Download presentation
Presentation is loading. Please wait.
Published byRandolph McCarthy Modified over 9 years ago
1
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 1
2
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 2 Massachusetts Data Security Regulations Teresa A. Belmonte, Esquire Hemenway & Barnes LLP 60 State Street Boston, MA 02109 (617) 227-7940 March 23, 2010
3
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 3 What Are They? Regulations enacted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) pursuant to M.G.L. ch. 93H Effective March 1, 2010
4
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 4 Overview of Requirements Every “person” who “owns or licenses” “personal information” of a Massachusetts resident must have a comprehensive written information security program (WISP) to protect personal information
5
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 5 Overview of Requirements ● Risk-based approach to what is required--not a one-size fits all requirement ● It depends on the size of your organization, financial resources available, and how much personal information your organization has
6
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 6 Personal Information ● A Massachusetts resident’s first name or first initial and last name together with one of the following: social security number, or driver’s license number or state issued identification number, or financial account number, or credit or debit card number
7
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 7 “Person” ● Defined as a natural person or any private legal entity
8
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 8 “Owns or Licenses” ● Stores, receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment
9
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 9 If your organization has employees who are Massachusetts residents, you have personal information, and you must comply with these regulations
10
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 10 How to Comply with 201 CMR 17 ● Determine what personal information you have and where it is located what form it is in--paper or electronic
11
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 11 How to Comply with 201 CMR 17 ● Determine what are the risks to the security of personal information what you can do to protect it ● Create and implement a WISP
12
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 12 What should your WISP contain? ● Designating one of your employees as a data security coordinator to maintain the WISP ● Requiring employee training ● Imposing disciplinary measures on employees for violations of your WISP
13
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 13 What should your WISP contain? ● Limiting access to personal information to those employees who need access to it
14
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 14 WISP Requirements ● Preventing terminated employees from accessing personal information ● Storing records containing personal information in locked facilities, storage areas, or containers
15
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 15 WISP Requirements ● Regular monitoring of the WISP to ensure compliance ● Imposing reasonable restrictions on access to records containing personal information ● Annually reviewing your WISP ● Reporting any suspicious or unauthorized use of personal information to the data security coordinator
16
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 16 WISP Requirements ● Documenting responsive actions taken in connection with a breach of security, including mandatory post-incident review of events and actions taken
17
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 17 What this means for paper documents containing personal information ● Don’t leave documents with personal information on your desk if you’re not there ● Place personal information in locked cabinets at the end of the day
18
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 18 What this means for paper documents containing personal information ● If discarding paper documents containing personal information, you must shred them--M.G.L. ch. 93I requires that ● Limit access to personal information
19
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 19 Computer System Requirements ● If you electronically store or transmit personal information, to the extent “technically feasible”, defined as “if there is a reasonable means through technology to accomplish a desired result,” you must ensure that your computer system
20
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 20 Computer System Requirements has reasonably up-to-date firewall protection, malware, patches and virus protection requires unique user IDs plus passwords, which are not vendor supplied default passwords
21
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 21 Computer System Requirements blocks access after multiple unsuccessful attempts to log in
22
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 22 Encryption Encryption means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”
23
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 23 Encryption ● To the extent “technically feasible”, you must encrypt all transmitted records and files containing personal information that travel across a public network or are transmitted wirelessly all personal information stored on laptops or other portable devices--such as a blackberry
24
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 24 Third Party Service Providers ● If you give personal information to any of your service providers, you must take reasonable steps to select third party service providers capable of maintaining personal information in accordance with 201 CMR 17
25
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 25 Third Party Service Providers contractually require third party service providers to maintain personal information in accordance with 201 CMR 17 –for all new contracts –for contracts entered into before March 1, 2010, you have until March 1, 2012 to amend those contracts to require that third party service providers comply with 201 CMR 17
26
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 26 Penalties for failing to comply with 201 CMR 17 ● Massachusetts Attorney General may bring an action under M.G.L. ch. 93A §4 civil penalties of up to $5,000 per violation reasonable cost of investigation and litigation
27
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 27 Penalties for failing to comply with 201 CMR 17 ● Under M.G.L. ch. 93I--which regulates destruction of records containing personal information, you could be fined $100 per data subject affected, up to $50,000 ● Possible common law claims and private right of action under Chapter 93A
28
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 28 Breach Notification Requirements Under M.G.L. ch. 93H, if someone in your organization knows or has reason to know of the unauthorized use or acquisition of personal information or data that is capable of compromising the security of personal information, you are required to notify, “as soon as practicable, and without unreasonable delay”
29
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 29 Breach Notification Requirements the person affected the AG the OCABR
30
© Copyright 2010 Hemenway & Barnes LLP H&B 641682 30 Massachusetts OCABR Website - www.mass.gov/consumer Contains helpful information to prepare a WISP a small business guide to formulating a WISP FAQs about 201 CMR 17 201 CMR 17 Compliance Checklist the regulations themselves
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.