Mass Information Security Requirements, January 2010

Slide 1: Massachusetts Privacy Laws – Protecting Personal Information
Can You Do It?
Presented By: Mark R. Adams, Esq., SPHR
January 13th, 2010
Slide 2: Agenda
- Background / history leading to the requirements
- Overview of the Massachusetts Data Protection Law
- What is “Personal Information?”
- What is a “Comprehensive Written Information Security Program?” (CWISP)
- Issues to consider in developing a program that meets your company’s needs
- Logistical problems in keeping information accessible yet confidential
- Penalties for non-compliance
- Enforcement
Slide 3: Background
Massachusetts requirements are in response to high-profile identity theft cases:
- The TJX Companies: Massachusetts-based retailer with approx. 2,500 stores.
- Computer system first breached in July 2005.
- Information from 45.7 million cards was stolen from transactions from January through November 2003; TJX did not discover the breach until late 2006.
- 455,000 customers affected.
Slide 4: Background
Massachusetts requirements are in response to high-profile identity theft cases:
- The TJX Companies: TJX settled in late 2007 and early 2008 with issuing banks of Visa and MasterCard for $40.9 million and $24 million, respectively.
- TJX reached an agreement with the FTC in April 2008 to immediately upgrade and implement comprehensive data security procedures and to submit to outside audits.
- In August 2008, 11 individuals were indicted for crimes in connection with what the Justice Department described as “the single largest and most complex identity theft case ever charged in this country.”
Slide 5: Background
Massachusetts requirements are in response to high-profile identity theft cases:
- Hannaford Brothers Company: Maine-based supermarket chain with 165 stores in the Northeast.
- Security breach began in December 2007.
- Credit card numbers were stolen when shoppers swiped their cards and the information was transmitted to banks for approval.
Slide 6: Background
Massachusetts requirements are in response to high-profile identity theft cases:
- Hannaford Brothers Company: Estimated 4.2 million credit and debit card numbers were exposed.
- The thefts occurred despite Hannaford’s compliance with the Data Security Standards promulgated by the Payment Card Industry (PCI), which do not require companies to encrypt data at the point of sale, raising doubts about the sufficiency of the PCI standards and merchants’ reliance on them.
- 1,800 cases of reported fraud related to the breach.
Slide 7: “New” Law
The first stage of the law, Chapter 93H:
- Effective on October 31, 2007
- Requires notification to residents and state authorities if personal information is improperly accessed or used.
The second stage of the law, Chapter 93I:
- Became effective on February 3, 2008
- Mandates destruction of hard copy and electronic data containing personal information
- Sets forth minimum standards for proper disposal of paper or electronic records containing personal information: “electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.”
Slide 8: “New” Law
- New comprehensive regulations (201 CMR 17.00)
- Regulations issued originally to be effective January 1, 2009
- Effective on March 1, 2010
- Define parameters of a Comprehensive Written Information Security Program (“CWISP”): policies and procedures for storing and protecting personal information, and employee training
Slide 9: What is protected personal information?
- The first and last name, or first initial and last name; PLUS
- Any one of the following: social security number; driver’s license number; state identification number; financial account, debit or credit card number [in combination with or without any required security code, access code or password that would permit access to the individual’s account].
- Applies to both electronically stored information and paper files.
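As an added illustration for the definition above (not part of the presentation), the following Python applies the slide's name-PLUS-data-element test to structured records such as HR files or support tickets. The field names, the sample records and the Luhn plausibility filter for card-like numbers are constructed for this example and are not taken from the regulation.

```python
import re

# Name element: first name (or first initial) plus last name, e.g. "Jane Doe", "J. Doe".
NAME_RE = re.compile(r"^(?:[A-Z][a-z]+|[A-Z]\.?)\s+[A-Z][A-Za-z'\-]+$")
# Nine-digit SSN, hyphens optional, rejecting area/group/serial values never issued.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")

# Constructed mapping from record field names to the data elements the slide lists.
ELEMENT_FIELDS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license number",
    "state_id": "state identification number",
    "account_number": "financial account number",
    "card_number": "credit or debit card number",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """13-19 digits (spaces/hyphens ignored) that pass the Luhn check."""
    digits = re.sub(r"[\s-]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def has_name(record: dict) -> bool:
    if record.get("first_name") and record.get("last_name"):
        return True
    return bool(NAME_RE.match(str(record.get("name", "")).strip()))


def classify(record: dict) -> dict:
    """Apply the slide's test: a name PLUS at least one listed data element."""
    elements = [label for f, label in ELEMENT_FIELDS.items() if record.get(f)]
    # Free-text fields (notes, comments) often carry an element the schema never named.
    for key, value in record.items():
        if key in ELEMENT_FIELDS or key in ("name", "first_name", "last_name"):
            continue
        if not isinstance(value, str):
            continue
        if SSN_RE.match(value.strip()):
            elements.append(f"Social Security number (in '{key}')")
        elif looks_like_card(value):
            elements.append(f"card number (in '{key}')")
    return {"personal_information": has_name(record) and bool(elements),
            "elements": elements}


# Constructed sample records; the people and numbers are fictitious.
SAMPLE_RECORDS = {
    "hr_file": {"name": "Jane Doe", "ssn": "123-45-6789", "dept": "Finance"},
    "newsletter": {"name": "J. Doe", "email": "jdoe@example.com"},
    "card_only": {"card_number": "4111 1111 1111 1111", "expiry": "12/11"},
    "support_ticket": {"first_name": "John", "last_name": "Roe",
                       "notes": "4111-1111-1111-1111"},
}
```

The card-only record is not "personal information" under this definition because no name accompanies the number, though it remains sensitive under PCI; the ticket whose free-text note holds a card number is, which is why the scan covers unnamed fields.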
Slide 10: Exercise
What Records Contain Personal Information?
Slide 11: Identity Theft Law: Employer obligations
- Notice to: the person affected; the Attorney General’s Office; the Director of Consumer Affairs and Business Regulation
- Notice regardless of whether there is a likelihood of harm
- Destruction.
Slide 12: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Risk Assessment:
- Designating an employee to maintain the program;
- Identifying and assessing reasonably foreseeable internal and external risks to the security;
- Evaluating and improving the effectiveness of the current safeguards, including but not limited to: ongoing employee (including temporary and contract employee) training; employee compliance with policies and procedures; and means for detecting and preventing security system failures.
Slide 13: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Information Storage Assessment:
- Identify where personal information is stored, including paper, electronic and other records, computing systems, and storage media, laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.
Slide 14: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Policy Development:
- Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises;
- Impose disciplinary measures for violations of the program rules;
- Prevent terminated employees from accessing records by immediately terminating their access.
Slide 15: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Third Party Compliance:
- Contractually requiring service providers to maintain such safeguards;
- Take “reasonable steps” to verify that third-party service providers are capable of maintaining appropriate security measures to protect personal information;
- What are examples of reasonable steps?
Slide 16: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Limiting Access to Personal Information:
- Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected;
- Limit the time such information is retained to that reasonably necessary to accomplish such purpose;
- Limit access to those persons who are reasonably required to know such information.
Slide 17: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Limiting Access to Personal Information:
- Place reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted;
- Storage of such records and data in locked facilities, storage areas or containers.
Slide 18: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Monitoring and Maintenance:
- Regularly monitor to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and
- Upgrading information safeguards as necessary to limit risks.
Slide 19: What Is a CWISP?
A Comprehensive Written Information Security Program (CWISP) must include:
Monitoring and Maintenance:
- Review the scope of the security measures at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Document responsive actions taken in connection with any incident involving a breach of security.
- Conduct mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
Slide 20: What Is a CWISP?
For electronically stored files, employers must maintain a security system that:
- Secures user IDs and passwords
- Blocks access after multiple unsuccessful attempts to log in
- Encrypts records traveling across public networks and transmitted wirelessly
- Encrypts personal information stored on laptops and other devices (smartphones, memory sticks, PDAs, etc.)
- Deadline for ensuring encryption on laptops: May 1, 2009. Deadline for ensuring encryption on other devices: January 1, 2010.
Slide 21: What Is a CWISP?
For electronically stored files, employers must maintain a security system that:
- Has reasonably up-to-date firewall protection for files containing personal information on a system that is connected to the Internet
- Has reasonably up-to-date malware protection
- Educates and trains employees on the proper use of the computer security system and the importance of personal information security.
Slide 22: What Is a CWISP?
Destruction of personal information:
- Personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed
- Unacceptable forms of destruction (destruction takes more than just “hitting the delete button”): smashing the hard drive with a hammer; drilling a hole (or multiple holes) in the hard drive
- Acceptable forms of destruction: hard drive shredding; scrubbing; degaussing
Slide 23: What Is a CWISP?
Destruction of personal information:
- Hard drive shredding: Melts all the particles within the drive. While inexpensive, shredding is only an option if you can afford to constantly purchase new hard drives.
- Scrubbing: Programs that delete the data stored on a hard drive and then overwrite it with random data several times.
Slide 24: What Is a CWISP?
Destruction of personal information:
- Degaussing: Data is stored in magnetic media, such as hard drives, tapes and diskettes (floppy disks), by making very small areas change their magnetic alignment to go in a certain direction. Degaussing equipment applies a strong magnetic field to the media, effectively destroying it because it removes the magnetic alignment. Again, this process is only useful if you can afford to continually purchase new storage media. Further, there is no way to be sure that the degaussing was successful.
Slide 25: What Is a CWISP?
Destruction of personal information:
- Options are generally expensive
- Recommend companies use third parties who can destroy the information for them.
Slide 26: Issues to Consider
- What files are being preserved, and WHERE?
- Who will be accessing this information?
- How is this information safeguarded? Centralized? Decentralized?
Slide 27: Structure and Organization
- Who is going to be accessing these files? HR? Supervisors? Employees? Third parties?
- Where are these files being accessed from? Office? Home?
Slide 28: Access and Safeguard Issues
The greater the access – the greater the need for structure:
- Making sure firewalls and encryption software are updated to protect the level of access
- The need for a policy and training of staff on acceptable computer use.
Slide 29: Access and Safeguard Issues
The greater the access – the greater the need for structure:
- Different passwords with different levels of access to information
- Need to ACTIVELY oversee that access is added and removed in a timely manner
- Regulate how passwords are provided and changed
- Don’t get locked out of your proprietary information!
Slide 30: Computer Use Policy
Elements:
- Define who is subject to the policy
- Computer, email, network and servers are company property
- No right to privacy regarding files, data or email messages stored or transmitted through a company’s network or systems.
- Limited to use in the normal course of business
- Information accessed or retrieved is only to be used or shared with persons who have a “need to know”
- Extend the standard to home access/telecommuting.
Slide 31: Computer Use Policy
Elements:
- Prohibit illegal, personal and unprofessional material from being transmitted through systems, including email!!!!
- Define where files are to be created and stored (on the network or on individual PCs)
- Require use of proper naming protocols for files and folders
- Passwords must be kept on file at all times
- Only software licensed to the company is permitted to be loaded onto systems.
- Tie enforcement to the discipline policy.
Slide 32: Retention and Purging Policies
Policy and procedures need to operate within these constraints:
- Identifying communication channels between HR and IT for reviewing files scheduled to be removed
- Methodology for indexing or classifying files that can be expunged or deleted
- Temporary files v. semi-permanent or permanent files
- If email incorporates documents that need to be retained, identifying protocols for archiving and preserving that information in conjunction with other files.
- MAKING SURE HR AND IT ARE ON THE SAME PAGE!!!!
Slide 33: Penalties for Non-Compliance

| Area of Non-Compliance | Monetary Damages |
| --- | --- |
| Unreasonable delay/failure to provide notice of security breach to the attorney general, director of the OCABR and affected resident | $5,000 fine; reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees. |
| Failure to maintain a written, comprehensive information security system | $5,000 fine; reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees. (effective 3/01/2010) |
| Improper disposal of records containing PI | $100 fine per individual affected, maximum of $50,000 per instance of improper disposal |
| Failure to take all reasonable steps to verify that third-party service with access to PI has capacity to protect PI | $100 fine per individual affected, maximum of $50,000 per instance of improper disposal (effective 3/01/2010) |
| Failure to take all reasonable steps to ensure that third-party service is applying security measures to PI | $100 fine per individual affected, maximum of $50,000 per instance of improper disposal (effective 3/01/2010) |
Slide 34: Enforcement
- Massachusetts Office of the Attorney General
- Office of Consumer Affairs and Business Regulation (OCABR)
- Individuals can sue on their own:
  - Unfair or deceptive trade practices pursuant to G.L. c. 93A, § 11: an individual may seek injunctive relief and/or monetary damages, including double or treble damages, attorneys' fees and costs.
  - Negligence: an individual may seek actual and consequential damages against a non-compliant entity.
Slide 35: Questions?
Employers Association of the NorthEast
3 Convenient Offices:
- 67 Hunt Street, PO Box 1070, Agawam, MA 01001-6070, 413-789-6400
- 250 Pomeroy Avenue, Suite 200, Meriden, CT 06450, 203-686-1739
- 67 Millbrook Street, Worcester, MA 01606, 508-767-3415
Toll Free – 877-662-6444
www.eane.org