6. Who Cares? Consequences for non-compliance: AT LEAST: Increased risk of government enforcement or private litigation 93H § 6 incorporates 93A, § 4 93A, § 4 $5,000 per occurrence Attorneys fees Cost of Investigation/Enforcement AT WORST: Enforcement PLUS Bad PR then Compliance and oversight
7. Enforcement Litigation and enforcement by the Massachusetts Attorney General Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers Attorney General likely to investigate based on breach reports No explicit private right of action or penalties
9. Scope of Rules Covers ALL PERSONS that own or license personal information about a Massachusetts resident Need not have operations in Massachusetts Financial institutions, health care and other regulated entities not exempt
10. Scope of Rules “Personal information” Resident’s first and last name or first initial and last name in combination with SSN Driver’s license or State ID, or Financial account number or credit/debit card that would permit access to a financial account
11. Three Requirements 1.Develop, implement, maintain and maintain a comprehensive, written information security program that meets very specific requirements (cWISP) 2.Heightened information security meeting specific computer information security requirements 3.Vendor Compliance (Phase-in)
12. Evaluating Compliance(not Evaluating Applicability) Appropriate Size of business Scope of business Type of business Resources available Amount of data stored Need for security and confidentiality Consumer and employee information
13. Evaluating Compliance(not Evaluating Applicability) “The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”
15. Information SecurityProgram “[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards” Sample cWISP
16. Comprehensive Information Security Program (a) Designate an employee to maintain the WISP. (b) Identify and assess reasonably foreseeable risks (Internal and external). (c) Develop security policies for keeping, accessing and transporting records. (d) Impose disciplinary measures for violations of the program. (e) Prevent access by terminated employees. (f) Oversee service providers and contractually ensure compliance. (g) Restrict physical access to records. (h) Monitor security practices to ensure effectiveness and make changes if warranted. (i) Review the program at least annually. (j) Document responsive actions to breaches. Sample cWISP
17. Comprehensive Information Security Program Third Party Compliance 1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and 2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information Sample cWISP
18. Comprehensive Information Security Program Third Party Compliance Contracts entered “no later than” March 1, 2010: Two – year phase-in. Contracts entered into “later than” March 1, 2010: Immediate compliance. Sample cWISP
163. Breach Reporting Breach of security – “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
164. Breach Reporting Possessor must give notice of Breach of Security Unauthorized Use or Acquisition To Owner/Licensor of Information Owner/Licensor must give notice of Breach of Security Unauthorized Use or Acquisition To – Attorney General Office of Consumer Affairs Resident
165. Breach Reporting “The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: the nature of the breach of security or the unauthorized acquisition or use; the number of Massachusetts residents affected by such incident at the time of notification; and any steps the person or agency has taken or plans to take relating to the incident.”
169. Data Destruction (93I) Paper documents/ electronic Media: Redact, Burn, Pulverize, Shred So that Personal Information cannot be read or reconstructed
