April 23, 2010 Massachusetts’ New Data Security Regulations: Ten Steps To Compliance Amy Crafts 617.526.9658.
1. Determine Whether You Own Or License Personal Information And Where It Is Located

The regulations apply to all persons – including natural persons, corporations, associations, partnerships or other legal entities – that own or license personal information of MA residents. Personal information is defined by the regulations as a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following information:
- the resident’s Social Security number;
- the resident’s driver’s license number or state-issued identification card number; or
- the resident’s financial account number, or credit or debit card number.
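Step 1 asks a business to find out where it holds regulated data. The script below is an added example, not part of the presentation, that applies the definition just given to stored records: a record counts only when a qualifying name (first and last, or first initial and last) is paired with at least one of the three identifier types. The identifier formats (SSN as ###-##-####, a state ID as a letter plus 7–9 digits, a Luhn-valid 13–19 digit card number) and the sample records are assumptions constructed for illustration; the regulation names the data elements, not their formats.

```python
"""Added example, not from the presentation: flag records that meet the
regulation's definition of personal information (a resident's name paired with
an SSN, a driver's license or state ID number, or a financial/card number), so
an inventory can show where such data lives. The identifier formats are
assumptions for illustration; the regulation names the data elements, not
their formats."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed license / state ID shape: one letter followed by 7-9 digits.
STATE_ID_RE = re.compile(r"\b[A-Z]\d{7,9}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Full first and last name, or first initial and last name, per the definition.
NAME_RE = re.compile(r"^(?:[A-Z][a-z]+|[A-Z]\.?) [A-Z][a-z]+$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid treating arbitrary digit runs as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    location: str
    name: str
    identifiers: List[str] = field(default_factory=list)


def classify(location: str, name: str, contents: str) -> Optional[Finding]:
    """Return a Finding when the record pairs a qualifying name with at least one
    regulated identifier. A name alone, or an identifier without a name, is not
    personal information under the definition."""
    if not NAME_RE.match(name.strip()):
        return None
    ids = []
    if SSN_RE.search(contents):
        ids.append("ssn")
    if STATE_ID_RE.search(contents):
        ids.append("state_id")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(contents)):
        ids.append("card")
    return Finding(location, name.strip(), ids) if ids else None


def inventory(records: Dict[str, tuple]) -> List[Finding]:
    """records maps a storage location to (name, free-text contents)."""
    found = []
    for location, (name, contents) in records.items():
        f = classify(location, name, contents)
        if f:
            found.append(f)
    return found


# Constructed sample records (not real data).
SAMPLE = {
    "hr/payroll.csv": ("Jane Doe", "SSN 123-45-6789, pay grade 7"),
    "sales/orders.txt": ("J. Smith", "card 4111 1111 1111 1111 exp 12/26"),
    "marketing/list.csv": ("Bob Jones", "subscribed 2010-03-01, zip 02108"),
    "it/tickets.txt": ("", "caller gave SSN 987-65-4321 over the phone"),
}

if __name__ == "__main__":
    for f in inventory(SAMPLE):
        print(f"{f.location}: {f.name} -> {', '.join(f.identifiers)}")
```

Running it reports the payroll and order records and skips the marketing list (name without identifier) and the ticket (identifier without a name); the locations it prints are the places the WISP's safeguards must cover.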

2. Develop A Written Information Security Program (WISP)

Massachusetts requires that all covered entities develop, implement and maintain a comprehensive WISP. The WISP must be risk-based, and must contain administrative, technical and physical safeguards that are appropriate to:
- the size, scope and type of business;
- the amount of resources available to the business;
- the amount of stored data; and
- the need for security and confidentiality of both consumer and employee information.

3. Designate Employee(s) Responsible For Implementing And Maintaining The WISP

Responsibilities should include:
- Regular monitoring to ensure that the WISP is operating in a manner intended to prevent unauthorized access to or use of personal information.
- Upgrading information safeguards as necessary to decrease risk.
- Reviewing the scope of security measures at least annually, or whenever there is a material change in business practice that may implicate the security or integrity of personal information.
- Following a security breach, conducting and documenting a post-incident review of events and actions taken.

4. Identify And Assess Reasonably Foreseeable Internal And External Risks To The Security And Integrity Of Personal Information

Efforts should include:
- Ongoing employee (including temporary and contract employee) training on the proper use of the computer security system and the importance of personal information security.
- Employee compliance with policies and procedures, and imposition of disciplinary measures for noncompliance.
- Means for detecting and preventing security system failures.

5. Identify Paper Records That Contain Personal Information
- Restrict access only to those employees who need the information to perform their employment responsibilities.
- Require that terminated employees return copies of any documents containing personal information.
- Store the records in locked facilities, storage areas or containers.
- Develop a security policy for the storage, access and transportation of such records outside of business premises.

6. Implement Secure User IDs/Passwords And Access Control Measures
- Develop a secure method of assigning passwords, preferably unique identification-plus-password, and consider using identifier technologies, such as biometrics or token devices.
- Ensure that user IDs and passwords are kept in a locked or encrypted file.
- Block access after multiple unsuccessful attempts to gain access.
- Restrict access to active users and active user accounts, and to those who need such information to perform their job duties.
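Two of the step 6 measures, blocking access after repeated failed attempts and restricting access to active accounts, can be expressed as a small login gate. The code below is an added example, not from the presentation; the thresholds (three failures in a ten-minute window, a fifteen-minute block) and the in-memory bookkeeping are assumptions chosen for illustration, and a real deployment would keep this state in the identity system and log every `locked` and `inactive` outcome for the monitoring that step 3 requires.

```python
"""Added example, not from the presentation: an access-control check that
implements two of the step 6 measures, blocking an account after repeated
failed login attempts and refusing access for accounts that are not active.
Thresholds and the in-memory state are assumptions for illustration."""
from collections import deque
from typing import Deque, Dict, List, Set


class AccessPolicy:
    def __init__(self, max_failures: int = 5, window_s: int = 900, lock_s: int = 1800):
        self.max_failures = max_failures   # failures inside the window that trigger a lock
        self.window_s = window_s           # sliding window for counting failures
        self.lock_s = lock_s               # how long an account stays blocked
        self.active: Set[str] = set()
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def activate(self, user: str) -> None:
        self.active.add(user)

    def deactivate(self, user: str) -> None:
        """Terminated or dormant accounts lose access regardless of credentials."""
        self.active.discard(user)

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Evaluate one login attempt at time `now` (seconds) and return
        'inactive', 'locked', 'denied' or 'allowed'."""
        if user not in self.active:
            return "inactive"
        if self.is_locked(user, now):
            return "locked"            # even a correct password is refused
        if credential_ok:
            self._failures.pop(user, None)
            return "allowed"
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and q[0] < now - self.window_s:
            q.popleft()                # forget failures outside the window
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lock_s
            q.clear()
            return "locked"
        return "denied"


def simulate() -> List[str]:
    """Constructed sequence of attempts showing each outcome."""
    p = AccessPolicy(max_failures=3, window_s=600, lock_s=900)
    p.activate("alice")
    p.activate("bob")
    p.deactivate("bob")              # e.g. bob has left the company
    return [
        p.attempt("alice", False, 0),     # denied
        p.attempt("alice", False, 10),    # denied
        p.attempt("alice", False, 20),    # locked: third failure within window
        p.attempt("alice", True, 30),     # locked: lock lasts until t=920
        p.attempt("alice", True, 1000),   # allowed: lock expired
        p.attempt("bob", True, 0),        # inactive: correct password, disabled account
    ]


if __name__ == "__main__":
    print(simulate())
```

The sliding window matters: counting failures over the account's lifetime would eventually lock out every legitimate user who mistypes occasionally, while counting only consecutive failures would miss slow, spaced-out guessing.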

7. Ensure Security Of Computer Systems
- Requires reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of personal information.
- Requires reasonably up-to-date versions of system security agent software, including malware protection, patches and virus definitions.

8. Encrypt Electronic Files, To The Extent “Technically Feasible”
- All transmitted files containing personal information that will travel across public networks (i.e. the Internet), and all data that will be transmitted wirelessly, should be encrypted.
- All personal information stored on laptops or other portable devices should be encrypted.

9. Oversee Third-Party Service Providers
- Take reasonable steps to select and retain third-party service providers that are capable of maintaining security measures to protect personal information.
- Require third-party service providers by contract to implement and maintain appropriate security measures for personal information, with a carve-out: contracts in existence prior to March 1, 2010 do not have to contain such a representation until March 1, 2012.

10. When Discarded, Completely Destroy Paper And Electronic Documents

Paper documents must be either:
- Redacted
- Burned
- Pulverized
- Shredded

Electronic documents and other non-paper media must be either:
- Destroyed
- Erased

What Are The Penalties For Non-Compliance With The Regulations?

Massachusetts provides for civil penalties in cases of non-compliance, pursuant to its consumer protection statute, M.G.L. 93A. A civil penalty of $5,000 may be awarded for each deceptive act or practice, in addition to injunctive relief and attorneys’ fees.

What Does All Of This Mean?

Let’s discuss some hypothetical or frequently asked questions.

How Do I Store And Destroy Old Tapes/CDs?

Old tapes and CDs (which are portable devices) should be encrypted, or at least stored in a locked file or room. Destruction must completely erase the content of the tapes and CDs.
- Be careful: after data is erased, residue may remain which could lead to inadvertent disclosure.
- Overwriting the stored data is a popular low-cost option (also called “wiping” or “shredding”).
- Work with your IT staff to ensure the tapes and CDs have been completely erased.
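The overwriting option above is worth seeing concretely, because "delete" on most systems only unlinks a name and leaves the bytes in place. The script below is an added example, not from the presentation: it overwrites a file's contents in place with random data, syncs each pass to disk, and reads the file back to confirm the original content is gone before unlinking it. It works at the file level only; copies in backups, filesystem journals or flash wear-levelling blocks are exactly the residue the slide warns about, and media-level tools or physical destruction are needed for those. The sample content and the three-pass count are constructed assumptions.

```python
"""Added example, not from the presentation: overwrite a file's bytes in place
before deleting it, and read the file back after the overwrite to confirm the
original content is gone. This is the file-level "wiping" option; it does not
reach copies elsewhere (backups, journals, flash wear-levelling), which is the
residue the slide warns about."""
import os
import secrets
import tempfile
from typing import Dict


def overwrite(path: str, passes: int = 3, chunk: int = 1 << 20) -> bytes:
    """Overwrite every byte of the file `passes` times with random data, syncing
    each pass to disk, and return the bytes now on disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        return f.read()


def wipe_file(path: str, passes: int = 3) -> None:
    """Overwrite, then unlink: the order matters, since unlinking first would
    leave the data blocks intact for later recovery."""
    overwrite(path, passes)
    os.remove(path)


def demo(pii: bytes, marker: bytes) -> Dict[str, bool]:
    """Write constructed personal information to a temp file, wipe it, and report
    what a reader would find at each stage."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(pii)
    with open(path, "rb") as f:
        before = f.read()
    after = overwrite(path)
    size_kept = os.path.getsize(path) == len(pii)
    os.remove(path)
    return {
        "marker_before": marker in before,
        "marker_after": marker in after,
        "size_preserved": size_kept,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo(b"Jane Doe, SSN 123-45-6789\n", b"123-45-6789"))
```

`wipe_file` is the call a cleanup job would use; `demo` splits the steps apart only so the file can be inspected between the overwrite and the unlink.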

How Should Businesses Protect Emails Containing Personal Information?

If technically feasible, emails should be encrypted. If not technically feasible, implement best practices by not sending personal information via email.
- There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards, including username and password, to conduct transactions involving personal information.

Is There A Maximum Period Of Time To Keep Records Containing Personal Information?

As good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected, and limit the time such information is retained to that reasonably necessary to accomplish such purpose. Access should be limited to those persons who are reasonably required to know such information.

How Much Employee Training Is Required?

The regulations do not articulate what specifically is required. We suggest that you:
- Provide enough training to ensure that employees who will have access to personal information know what their obligations are regarding the protection of that information.
- Train both temporary and permanent employees.
- Convey to your employees that data security is taken seriously by your business.
- Require trained employees to sign an acknowledgement of training.

What Is The Extent Of The Monitoring Obligation?

It depends on the nature of your business, your business practices, and the amount of personal information you own or license. It also depends on the form in which the information is kept and stored. In the end, the monitoring you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

What If I Use Laptops?

Assess whether your laptop(s) contain personal information. If they do, consider encryption.
- The regulations make clear that, to be encrypted, data must be altered into an unreadable form: encryption must bring about a “transformation of data into a form in which meaning cannot be assigned.”
- Password protection is not enough.

What Should You Do Now?
- Develop a plan to work towards compliance.
- Evaluate the protection mechanisms you have in place, and determine how they must be revised.
- Talk to your colleagues – lawyers, IT, etc. – to determine what makes sense for your business.
