An Act Relative to Security Freezes and Notification of Data Breaches, Chapter 82 of the Acts of 2007. Massachusetts Digital Government Summit, Securing Private Information Session.


An Act Relative to Security Freezes and Notification of Data Breaches, Chapter 82 of the Acts of 2007. Massachusetts Digital Government Summit, Securing Private Information Session, December 11, 2007

One More Addition to Existing Data Security Rules
- HIPAA Security Rule
- Fair Information Practices Act
- Social Security Administration Agreements
- PCI-DSS Requirements
- And now, the Commonwealth's Identity Theft Act...

Summary
- Credit Report Freeze: effective October 31, 2007
- Security Breaches: effective October 31, 2007
- Disposition and Destruction of Records: effective February 3, 2008

Credit Report Freeze, Sections 1 through 16 of the Act
- Chapter 93, s. 62(A)
- If their identity is stolen, the consumer has the right to control who has access to their credit report, except under certain circumstances, including:
  - State agencies, law enforcement agencies, or the trial court acting under a court order, warrant or subpoena
  - The Massachusetts child support agency (DOR)
  - EOHHS when investigating Medicaid fraud
  - DOR investigating or collecting delinquent taxes or unpaid court orders, or fulfilling other statutory responsibilities

Security Breaches, Section 16 of the Act
- Creates MGL ch. 93H
- Key definitions
- "Agency" is broadly defined to include, among others, all executive department agencies

Security Breaches, cont.
- Agencies have a notice obligation when:
  - there is a breach of security involving PI, OR
  - PI is acquired or used by an unauthorized person, OR
  - PI is used for an unauthorized purpose

Security Breaches, cont.
- Breach of security = unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key that is capable of compromising the security, confidentiality or integrity of personal information maintained by a person or agency, that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
  - A good-faith but unauthorized acquisition of PI by a person or agency, or by an employee or agent thereof, for the lawful purposes of that person or agency is not a breach of security unless the PI is used in an unauthorized manner or subject to further unauthorized disclosure.

Security Breaches, cont.
- Personal information (PI) =
  - [(first name + last name) or (first initial + last name)]
  - in combination with any one or more of the following:
    - SSN
    - driver's license or Mass ID card number
    - financial account number, or credit or debit card number, with or without any required security access code, personal ID number, or password that would permit account access
  - BUT NOT information lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public
- (No biometric identifiers included)

Security Breaches, cont.
- Encrypted = transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of the confidential process or key, unless further defined by regulation of the Department of Consumer Affairs and Business Regulation (OCA).

Security Breaches, cont.
- Data = any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics
- Electronic = relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities

Security Breaches, cont.
- Notice [to consumers]:
  - Written
  - Electronic, if provided consistent with the E-SIGN consumer protection provisions (15 USC Section 7001(c)) and the UETA consumer protection provisions (MGL ch. 110G)
  - "Substitute notice" if the agency required to provide notice demonstrates that:
    - the cost of providing written notice will exceed $250,000,
    - the affected class of Mass. residents to be notified exceeds 500,000 residents, or
    - the agency does not have sufficient contact information to provide notice

Security Breaches, cont.
- Substitute notice [to consumers] is all of the following:
  - E-mail notice, if the agency has e-mail addresses for the members of the affected class
  - Clear and conspicuous posting of the notice on the home page of the agency, if the agency has a website, AND
  - Publication in or broadcast through media or a medium that provides notice throughout the commonwealth

Security Breaches
- The supervisor of public records, with the advice and consent of ITD insofar as ITD sets IT standards for the executive department, must establish rules or regulations designed to safeguard the PI of residents of the Commonwealth that is owned or licensed.
- Purpose of the rules:
  - Ensure the security and confidentiality of PI
  - Protect against anticipated threats or hazards to the security or integrity of such information
  - Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any resident of the Commonwealth
- Take into account the size, scope and type of services provided by agencies
- The legislature, judiciary, and constitutional offices are to adopt their own rules
- Status: ITD is working on an SPR Bulletin with the Supervisor of Public Records

Security Breaches
- The notice obligation is triggered when the agency knows or should have known:
  - of a breach of security, or
  - that PI was acquired or used by an unauthorized person or for an unauthorized purpose
- Notice must be provided "as soon as practicable and without unreasonable delay"
- Notice requirements differ depending on whether the agency:
  - maintains and stores data for the owner or licensor, or
  - is the owner or licensor of the data [uses the defined notice and substitute notice terms]

Security Breaches, cont.
- An agency that maintains or stores, but does not own or license, data that includes PI about state residents must provide notice to the owner or licensor of the data

Security Breaches, cont.
- In addition, such an agency must cooperate with the owner or licensor of the PI, including informing them of:
  - the breach of security or unauthorized acquisition or use
  - the date of the incident
  - the nature thereof
  - the steps the agency has taken or plans to take relating to the incident

Security Breaches, cont.
- An agency that owns or licenses data that includes PI about a resident must provide notice to the AG, OCA and the resident.
- Upon receipt of notice, OCA must inform the reporting agency of any relevant consumer reporting agency or state agency, and the agency must then provide notice to that relevant consumer reporting agency.

Security Breaches, cont.
- Notice to the resident must include:
  - the consumer's right to obtain a police report
  - how to request a security freeze
  - the fees required to be paid to consumer reporting agencies
  - but NOT the nature of the breach or unauthorized acquisition or use, or the number of residents of the commonwealth affected by it

Security Breaches, cont.
- Executive department agencies must also provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use to:
  - ITD
  - the supervisor of public records
- and must comply with all policies and procedures adopted by them pertaining to reporting and investigating the incident.
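The breach, PI and encryption definitions on the preceding slides, together with the maintainer-versus-owner notice rules and the substitute-notice thresholds, amount to a decision procedure that an incident responder has to walk through under time pressure. The following is an added example, not code from the presentation or from ITD, that encodes those slide definitions as data and returns the resulting notification plan. The Exposure and Agency record layouts, the column names, and the sample incident are assumptions made for the example; the element lists, the 128-bit floor, the $250,000 and 500,000-resident thresholds and the recipient lists come from the slides.

```python
"""Added example (not from the presentation): a decision helper that encodes
the ch. 93H definitions and notice rules from the slides as data, so an
incident responder can record what was exposed and read back whether it is
"personal information", whether the exposure is a "breach of security", and
who has to be notified and how.  The Exposure/Agency records, the field names
and the sample incident are assumptions made for this example."""
from dataclasses import dataclass

# Data elements that, combined with a name, make a record PI under ch. 93H
# (security breaches).  ch. 93I (disposal) adds biometric indicators.
PI_ELEMENTS_93H = {"ssn", "drivers_license", "mass_id",
                   "financial_account", "credit_card", "debit_card"}
PI_ELEMENTS_93I = PI_ELEMENTS_93H | {"biometric"}

# Substitute-notice thresholds and the "encrypted" strength floor from the slides.
SUBSTITUTE_COST_USD = 250_000
SUBSTITUTE_RESIDENTS = 500_000
MIN_ENCRYPTION_BITS = 128


@dataclass
class Exposure:
    """What left the agency's control (assumed record layout)."""
    fields: set                          # column names in the exposed data set
    encrypted: bool = False
    key_bits: int = 0                    # strength of the algorithmic process
    key_compromised: bool = False        # confidential process or key also exposed
    public_source: bool = False          # lawfully obtained from public records
    good_faith_internal: bool = False    # employee/agent acting for a lawful purpose
    further_misuse: bool = False         # ...who then used or disclosed it without authority


@dataclass
class Agency:
    """Facts about the reporting agency (assumed record layout)."""
    owns_or_licenses: bool               # False = merely maintains/stores for another
    executive_department: bool
    residents_affected: int
    written_notice_cost_usd: float
    has_contact_info: bool


def has_name(fields):
    """(first name or first initial) + last name."""
    return "last_name" in fields and bool({"first_name", "first_initial"} & fields)


def is_personal_information(fields, chapter="93H", public_source=False):
    """Name plus at least one listed element; 93H alone carves out public-record data."""
    if chapter == "93H" and public_source:
        return False
    elements = PI_ELEMENTS_93H if chapter == "93H" else PI_ELEMENTS_93I
    return has_name(fields) and bool(elements & fields)


def is_encrypted(exp):
    """Only a 128-bit-or-stronger process counts as encryption under the definition."""
    return exp.encrypted and exp.key_bits >= MIN_ENCRYPTION_BITS


def is_breach_of_security(exp):
    """Unauthorized acquisition/use of unencrypted PI, or of encrypted PI plus its key."""
    if not is_personal_information(exp.fields, "93H", exp.public_source):
        return False
    if exp.good_faith_internal and not exp.further_misuse:
        return False                     # good-faith acquisition exception
    return (not is_encrypted(exp)) or exp.key_compromised


def notice_method(agency):
    """Written/electronic notice unless any substitute-notice condition is met."""
    if (agency.written_notice_cost_usd > SUBSTITUTE_COST_USD
            or agency.residents_affected > SUBSTITUTE_RESIDENTS
            or not agency.has_contact_info):
        return "substitute"              # home-page posting plus statewide media
    return "written_or_electronic"


def notification_plan(exp, agency):
    """Recipients the slides require, in order; empty list when there is no duty."""
    if not is_breach_of_security(exp):
        return []
    if agency.owns_or_licenses:
        plan = ["attorney_general", "OCA", "residents:" + notice_method(agency)]
    else:
        plan = ["owner_or_licensor"]     # maintainer/storer notifies the data owner
    if agency.executive_department:
        plan += ["ITD", "supervisor_of_public_records"]
    return plan


if __name__ == "__main__":
    # Constructed sample incident: a small executive-department agency that owns
    # an unencrypted export of names and SSNs.
    exp = Exposure(fields={"first_name", "last_name", "ssn"})
    agency = Agency(owns_or_licenses=True, executive_department=True,
                    residents_affected=1_200, written_notice_cost_usd=3_000.0,
                    has_contact_info=True)
    print(notification_plan(exp, agency))
```

The useful property of keeping the definitions as data is that the two places where the slides differ (93I counts biometrics and has no public-record carve-out; 93H does not) are visible as one set union and one `chapter` check rather than buried in prose, and the encrypted-with-key case, which responders most often get wrong, is a single explicit branch in `is_breach_of_security`.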

Security Breaches, cont.
- ITD Enterprise Cybercrime & Security Incident Response Policy and Procedures
- Required notification:
  - To CommonHelp via
  - Then CSIRT (Cybercrime Incident and Response Team) at

Security Breaches, cont.
- Other requirements of the CSIP:
  - Event log
  - Investigate
  - Identify risk
  - Snapshot of files within the first half hour of the investigation
  - Confer with CSIRT and the network manager
  - Response plan
  - Monitor and evaluate
  - Preliminary and final report to file with the agency and CSIRT
  - Preserve evidence
  - Post mortem; lessons learned

Security Breaches, cont.
- Notice may be delayed if a law enforcement agency determines that providing notice will impede a criminal investigation, has notified the AG in writing thereof, and informs the agency of that determination. Once the law enforcement agency informs the agency that notification no longer poses a risk, notification must be provided.
- The agency must cooperate with law enforcement in its investigation of the breach

Security Breaches, cont.
- Safe harbor: the Mass. ID Theft law does not preempt other state and federal laws regarding the protection and privacy of PI; however, a person who maintains procedures for responding to a breach pursuant to federal laws, rules, regulations, guidance or guidelines is in compliance with this chapter if they:
  - notify affected Mass. residents in accordance with the maintained or required procedures when a breach occurs, and
  - notify the AG and OCA as well.

Disposition and Destruction of Records, Section 17 of the Act
- Creates MGL ch. 93I
- Data must contain personal information =
  - [(first name + last name) or (first initial + last name)]
  - in combination with any one or more of the following: (a) SSN, (b) driver's license or Mass ID card number, (c) financial account number, or credit or debit card number, with or without any required security access code, personal ID number, or password that would permit account access, or (d) biometric indicator
  - Ex: JSmith plus SS#
  - Note that biometric indicators are NOT included in the security breach section of the law, and that the exception to the definition of PI in the security breach section for publicly available information is also NOT included here.

Disposition and Destruction, cont.
- Applies to agencies, broadly defined

Disposition and Destruction
- When disposing of records, each agency or person must at a minimum do the following:
  - Paper documents containing PI must be redacted, burned, pulverized or shredded so that the PI cannot practicably be read or reconstructed
  - Electronic media and other non-paper media containing PI must be destroyed or erased so that the PI cannot practicably be read or reconstructed
- What does "cannot be practicably read or reconstructed" mean? Does it mean not susceptible to the non-technologist? To the teenage hacker? To the forensic specialist?
  - See the new National Institute of Standards and Technology Standard Guidelines for Media Sanitization
  - ESB Media Sanitization Project

Disposition and Destruction, cont.
- An agency disposing of PI may contract with a third party to dispose of the PI according to this chapter.
  - The third party must implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of PI during the collection, transportation and disposal of the PI

Penalties
- Civil money penalties for violation of the sections of the act pertaining to security breaches and to the disposition and destruction of data

Identity Theft Bill: Agency CIO To-Do List
- Ensure all agency counsel are aware of the ID theft bill if your agency holds PI (Techlaw training for counsel in January '08)
- Review the regulations that will be adopted by OCA and SPR and analyze their impact on your agency
  - Determine whether federal laws to which your agency is subject preempt
  - Identify key players in the agency
- Identify and notify key players in your agency
- Adopt policies and procedures consistent with the law and the OCA/SPR regulations
- Monitor and enforce against employees, contractors and agents

Linda Hamel, General Counsel, ITD (617)