© Copyright 2010 Hemenway & Barnes LLP H&B 641682 1.

Slides:



Advertisements
Similar presentations
Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.
Advertisements

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA Regulations What do you need to know?.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
Springfield Technical Community College Security Awareness Training.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
Information Privacy and Compliance Training For All Brigham Young University– Idaho Employees.
SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
An Act Relative to Security Freezes and Notification of Data Breaches Chapter 82 of the Acts of 2007 Massachusetts Digital Government Summit Securing Private.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Why Comply with PCI Security Standards?
HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)
NEGASC NEW ENGLAND GRADUATE ACCOUNTING STUDY CONFERENCE 2014.
New Data Regulation Law 201 CMR TJX Video.
1 1 MA201 CMR John Hally January 2012 GIAC GSEC, GCIA, GCIH, GCFA, GCWN, GPEN.
Protecting Sensitive Information PA Turnpike Commission.
1Copyright Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.
April 23, Massachusetts’ New Data Security Regulations: Ten Steps To Compliance Amy Crafts
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP 1.
Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.
HIPAA PRIVACY AND SECURITY AWARENESS.
PCI COMPLIANCE Compliance is mandatory for all organizations that accept credit cards.
LAW SEMINARS INTERNATIONAL CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s.
Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Florida Information Protection Act of 2014 (FIPA).
© 2011 Foley Hoag LLP. All Rights Reserved. 1 What Law Applies In “the Cloud”? And how far into the Cloud does Massachusetts law extend? A CloudCamp Boston.
February 16, Massachusetts’ New Data Security Regulations And Their Impact On Businesses Amy Crafts February 16, 2009.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
What are the rules? Information technology is available to every student, faculty and staff member in support of the essential mission of the University.
AICP New England 13 th Annual Education Day PRIVACY Jenny Erickson Vice President, Legislative and Regulatory Affairs The Life Insurance Association of.
SPH Information Security Update September 10, 2010.
Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.
HealthBridge is one of the nation’s largest and most successful health information exchange organizations. Tri-State REC: Privacy and Security Issues for.
HIPAA Health Insurance Portability and Accountability Act of 1996.
ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.
A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.
1Copyright Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty.
Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.
Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.
Safeguarding Sensitive Information. Agenda Overview Why are we here? Roles and responsibilities Information Security Guidelines Our Obligation Has This.
CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)
Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.
Nassau Association of School Technologists
Payment Card Industry (PCI) Rules and Standards
Best Practices for Data Security and Protecting Personal Information
Protection of CONSUMER information
What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.
Florida Information Protection Act of 2014 (FIPA)
Data Security Policies
Florida Information Protection Act of 2014 (FIPA)
Chapter 3: IRS and FTC Data Security Rules
Move this to online module slides 11-56
Red Flags Rule An Introduction County College of Morris
Alabama Data Breach Notification Act: What 911 Districts Need to Know
HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.
Move this to online module slides 11-56
Colorado “Protections For Consumer Data Privacy” Law
Presentation transcript:

© Copyright 2010 Hemenway & Barnes LLP H&B

© Copyright 2010 Hemenway & Barnes LLP H&B Massachusetts Data Security Regulations Teresa A. Belmonte, Esquire Hemenway & Barnes LLP 60 State Street Boston, MA (617) March 23, 2010

© Copyright 2010 Hemenway & Barnes LLP H&B What Are They?  Regulations enacted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) pursuant to M.G.L. ch. 93H  Effective March 1, 2010

© Copyright 2010 Hemenway & Barnes LLP H&B Overview of Requirements  Every “person” who “owns or licenses” “personal information” of a Massachusetts resident must have a comprehensive written information security program (WISP) to protect personal information

© Copyright 2010 Hemenway & Barnes LLP H&B Overview of Requirements ● Risk-based approach to what is required--not a one-size fits all requirement ● It depends on the size of your organization, financial resources available, and how much personal information your organization has

© Copyright 2010 Hemenway & Barnes LLP H&B Personal Information ● A Massachusetts resident’s first name or first initial and last name together with one of the following: social security number, or driver’s license number or state issued identification number, or financial account number, or credit or debit card number

© Copyright 2010 Hemenway & Barnes LLP H&B “Person” ● Defined as a natural person or any private legal entity

© Copyright 2010 Hemenway & Barnes LLP H&B “Owns or Licenses” ● Stores, receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment

© Copyright 2010 Hemenway & Barnes LLP H&B If your organization has employees who are Massachusetts residents, you have personal information, and you must comply with these regulations

