
Agency Data Breach Responsibilities: MGL ch. 93H and Executive Order 504




  1. Agency Data Breach Responsibilities: MGL ch. 93H and Executive Order 504
     Massachusetts Digital Government Summit, October 20, 2008

  2. Summary
     • MGL 93H (brief review)
     • Executive Order 504

  3. MGL 93H
     • 93H: Security Breaches/Unauthorized Access (effective 10/31/07)
     • Note 93I: Data destruction and disposition (not the subject of this presentation)

  4. 93H Applicability: A limited data set: “personal information”
     • Personal information (PI) =
       • [(a resident’s first name + last name) or (first initial + last name)]
       • in combination with any 1 or more of the following:
         • (a) SSN,
         • (b) driver’s license or Mass. ID card, or
         • (c) financial account number, credit or debit card number, with or without required security access code, personal ID number, or password that would permit account access
       • BUT NOT information lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
     • Narrowly defined
     • No biometric identifiers included

  5. 93H Applicability: Private Sector plus Agencies
     • Agency broadly defined: any executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof

  6. 93H: Two Basic Rules
     • Triggering Events Require Notice
     • Agencies must Protect PI

  7. Triggering Events, cont.
     • Two types of Triggering Events involving personal information (PI):
       • Security breaches, OR
       • PI acquired or used by an unauthorized person, or used for an unauthorized purpose

  8. Triggering Events, cont.
     • First Type of Triggering Event: Breach of Security
       • unauthorized acquisition or unauthorized use of
         • unencrypted data, or
         • encrypted electronic data and the confidential process or key
       • capable of compromising the security, confidentiality or identity of PI
         • Note that the unauthorized acquisition or use doesn’t have to be of the PI itself
       • creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
     • Exception: Good faith but unauthorized acquisition of PI by an agency or its employees or agents for the lawful purposes of such person or agency is not a breach of security unless the PI is
       • used in an unauthorized manner, or
       • subject to further unauthorized disclosure.

  9. Triggering Events, cont.
     • Second Type of Triggering Event: PI acquired or used by an unauthorized person, or used for an unauthorized purpose
       • No further definition
       • Unlike security breach, must pertain to the PI itself, not just to data that may result in compromise of PI

  10. Triggering Events, cont.
     • What Form of Notice do Agencies Have to Provide when a Triggering Event Occurs?
       • Written, OR
       • Electronic, if provided consistent with E-SIGN consumer protection provisions (for pre-existing electronic relationship with consumer, see 15 USC 7001(c)), OR
       • “Substitute notice” if the agency required to provide notice demonstrates that:
         • cost of providing written notice > $250,000,
         • affected class of Mass. residents to be notified > 500,000 residents, or
         • agency does not have sufficient contact information to provide notice

  11. Triggering Events Require Notice
     • Substitute Notice: Agency must engage in ALL, not just one, of the following:
       • Email if agency has email addresses for members of the affected class, AND
       • Clear and conspicuous posting of the notice on the home page of the agency if agency has a website, AND
       • Publication in or broadcast through media or medium that provides notice throughout the commonwealth

  12. Triggering Events Require Notice
     • Supervisor of Public Records must issue rules regarding reporting and investigating triggering events
       • Status: rules have not yet been issued; SPR Bulletin to come
     • But agencies are already subject to rules regarding reporting and investigating included in the ITD Cybercrime and Security Incident Policy; go to www.mass.gov/itd, click on Policies and Standards, then click on Security

  13. Triggering Events Require Notice
     • When do agencies have to provide notice of triggering events?
       • When agency knows or should have known of triggering events: “As soon as practicable and without unreasonable delay”
       • Notice may be delayed if law enforcement agency
         • determines that provision of notice will impede criminal investigation
         • has notified AG in writing thereof
         • informs the agency of such determination
       • Once law enforcement agency informs agency that notification no longer poses a risk, notification must be provided.

  14. Triggering Events Require Notice
     • To whom does the agency need to provide notice?
       • Notice requirements differ depending on whether agency
         • Maintains and stores data for owner or licensor (1 notice)
         • Is the owner or licensor of data (6 notices)

  15. Triggering Events Require Notice
     • Agency that maintains or stores, but does not own or license, data that includes PI about state residents must provide notice to
       • Owner or licensor of data

  16. Triggering Events Require Notice
     • Agency that owns or licenses data that includes PI about a resident must provide notice to
       • AG
       • OCA, which must provide notice to agency of any relevant consumer reporting agency or state agency
       • Resident
       • Relevant Consumer Reporting Agency (see information on OCA sites)
       • ITD (if Executive Department Agency)
       • Supervisor of Public Records (if Executive Department Agency)

  17. Triggering Events Require Notice
     • What content must agencies include in notice?
     • Notice to owner or licensor of data:
       • Triggering event (later, cooperate with owner or licensor and inform them of the date of the triggering event and the nature thereof, and steps the agency has taken or will take related to the incident)
       • See OCA website, www.mass.gov/oca
     • Notice to resident:
       • Consumer’s right to obtain police report
       • How to request a security freeze (OCA has posted online on its website a Consumer Advisory with specific information about how to contact the three consumer reporting agencies)
       • Fees required to be paid to consumer reporting agencies
       • But NOT the nature of the breach or unauthorized acquisition or use, or the number of residents of the commonwealth affected by it.

