The Massachusetts Data Protection Regime
1. Presented for the Massachusetts Bar Association at The Massachusetts Data Privacy Conference, Sheraton Springfield Monarch Place Hotel, on Wednesday, January 27, 2010
Presented by Jared D. Correia, Esq., Law Practice Management Advisor, Law Office Management Assistance Program, 31 Milk Street, Suite 815, Boston, MA 02109
Email: jared@masslomap.org
Phone: (857) 383-3252
2. The Massachusetts Data Privacy Regime
o Response to High-Profile Data Breach Cases
o Late 2007: Massachusetts Becomes 39th State to Enact Data Breach Law
o EFFECTIVE DATE: March 1, 2010
o Laws and Regulation Implicated
  o MGL c. 93H: Security Breaches
  o MGL c. 93I: Disposition and Destruction of Records
  o 201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth
o Further Guidance
  o Office of Consumer Affairs and Business Regulation website
    o under “For Businesses”
    o under “Identity Theft”
3. ANY Business/Business Owner, INCLUDING Law Firms and Solo Attorneys
Person: “A Natural Person, Corporation, Association, Partnership or Other Legal Entity . . .” (MGL c. 93H, sec. 1)
INCLUDING Out-of-State Businesses IF Those Businesses Keep Massachusetts Resident Information
4. First Name/Last Name OR First Initial/Last Name
AND
Social Security Number
OR
Driver’s License/State-Issued Identification Card Number
OR
Financial Account Number
The Threshold Question: What Sort of Information Do You Keep?
Piecemeal Compliance versus Compliance In Toto
5. Regulations to Safeguard the Personal Information of Residents of the Commonwealth, in order to:
o insure the security and confidentiality of customer information in a manner fully consistent with industry standards;
o protect against anticipated threats or hazards to the security or integrity of such information;
o protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to the consumer.
6.
o WISP (Written Information Security Program)
o Control Over Electronic Information
  o Computer System Security Requirements
o Control Over Paper Files
o Totality of (Most of) the Circumstances
o Disposal
7. Think: Your Handbook for Compliance
Write It Down, Get It Right
Sources:
o Check One: 201 CMR 17.03
o Check Two: Resources at the OCABR Website
Some Important Considerations:
o Employee to Maintain and Supervise WISP Performance
o Review WISP Annually AND When Material Change
o Duty to Oversee Third Party Service Providers
8.
o To be Established and Maintained “To the Extent Technically Feasible”, per 201 CMR 17.04:
  o Control Over Users/Control Over Passwords (17.04, 1)
  o Secure Access Control Measures (17.04, 2)
  o Encryption of Data (17.04, 3 and 5)
    o Travelling Wirelessly OR Stored on Portable Electronic Devices
  o Protection of Systems (17.04, 4 and 6 and 7)
    o Firewall
    o Security Patches
    o System Security Agent Software
  o Staff Education/Training (17.04, 8)
    o Proper Use of Computer Security
    o Importance of Personal Information Security
9. The Threshold Question Is the Same: What Sort of Information Do You Keep?
Piecemeal Compliance versus Compliance In Toto
How To Comply
o Determine Reasonably Foreseeable Internal and External Risks to Files
o Store Paper Files in “Locked Facilities, Storage Areas or Containers”
o Restrict Access to Persons Who Must Access To Perform Job Functions
o Record Physical Safeguards in WISP
Whither Paper?
10. Requirement of Reasonable Efforts to Comply
o Compliance Judged in Light of/WISP Contains Safeguards Appropriate to:
  o Size, Scope and Type of Service Provided
  o Amount of Resources Available
  o Amount of Stored Data
  o Need for Security and Confidentiality of Both Consumer and Employee Information
11. This is Not JUST About How to Keep Data
This is ALSO About How to Get Rid of Data
Check MGL c. 93I for guidance
o Separate Standards for Disposal of (1) Electronic Media and (2) Paper Documents (MGL c. 93I, sec. 2)
o Options that Would Make Information UNREADABLE or UNRECONSTRUCTABLE
*Nota Bene
MGL c. 93I, sec. 1 ADDS a Fourth Category of Protected Information:
First Name/Last Name OR First Initial/Last Name
AND
a Biometric Indicator
12.
o Breach of Security
Unauthorized Acquisition/Use of
Unencrypted Data
OR
Encrypted Data PLUS Confidential Process or Key
THAT
Creates a Substantial Risk of Identity Theft or Fraud
13.
o Notification of Breach
  o When (to Send)
  o (To) Whom
  o What (to Include)
  o What (Kind)
14. WHEN (to Send)
Knowledge of Breach of Security
OR
Knowledge that Personal Information Acquired/Used by Unauthorized Person/for Unauthorized Purpose
“. . . as soon as practicable and without unreasonable delay . . .”
(MGL c. 93H, sec. 3)
15. (To) WHOM
Own/License:
o to Attorney General’s Office;
o to Director of OCABR;
o to Consumer Reporting Agencies Identified by OCABR; and,
o to Resident(s).
16. WHAT (to Include)
In Notice to Government:
o Nature of Breach;
o Number of Residents Affected; and,
o Steps Taken/To Be Taken to Respond to Incident.
In Notice to Resident:
o Right to Obtain Police Report;
o Process for Requesting Security Freeze; and,
o Any Fees Required to be Paid to Consumer Reporting Agencies.
BUT, DO NOT INCLUDE:
o Nature of Breach; or,
o Number of Residents Affected.
17. WHAT (Kind): Three Forms of Notice
o Written Notice;
o Electronic Notice (consistent with Sec. 7001 of Title 15 of the USCS, MGL c. 110G); or,
o Substitute Notice (IF cost of providing notice greater than $250,000 OR affected class greater than 500,000 OR insufficient contact information).
18. Violation of MGL c. 93H
o Enforcement via MGL c. 93A
o $5,000 Fine per Violation
o What is a “Violation”?
  o A Breach? A Breached Record? An Individual Resident Affected?
Violation of MGL c. 93I
o Not More Than $100 per Resident Affected
o Not to Exceed $50,000 for Each Instance of Improper Disposal
o What is an “Instance”?
  o A Record? A Device? A Series of Disposals?
19. Six Questions:
o What Information Do You Keep?
o Are You Careful About How You Keep/Send/Transport Data?
o Have You Created a WISP?
o Do You Limit Access to Your Data?
o Do You Oversee Your Employees and Third Party Providers?
o How Do You Dispose of Your Data?
Three Problems:
o Technology Regime Crafted by Lawyer-Legislators
o Lack of Specific Guidance
o Ad Hoc Decisionmaking
The REAL Question is: How Do You Comply, Technically (Feasible) Speaking?
20. Contact LOMAP:
Massachusetts Law Office Management Assistance Program, 31 Milk Street, Suite 815, Boston, MA 02109
Email: info@masslomap.org
Phone: (888) 54-LOMAP
Follow LOMAP:
Rodney S. Dowell, Esq.
Director
Jared D. Correia, Esq.
Law Practice Management Advisor
Web: www.masslomap.org
Blog: http://masslomap.blogspot.com
Twitter: www.twitter.com/rodneydowell
Twitter: www.twitter.com/jaredcorreia