© Copyright 2010 Hemenway & Barnes LLP H&B How to Comply with 201 CMR 17 ● Determine what personal information you have and where it is located what form it is in--paper or electronic

© Copyright 2010 Hemenway & Barnes LLP H&B How to Comply with 201 CMR 17 ● Determine what are the risks to the security of personal information what you can do to protect it ● Create and implement a WISP

© Copyright 2010 Hemenway & Barnes LLP H&B What should your WISP contain? ● Designating one of your employees as a data security coordinator to maintain the WISP ● Requiring employee training ● Imposing disciplinary measures on employees for violations of your WISP

© Copyright 2010 Hemenway & Barnes LLP H&B What should your WISP contain? ● Limiting access to personal information to those employees who need access to it

© Copyright 2010 Hemenway & Barnes LLP H&B WISP Requirements ● Preventing terminated employees from accessing personal information ● Storing records containing personal information in locked facilities, storage areas, or containers

© Copyright 2010 Hemenway & Barnes LLP H&B WISP Requirements ● Regular monitoring of the WISP to ensure compliance ● Imposing reasonable restrictions on access to records containing personal information ● Annually reviewing your WISP ● Reporting any suspicious or unauthorized use of personal information to the data security coordinator

© Copyright 2010 Hemenway & Barnes LLP H&B WISP Requirements ● Documenting responsive actions taken in connection with a breach of security, including mandatory post-incident review of events and actions taken

© Copyright 2010 Hemenway & Barnes LLP H&B What this means for paper documents containing personal information ● Don’t leave documents with personal information on your desk if you’re not there ● Place personal information in locked cabinets at the end of the day

© Copyright 2010 Hemenway & Barnes LLP H&B What this means for paper documents containing personal information ● If discarding paper documents containing personal information, you must shred them--M.G.L. ch. 93I requires that ● Limit access to personal information

© Copyright 2010 Hemenway & Barnes LLP H&B Computer System Requirements ● If you electronically store or transmit personal information, to the extent “technically feasible”, defined as “if there is a reasonable means through technology to accomplish a desired result,” you must ensure that your computer system

© Copyright 2010 Hemenway & Barnes LLP H&B Computer System Requirements has reasonably up-to-date firewall protection, malware, patches and virus protection requires unique user IDs plus passwords, which are not vendor supplied default passwords

© Copyright 2010 Hemenway & Barnes LLP H&B Computer System Requirements blocks access after multiple unsuccessful attempts to log in

© Copyright 2010 Hemenway & Barnes LLP H&B Encryption Encryption means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”

© Copyright 2010 Hemenway & Barnes LLP H&B Encryption ● To the extent “technically feasible”, you must encrypt all transmitted records and files containing personal information that travel across a public network or are transmitted wirelessly all personal information stored on laptops or other portable devices--such as a blackberry

© Copyright 2010 Hemenway & Barnes LLP H&B Third Party Service Providers ● If you give personal information to any of your service providers, you must take reasonable steps to select third party service providers capable of maintaining personal information in accordance with 201 CMR 17

© Copyright 2010 Hemenway & Barnes LLP H&B Third Party Service Providers contractually require third party service providers to maintain personal information in accordance with 201 CMR 17 –for all new contracts –for contracts entered into before March 1, 2010, you have until March 1, 2012 to amend those contracts to require that third party service providers comply with 201 CMR 17

© Copyright 2010 Hemenway & Barnes LLP H&B Penalties for failing to comply with 201 CMR 17 ● Massachusetts Attorney General may bring an action under M.G.L. ch. 93A §4 civil penalties of up to $5,000 per violation reasonable cost of investigation and litigation

© Copyright 2010 Hemenway & Barnes LLP H&B Penalties for failing to comply with 201 CMR 17 ● Under M.G.L. ch. 93I--which regulates destruction of records containing personal information, you could be fined $100 per data subject affected, up to $50,000 ● Possible common law claims and private right of action under Chapter 93A

© Copyright 2010 Hemenway & Barnes LLP H&B Breach Notification Requirements Under M.G.L. ch. 93H, if someone in your organization knows or has reason to know of the unauthorized use or acquisition of personal information or data that is capable of compromising the security of personal information, you are required to notify, “as soon as practicable, and without unreasonable delay”

© Copyright 2010 Hemenway & Barnes LLP H&B Breach Notification Requirements the person affected the AG the OCABR

© Copyright 2010 Hemenway & Barnes LLP H&B Massachusetts OCABR Website - Contains helpful information to prepare a WISP a small business guide to formulating a WISP FAQs about 201 CMR CMR 17 Compliance Checklist the regulations themselves

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.