  18. Triggering Events Require Notice
     • Notice to AG, OCA, consumer reporting agencies or other agencies must include:
       • Nature of the triggering event
       • Number of residents affected
       • Steps the agency has taken or plans to take
     • Notice to ITD and SPR must include nature and circumstances of the triggering event

  19. Triggering Events Require Notice
     • SPR must adopt rules regarding reporting and investigation of incidents
       • Status: Not yet issued.

  20. Protect PI
     • The Supervisor of Public Records, with the advice and consent of ITD insofar as ITD sets IT standards for the Exec Department, must establish rules or regs
       • Applicable to executive offices and authorities, designed to
         • safeguard PI;
         • ensure PI security, confidentiality, integrity;
         • protect against unauthorized access to or use of PI that could result in substantial harm or inconvenience to any resident of the Commonwealth.
       • Status: Not yet issued.

  21. Protect PI
     • Don’t wait for the SPR Rules to start protecting your PI! Exec Department Agencies are already subject to ITD standards and policies regarding data security and incident reporting. See ITD website, www.mass.gov/itd, under “Policies, Standards and Guidance” and “Security”. Topics:
       • Attack Intrusion Notification
       • Cybercrime and Security Incidents
       • Electronic Messaging Communications Security
       • Information Security Policy
       • Data Classification
       • Public Access and E-Government Applications
       • Remote Access
       • Wireless
     • Also, agencies are already subject to EO 504

  22. Security Breaches, cont.
     • Conflict of Laws: The Mass. ID Theft law does not override other state and federal laws regarding protection and privacy of PI to which an agency is subject
     • Safe Harbor: A person (not agency) who maintains procedures for responding to a breach pursuant to federal laws, rules, regs, guidance or guidelines is in compliance with this chapter if they
       • notify affected Mass. residents in accordance with the maintained or required procedures when a breach occurs, and
       • notify AG and OCA as well.
     • Omission of agencies in safe harbor language may be a drafting error

  23. Penalties • Civil money penalties for violation of sections of act pertaining to security breaches

  24. Executive Order 504

  25. Executive Order 504
     • Before Executive Order (E.O.) 504
     • Requirements
     • What’s new?
     • Next Steps

  26. Before EO 504
     • ITD’s Enabling Legislation enables ITD to set information technology standards for the Executive Department
     • Executive Department budget language annually gives ITD authority over IT projects of $200,000 and over.
     • Enterprise Security Board (ESB) voluntarily created by ITD under CIO’s general authority in 2001
     • With the advice of ESB, ITD has issued enterprise security policies addressing
       • Attack intrusion notification
       • Cybercrime and security incidents
       • Electronic messaging communications security
       • Information security policy
       • Data classification
       • E-government apps public access policy and standards
       • Remote access
       • Wireless implementations

  27. Before EO 504, cont.
     • Agencies subject to contractual security requirements. Examples:
       • Payment Card Industry (PCI) Data Security Standards: certain data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit, or store cardholder data
       • Social Security Administration Information Exchange Agreement: governs the transmission of data files received from and sent to the Social Security Administration

  28. Before EO 504, cont.
     • Law breaks down along two lines:
     • Privacy (rules about who gets to see sensitive data – broader than security)
       • Examples:
         • see HIPAA privacy rule;
         • main sections of FIPA (Fair Information Practices Act, MGL ch. 66A); exemptions to public records law
         • CORI
       • Principles governing protection of privacy data:
         • Notice;
         • Purpose;
         • Consent;
         • Security;
         • Disclosure;
         • Access; and
         • Accountability
     • Security (rules about the physical, technical, administrative methods of limiting access – a means to effectuate privacy rules)
       • see HIPAA security rule;
       • one section of FIPA;
       • Internal Revenue Manual 30.6.1 Security of Confidential Information

  29. Before EO 504, cont.
     • Executive Order 412
       • Review policies and practices regarding information related to individuals
       • Determine minimum quantity of personal information needed to collect, and reform policies and practices regarding dissemination and security
       • Adopt a policy regarding employee expectations of privacy

  30. Executive Order 504 -- Summary
     • Revokes EO 412 (but reinstates many of its terms)
     • Doesn’t change
       • Pre-existing contractual requirements imposed on the state
       • Pre-existing security or privacy laws
     • Requirements Imposed On:
       • Executive Department Agencies (not Ex. Branch, Leg., Jud., or Authorities)
       • ITD and the CIO
       • Enterprise Security Board

  31. Executive Department Agencies Must…
     • “Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of”
       • Personal Information: as defined in the Security Freezes and Notification of Data Breaches Statute (G.L. 93H)
       • Personal Data: as defined under FIPA
     • Personal Information (G.L. 93H):
       • Resident’s first name (or initial) and last name in combination with
         • Social security number;
         • Driver’s license (or state-issued ID) number; or
         • Financial account number
     • Personal Data under FIPA:
       • Any information which, because of name, identifying number, mark or description, can be readily associated with a particular individual.
       • Except information that is contained within a public record (G.L. c. 4 § 7(26)).

