AICP New England 13 th Annual Education Day PRIVACY Jenny Erickson Vice President, Legislative and Regulatory Affairs The Life Insurance Association of Massachusetts

Massachusetts General Laws Chapter 93H Security Breaches Approved by the Governor, August 2, 2007

Ch. 93H, Section 2(a) The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated. The objectives of the regulations shall be to: insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The regulations shall take into account the person’s size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information.


Standards for the Protection of Personal Information of Residents of the Commonwealth 201 CMR 17

Office of Consumer Affairs and Business Regulation Daniel C. Crane, Undersecretary

Timeline
OCABR Public Hearing – 1/11/08
OCABR Final Regulation – 9/08
OCABR Compliance Time Extension – 11/08
Joint Committee on Consumer Protection Informational Hearing – 11/08
OCABR Emergency Regulation Hearing – 1/16/2009
OCABR Final Regulation, as amended – 2/2009

Concerns Raised by
Businesses of all types and sizes
Educational Institutions
Non Profits
Internet Security Experts

Major Issues
Inconsistent with Federal Rules
Encryption
Inventory
3rd Party Certification
Compliance Time

Encryption
The final regulation contains a more flexible definition of encryption, but it still requires encryption even where other methods of securing the data may work just as well or better.

Inventory
The final regulation changed the requirement from "inventorying" records to "identifying" records, and adds a provision that identification is not required if all records are handled as though they contain personal information.

3rd Party Certification
Original text: "Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and (ii) contractually requiring service providers to maintain such safeguards. Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations."

CHANGED TO: "Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17."

Compliance Time
The final regulation requires compliance by January 1, 2010.

BUT …
Pending legislation would amend 93H
Insurers would be deemed in compliance
New Head of OCABR
Will she rethink the regulation?

S. 173 (Morrissey)
The department of consumer affairs and business regulation [shall – struck] may adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated. The objectives of the regulations shall be to: insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

S. 173 (Morrissey), continued
The regulations shall take into account the person's size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. Notwithstanding the rules adopted by the department pursuant to the provisions above, said department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses' unique situation and resources. Any person who is required to comply with federal laws, rules, regulations, guidance or guidelines safeguarding personal information is deemed to be in compliance with this chapter.

New Undersecretary of the Office of Consumer Affairs and Business Regulation
Barbara Anthony
Former Northeast Regional Director, Federal Trade Commission
Former Chief of Public Protection Bureau, Massachusetts Attorney General's Office

Conclusion
We will continue to push for changes with the Massachusetts legislature and the OCABR. The outcome is uncertain, so proceed with your compliance plan. The deadline is 1/1/10.