Agency Data Breach Responsibilities: MGL ch. 93H and Executive Order 504 Massachusetts Digital Government Summit October 20, 2008.

Summary
– MGL 93H (brief review)
– Executive Order 504

MGL 93H
– 93H: Security Breaches/Unauthorized Access (effective 10/31/07)
– Note 93I: Data destruction and disposition (not the subject of this presentation)

93H Applicability: A limited data set: "personal information"
Personal information (PI) =
– [(a resident's first name + last name) or (first initial and last name)]
– in combination with any 1 or more of the following: (a) SSN, (b) driver's license or Mass. ID card, or (c) financial account number, or credit or debit card number, with or without any required security access code, personal ID number, or password that would permit access to the account
– BUT NOT information lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Narrowly defined; no biometric identifiers included.
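The 93H definition above is the test an agency's data inventory has to apply to each record it holds. The following is an added example, not code from the presentation, that encodes that test as a classifier and runs it over a few constructed rows; the column names (first_name, last_name, ssn, drivers_license, state_id, financial_account, card_number, from_public_record) are assumptions chosen for the example. It covers the edge cases the slide calls out: a first initial counts as a first name, a card number is PI with or without a PIN, public-record data is carved out, and biometrics are not a listed element.

```python
"""Classify records against the MGL c. 93H "personal information" definition.

Added example for data-inventory / classification work; not code from the
presentation. Field names are assumed column names chosen for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Data elements that, combined with a resident's name, make a record PI under
# 93H: SSN, driver's license or Mass. ID card number, financial account or
# credit/debit card number (a PIN/password is NOT required for the card case).
PI_DATA_ELEMENTS = ("ssn", "drivers_license", "state_id",
                    "financial_account", "card_number")


@dataclass
class Classification:
    is_personal_information: bool
    reasons: list[str] = field(default_factory=list)


def _present(value) -> bool:
    return value is not None and str(value).strip() != ""


def classify_record(record: dict) -> Classification:
    """Return whether `record` meets the 93H PI definition, and why."""
    # Statutory carve-out: information lawfully obtained from publicly
    # available information or public government records is not PI.
    if record.get("from_public_record", False):
        return Classification(False, ["excluded: lawfully obtained from public records"])
    # Name element: (first name OR first initial) + last name. A first initial
    # is just a one-character first name, so any non-empty first name suffices.
    has_name = _present(record.get("first_name")) and _present(record.get("last_name"))
    if not has_name:
        return Classification(False, ["no resident name (first name/initial + last name)"])
    # Second element: any one or more of the listed identifiers. Unlisted data
    # (e.g. a biometric) does not count, however sensitive it is.
    elements = [k for k in PI_DATA_ELEMENTS if _present(record.get(k))]
    if not elements:
        return Classification(False, ["name only; no SSN, license/ID, or financial account element"])
    return Classification(True, [f"name + {e}" for e in elements])


def inventory(records: list[dict]) -> list[dict]:
    """Return the subset of `records` a data inventory must treat as 93H PI."""
    return [r for r in records if classify_record(r).is_personal_information]


# Constructed sample rows (not real data) illustrating each branch of the test.
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "J", "last_name": "Doe", "ssn": "000-00-0000"},          # initial + SSN -> PI
    {"id": 2, "first_name": "Jane", "last_name": "Doe"},                             # name alone -> not PI
    {"id": 3, "first_name": "Jane", "last_name": "Doe", "card_number": "4111000000000000"},  # card, no PIN -> PI
    {"id": 4, "last_name": "Doe", "ssn": "000-00-0000"},                              # no first name/initial -> not PI
    {"id": 5, "first_name": "Jane", "last_name": "Doe", "drivers_license": "S1",
     "from_public_record": True},                                                    # public-record carve-out -> not PI
    {"id": 6, "first_name": "Jane", "last_name": "Doe", "fingerprint_hash": "ab12"}, # biometric is not a listed element -> not PI
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        c = classify_record(r)
        print(r["id"], c.is_personal_information, "; ".join(c.reasons))
```

The `reasons` list is what makes the classifier useful operationally: when a triggering event occurs, the notice to the AG and OCA must state the number of residents affected, and knowing which element made each record PI is what lets an agency count those residents rather than every row in the table.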

93H Applicability: Private Sector plus Agencies
Agency broadly defined:
– any executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof

93H: Two Basic Rules
– Triggering Events Require Notice
– Agencies must Protect PI

Triggering Events, cont.
Two types of Triggering Events involving personal information (PI):
– Security breaches, OR
– PI acquired or used by an unauthorized person, or used for an unauthorized purpose

Triggering Events, cont.
First Type of Triggering Event: Breach of Security
– unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key
– capable of compromising the security, confidentiality or integrity of PI
– Note that the unauthorized acquisition or use doesn't have to be of the PI itself
– creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
Exception: Good faith but unauthorized acquisition of PI by an agency or its employees or agents for the lawful purposes of such person or agency is not a breach of security, unless the PI is used in an unauthorized manner or subject to further unauthorized disclosure.

Triggering Events, cont.
Second Type of Triggering Event: PI acquired or used by an unauthorized person, or used for an unauthorized purpose
– No further definition
– Unlike a security breach, must pertain to the PI itself, not just to data that may result in compromise of PI

Triggering Events, cont.
What form of notice do agencies have to provide when a triggering event occurs?
– Written, OR
– Electronic, if provided consistent with E-SIGN consumer protection provisions (for a pre-existing electronic relationship with the consumer; see 15 USC 7001(c)), OR
– "Substitute notice", if the agency required to provide notice demonstrates that:
  – cost of providing written notice > $250,000, or
  – affected class of Mass. residents to be notified > 500,000 residents, or
  – agency does not have sufficient contact information to provide notice

Triggering Events Require Notice
Substitute Notice: Agency must engage in ALL, not just one, of the following:
– Electronic mail notice, if agency has e-mail addresses for members of the affected class, AND
– Clear and conspicuous posting of the notice on the home page of the agency, if agency has a website, AND
– Publication in or broadcast through media or medium that provides notice throughout the commonwealth

Triggering Events Require Notice
Supervisor of Public Records must issue rules regarding reporting and investigating triggering events
– Status: rules have not yet been issued; SPR Bulletin to come
– But agencies are already subject to the rules regarding reporting and investigating included in the ITD Cybercrime and Security Incident Policy: go to www.mass.gov/itd, click on Policies and Standards, then click on Security

Triggering Events Require Notice
When do agencies have to provide notice of triggering events?
– When agency knows or should have known of triggering events:
– "As soon as practicable and without unreasonable delay"
Notice may be delayed if a law enforcement agency
– determines that provision of notice will impede a criminal investigation,
– has notified the AG in writing thereof, and
– informs the agency of such determination.
Once the law enforcement agency informs the agency that notification no longer poses a risk, notification must be provided.

Triggering Events Require Notice
To whom does the agency need to provide notice?
– Notice requirements differ depending on whether the agency
  – Maintains and stores data for an owner or licensor (1 notice)
  – Is the owner or licensor of the data (6 notices)

Triggering Events Require Notice
Agency that maintains or stores, but does not own or license, data that includes PI about state residents must provide notice to:
– Owner or licensor of the data

Triggering Events Require Notice
Agency that owns or licenses data that includes PI about a resident must provide notice to:
– AG
– OCA, which must provide notice to the agency of any relevant consumer reporting agency or state agency
– Resident
– Relevant Consumer Reporting Agency (see information on OCA sites)
– ITD (if Executive Department Agency)
– Supervisor of Public Records (if Executive Department Agency)

Triggering Events Require Notice
What content must agencies include in notice?
– Notice to owner or licensor of data: the triggering event (later, cooperate with the owner or licensor and inform them of the date of the triggering event and the nature thereof, and the steps the agency has taken or will take related to the incident)
– Notice to resident (see OCA website):
  – Consumer's right to obtain a police report
  – How to request a security freeze (OCA has posted online on its website a Consumer Advisory with specific information about how to contact the three consumer reporting agencies)
  – Fees required to be paid to consumer reporting agencies
  – But NOT the nature of the breach or unauthorized acquisition or use, or the number of residents of the commonwealth affected by it.

Triggering Events Require Notice
Notice to AG, OCA, consumer reporting agencies or other agencies must include:
– Nature of the triggering event
– Number of residents affected
– Steps the agency has taken or plans to take
Notice to ITD and SPR must include the nature and circumstances of the triggering event.

Triggering Events Require Notice
SPR must adopt rules regarding reporting and investigation of incidents
– Status: Not yet issued.

Protect PI
The Supervisor of Public Records, with the advice and consent of ITD insofar as ITD sets IT standards for the Executive Department, must establish rules or regs
– Applicable to executive offices and authorities, designed to safeguard PI; ensure PI security, confidentiality, integrity; protect against unauthorized access to or use of PI that could result in substantial harm or inconvenience to any resident of the Commonwealth.
– Status: Not yet issued.

Protect PI
Don't wait for the SPR Rules to start protecting your PI! Executive Department agencies are already subject to ITD standards and policies regarding data security and incident reporting. See the ITD website, under "Policies, Standards and Guidance" and "Security". Topics:
– Attack Intrusion Notification
– Cybercrime and Security Incidents
– Electronic Messaging Communications Security
– Information Security Policy
– Data Classification
– Public Access and E-Government Applications
– Remote Access
– Wireless
Also, agencies are already subject to EO 504.

Security Breaches, cont.
Conflict of Laws: The Mass. ID Theft law does not override other state and federal laws regarding protection and privacy of PI to which an agency is subject.
Safe Harbor: A person (not agency) who maintains procedures for responding to a breach pursuant to federal laws, rules, regs, guidance or guidelines is in compliance with this chapter if they
– notify affected Mass. residents in accordance with the maintained or required procedures when a breach occurs, and
– notify AG and OCA as well.
– Omission of agencies in the safe harbor language may be a drafting error

Penalties
Civil money penalties for violation of the sections of the act pertaining to security breaches

Executive Order 504

Executive Order (E.O.) 504
– Before E.O. 504
– Requirements
– What's new?
– Next Steps

Before EO 504
– ITD's Enabling Legislation enables ITD to set information technology standards for the Executive Department
– Executive Department budget language annually gives ITD authority over IT projects of $200,000 and over
– Enterprise Security Board (ESB) voluntarily created by ITD under the CIO's general authority in 2001
– With the advice of ESB, ITD has issued enterprise security policies addressing:
  – Attack intrusion notification
  – Cybercrime and security incidents
  – Electronic messaging communications security
  – Information security policy
  – Data classification
  – E-government apps public access policy and standards
  – Remote access
  – Wireless implementations

Before EO 504, cont.
Agencies subject to contractual security requirements. Examples:
– Payment Card Industry (PCI) Data Security Standards: certain data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit, or store cardholder data
– Social Security Administration Information Exchange Agreement: governs the transmission of data files received from and sent to the Social Security Administration

Before EO 504, cont.
Law breaks down along two lines:
– Privacy (rules about who gets to see sensitive data; broader than security). Examples:
  – HIPAA privacy rule
  – main sections of FIPA (Fair Information Practices Act, M.G.L. c. 66A); exemptions to the public records law
  – CORI
  Principles governing protection of privacy data: Notice; Purpose; Consent; Security; Disclosure; Access; and Accountability
– Security (rules about the physical, technical and administrative methods of limiting access; a means to effectuate privacy rules). Examples: HIPAA security rule; one section of FIPA; Internal Revenue Manual, Security of Confidential Information

Before EO 504, cont.
Executive Order 412:
– Review policies and practices regarding information related to individuals
– Determine the minimum quantity of personal information needed to collect, and reform policies and practices regarding dissemination and security
– Adopt a policy regarding employee expectations of privacy

Executive Order Summary
Revokes EO 412 (but reinstates many of its terms)
Doesn't change:
– Pre-existing contractual requirements imposed on the state
– Pre-existing security or privacy laws
Requirements imposed on:
– Executive Department Agencies (not Ex. Branch, Leg., Jud., or Authorities)
– ITD and the CIO
– Enterprise Security Board

Executive Department Agencies Must...
"Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of"
– Personal Information: as defined in the Security Freezes and Notification of Data Breaches Statute (G.L. c. 93H)
– Personal Data: as defined under FIPA
Personal Information (G.L. c. 93H):
– Resident's first name (or initial) and last name in combination with Social Security number; driver's license (or state issued ID) number; or financial account number
Personal Data under FIPA:
– Any information which, because of name, identifying number, mark or description, can be readily associated with a particular individual, except information that is contained within a public record (G.L. c. 4 § 7(26)).

Executive Department Agencies Must...
Develop, implement and maintain written information security programs that:
– Collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is being collected
– Securely store and protect against unauthorized access, destruction, use, modification, disclosure, or loss
– Disclose on a need-to-know basis
– Destroy information as soon as it is no longer needed or required to be maintained under state or federal law
– Address administrative, technical, and physical safeguards
– Comply with federal and state privacy and security laws and regs

Executive Department Agencies Must...
Develop and implement written information security programs that:
– Cover all personal information (not restricted to electronic information)
– Address electronic personal data in a subset of the Information Security Program (ISP) called an "electronic security plan" (ESP)
[Diagram: Personal Information; Information Security Program; Electronic Security Plan]

Executive Department Agencies Must...
Appoint an Information "Security" Officer (really a Security and Privacy Officer), who
– Reports directly to the agency head
– Signs the agency ISP and its ESP
– Coordinates the agency's compliance with E.O. 504, federal and state laws and regulations (presumably privacy and security), and ITD security standards and policies
Have the agency head certify all programs, plans, self-audits and reports
By September 2009, attend mandatory security training for
– all agency heads, managers, supervisors, employees (including contract employees)
– re: how to identify, maintain and safeguard records and data
Incorporate required contract language regarding security in all contracts entered post January ; breach constitutes breach of contract.
Fully cooperate with ITD, including ITD requests for information, in connection with ITD fulfillment of its responsibilities

ITD and the CIO: Authority and Oversight
CIO shall have the authority, re: Electronic Security Plans (ESPs) (NOT agencies' entire Information Security Program), to:
– Issue guidelines, standards, and policies about development, implementation and maintenance of ESPs
– Require that agencies submit ESPs to ITD for review
– Specify when agencies must submit supplemental or updated ESPs
– Establish and oversee periodic self-audit reporting requirements (but must require self-audit no less than annually). Self-audits against: ITD standards; ESPs; federal and state privacy and security laws [presumably only e-related]
– Conduct reviews to assess agency compliance
– Issue MGL 93H "report to ITD" policy
How is this authority enforced? With approval of ANF, determine remedial action for non-compliant agencies and impose terms and conditions on the agency's IT related expenditures and IT capital funding.

ITD and the CIO: Authority and Oversight, cont.
Procurement:
– Develop mandatory standards and procedures for agencies to follow before entering contracts that will allow third party access to
– Standards must require that measures be taken to
– Draft, with OSC and OSD, contract provisions including certification that the contractor has
  – Reviewed and will comply with information security programs, plans, guidelines, standards and policies
  – Communicate and enforce those provisions against their subcontractors
  – Implement any other reasonable and appropriate measures to protect personal information

Enterprise Security Board
Enterprise Security Board (ESB) has operated for 7 years solely at ITD's discretion
EO 504 gives legal footing to ESB:
– Acts as a "consultative body to advise the CIO"
– Advises the CIO in developing guidelines, standards and policies governing implementation of EO 504
CIO shall determine members and makeup of ESB, but membership shall be drawn from:
– State employees from the Executive Department
– Experience in IT, privacy, and security
– Representatives from the Judicial and Legislative Branches
– Other constitutional offices
– Quasi-public authorities

EO 504 Summary: What's New?
– Requirement for agency security officers (addressing both privacy and security) and written information security plans (including ESPs)
– Requirement for at least annual agency ESP self-audit, sent to ITD
– Additional ANF/ITD authority over agency IT spending based on agency compliance with ESP self-audit
– Less uncertainty regarding ESB survival in the future
– Focus on data destruction (also required under G.L. c. 93I)
– Agencies must give full cooperation, and information, to ITD

Linda Hamel, General Counsel, ITD, (617)
Acknowledgments to Stephanie Zierten, ITD Deputy General Counsel, for the EO 504 slides and graphics throughout