  32. Executive Department Agencies Must…
     • Develop, implement and maintain written information security programs
     • Collect minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is being collected
     • Securely store and protect against unauthorized
       • access
       • destruction
       • use
       • modification
       • disclosure
       • loss
     • Disclose on a need-to-know basis
     • Destroy information as soon as it is no longer needed or required to be maintained under state or federal law
     • Address administrative, technical, and physical safeguards
     • Comply with federal and state privacy and security laws and regs

  33. Personal Information: Information Security Program / Electronic Security Plan
     Executive Department Agencies Must…
     • Develop and implement written information security programs…
       • Cover all personal information (not restricted to electronic information)
       • Electronic personal data must be addressed in a subset of the Information Security Program (ISP) called an “electronic security plan” (ESP)

  34. Executive Department Agencies Must…
     • Appoint an Information “Security” Officer (really a Security and Privacy Officer), who
       • Reports directly to Agency head
       • Signs agency ISP and its ESP
       • Coordinates Agency’s compliance with
         • E.O. 504
         • Federal and state laws and regulations (presumably privacy and security)
         • ITD security standards and policies
     • Have Agency Head certify all Programs, Plans, Self-Audits and Reports
     • By September 2009, attend mandatory security training for
       • all agency heads, managers, supervisors, employees (including contract employees)
       • Re: how to identify, maintain and safeguard records and data
     • Incorporate required contract language regarding security in all contracts entered into post January 1, 2009; breach constitutes breach of contract.
     • Fully cooperate with ITD, including ITD requests for information, in connection with ITD fulfillment of responsibilities

  35. ITD and the CIO: Authority and Oversight
     • CIO shall have the authority, re: Electronic Security Plans (ESPs) (NOT agencies’ entire Information Security Program), to:
       • Issue guidelines, standards, and policies about development, implementation and maintenance of ESPs;
       • Require that agencies submit ESPs to ITD for review
       • Specify when agencies must submit supplemental or updated ESPs
       • Establish and oversee periodic self-audit reporting requirements (but must require self-audit no less than annually). Self-audits are against:
         • ITD standards
         • ESPs
         • Federal and state privacy and security laws [presumably only e-related]
       • Conduct reviews to assess agency compliance
       • Issue MGL 93H “report to ITD” policy
     • How is this authority enforced?
       • With approval of ANF, determine remedial action for non-compliant agencies and impose terms and conditions on agency’s IT-related expenditures and IT capital funding

  36. ITD and the CIO: Authority and Oversight, cont.
     • Procurement:
       • Develop mandatory standards and procedures for agencies to follow before entering contracts that will allow third party access to
       • Standards must require that measures be taken to
       • Draft, with OSC and OSD, contract provisions including certification that contractor has
         • Reviewed and will comply with information security programs, plans, guidelines, standards and policies
         • Communicate and enforce those provisions against their subcontractors
       • Implement any other reasonable and appropriate measures to protect personal information

  37. Enterprise Security Board
     • Enterprise Security Board (ESB) has operated for 7 years solely at ITD’s discretion
     • EO 504 gives legal footing to ESB
       • Acts as a “consultative body to advise the CIO”
       • Advises CIO in developing guidelines, standards and policies governing implementation of EO 504
     • CIO shall determine members and makeup of ESB, but membership shall be drawn from
       • State employees from Executive Department
         • Experience in IT, privacy, and security
       • Representatives from Judicial and Legislative Branches
       • Other constitutional offices
       • Quasi-public authorities

  38. EO 504 Summary—What’s New?
     • Requirement for agency security officers (addressing both Privacy and Security) and written information security plans (including ESPs)
     • Requirement for at least annual agency ESP self-audit, sent to ITD
     • Additional ANF/ITD authority over agency IT spending based on agency compliance with ESP self-audit
     • Less uncertainty regarding ESB survival in the future
     • Focus on data destruction (also required under G.L. c. 93I)
     • Agencies must give full cooperation, and information, to ITD

  39. Linda Hamel, General Counsel, ITD
     Linda.Hamel@state.ma.us
     (617) 626 4404
     Acknowledgments to Stephanie Zierten, ITD Deputy General Counsel, for EO 504 slides and graphics throughout
