personal information contained in both paper and electronic forms.
• Go into effect on March 1, 2010.
• Will be enforced by the Attorney General’s Office.
• Initially issued September 2008; last updated in November 2009.
The Regulations Have Been Revised A Number Of Times
• In response to pressure from businesses of all sizes, but particularly small businesses, for which compliance would be particularly onerous.
• The new Undersecretary of the Office of Consumer Affairs and Business Regulation, Barbara Anthony, has been very receptive to the challenges that businesses of all sizes face in complying with the new regulations.
• The new iteration of the regulations, issued in early November as the final set, takes a “risk-based” approach that allows companies of different sizes and resources to comply with the regulations in different ways.

The Regulations Have Three Objectives:
• To ensure the security and confidentiality of customer information;
• To protect against anticipated threats or hazards to the security or integrity of such information; and
• To protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any customer.

The Regulations Contain Two Major Requirements
• A comprehensive written security program.
• Extensive requirements for electronic data.

1. The Law Requires A Comprehensive Information Security Program
• Every covered entity must develop, implement and maintain a comprehensive information security program.
• It must be written.
• It must contain administrative, technical and physical safeguards.

The Safeguards Should Be “Risk Based”
They should be appropriate to:
• the size, scope and type of business handling the information;
• the amount of resources available to the business;
• the amount of stored data; and
• the need for security and confidentiality of both consumer and employee information.

The Safeguards Have Been Extensively Revised
• The current iteration is a risk-based approach intended to alleviate the burden on small businesses that may not handle a lot of personal information.
• According to Undersecretary Anthony, it is an effort by her office “to balance consumer protections and business realities.”

The Written Security Program Must
• Provide for a designated employee to maintain the program
• Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the information

And Evaluate And Improve The Effectiveness Of The Safeguards In Place, Including
• Ongoing employee training, for permanent and contract employees
• Employee compliance with policies and procedures
• Means for detecting and preventing security system failures

The Written Security Program Must Also
• Develop security policies for employees relating to the storage, access and transportation of records outside of business premises
• Impose disciplinary measures for violations of the program rules
• Prevent terminated employees from accessing records

It Requires Oversight Of Service Providers And Vendors By:
• Taking reasonable steps to select and retain third-party service providers who also comply with the regulations
• Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information

With An Important Carve-Out
• If a contract is already in place as of the effective date, March 1, 2010, there is a two-year grace period for compliance.
• But any contract entered into after March 1, 2010 must ensure that the third-party service provider is also protecting personal information in compliance with the regulations.

In Addition . . .
• Storage of paper records must be in locked facilities, storage areas or containers.
• The program must be regularly monitored.
• The security measures must be reviewed at least annually, or whenever there is a material change in business practice that may implicate the security or integrity of records.

In Addition . . .
• The covered entity must document responsive actions taken in connection with any incident involving a breach of security.
• In the event of a breach, there is a mandatory post-incident review of events and actions taken, if any, in order to make any necessary changes in business practices.
2. There Are Additional Requirements For Electronically Stored Information
• Covered entities that electronically store or transmit personal information must establish and maintain a security system covering their computers and any wireless system.
• To the extent technically feasible, covered entities must also do the following. (“Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.)

Secure User Authentication Protocols, Including:
• Control of user IDs and other identifiers
• A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies (biometrics or token devices)
• Control of data security passwords so that security is not compromised
• Restricting access to active users and active user accounts only
• Blocking access to user identification after multiple unsuccessful attempts

Secure Access Control Measures That
• Restrict access to records and files containing personal information to those who need such information to perform their job duties.
• Assign unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls.

Encrypt All Records And Files Containing Personal Information
• That will travel across public networks
• That will be transmitted wirelessly
• Or that will be stored on laptops

In Addition, For Electronically Stored Information
• Reasonable monitoring for unauthorized use or access
• Up-to-date firewall protection and operating system security patches
• Up-to-date system security agent software, which must include malware protection, patches and virus protection
• Education and training of employees on the proper use of the computer security system and the importance of personal information security.
What Does All Of This Mean?
Let’s discuss some hypothetical or frequently asked questions.

Must Backup Tapes Be Encrypted?
• Yes, on a prospective basis.
• However, if you are going to transport a backup tape from storage, and it is technically feasible to encrypt it (meaning that the tape allows encryption), then you must do so prior to the transfer.
• If it is not technically feasible, you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled, and take appropriate steps to secure and safeguard the personal information.
• For example, if you are transporting a large amount of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

Must Email Be Encrypted If It Contains Personal Information?
• If it is not technically feasible, then no.
• But you should implement best practices by not sending unencrypted personal information in an email.
• There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

What Is Required Of A Small Business With Few Employees, Where No Other Personal Information Is Stored?
• If you only have employee data for a small number of employees, you should lock your files in a storage cabinet and lock the door to that room.
• You should permit access only to those who require it for official duties.
• If you have both employee and customer data containing personal information, then your security approach would have to be more stringent.

What If You Only Swipe Credit Cards, And Do Not Retain Personal Information?
• If you use swipe technology only, and you do not have actual custody or control over the personal information, then you do not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards.

Is There A Maximum Period Of Time To Keep Records Containing Personal Information?
• No, that is a business decision that is up to you.
• As a matter of good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected, and limit the time such information is retained to that reasonably necessary to accomplish such purpose.
• Access should be limited to those persons who are reasonably required to know such information.

Should Paper And Electronic Records Be Inventoried?
• No, it is not necessary to inventory your records.
• However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.

How Much Employee Training Is Required?
• There is no basic standard.
• You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information.

Is Compliance Necessary If You Already Comply With HIPAA?
• YES.

What Is The Extent Of The Monitoring Obligation?
• It depends on the nature of your business, your business practices, and the amount of personal information you own or license.
• It also depends on the form in which the information is kept and stored.
• In the end, the monitoring you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Is Password Protecting A Laptop Enough?
• No. The regulations make clear that encryption must bring about a “transformation of data into a form in which meaning cannot be assigned.”
• This means that the data must be altered into an unreadable form.
• Password protection is not enough.
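The distinction this slide and the laptop-encryption requirement draw, as an added example that is not part of the presentation: a password gate only controls who gets through the login screen and leaves the personal information readable in the stored bytes, while encryption transforms the record so that no meaning can be recovered without the key. The record and password are constructed sample values, and the cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in chosen so the example runs without third-party packages; a deployment would use a vetted cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
ITERATIONS = 100_000  # PBKDF2 work factor for deriving keys from the password
# Constructed sample record; the SSN and card number are placeholders, not real values.
RECORD = b"Jane Doe, SSN 000-12-3456, acct 4111-1111-1111-1111"
PASSWORD = b"correct horse battery staple"

def password_gated_store(record: bytes, password: bytes) -> bytes:
    """'Password protection': a salted password hash guards the login screen,
    but the record itself is written to disk exactly as it was entered."""
    salt = os.urandom(16)
    gate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return salt + gate + record

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib-only stand-in for a real block cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _derive_keys(password: bytes, salt: bytes):
    master = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=64)
    return master[:32], master[32:]  # separate encryption and MAC keys

def encrypt(record: bytes, password: bytes) -> bytes:
    """Encrypt-then-MAC: the stored bytes carry no recoverable meaning without the key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag

def decrypt(blob: bytes, password: bytes) -> bytes:
    """Verify the tag first; reject a wrong key or a tampered blob before decrypting."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def meaning_recoverable(stored: bytes) -> bool:
    """Can someone holding only the stored bytes read the personal information?"""
    return b"Jane Doe" in stored or b"000-12-3456" in stored

if __name__ == "__main__":
    print("password-gated blob leaks the record:", meaning_recoverable(password_gated_store(RECORD, PASSWORD)))
    print("encrypted blob leaks the record:     ", meaning_recoverable(encrypt(RECORD, PASSWORD)))
```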
What If Law Requires Contracting With A Particular Third-Party Service Provider?
• If state or federal law requires the use of a specific third-party service provider, then the obligation to select and retain would effectively be met.

What Should You Do Now?
• Develop a plan in advance of the March 1, 2010 effective date
• Evaluate the protection mechanisms you have in place, and determine how they must be revised
• Talk to your colleagues – lawyers, IT, etc. – to determine what makes sense for your business
• Start now – these changes will take time, and March is right around the corner