3. Massachusetts Data Security Law
• M.G.L. 93H
• 201 CMR 17
• Personal Information
– First name or first initial and last name
AND
1. Government Issued I.D. OR
2. Financial Account Number OR
3. Social Security Number
4. Massachusetts Requirements
• Written Policy
– F9.2 Information Security Policy
• Safeguards
– Administrative
– Physical
– Technical
• Oversight
– Chief Information Officer
5. Massachusetts Requirements
• Identify records with personal information
• Routinely evaluate our safeguards
• Regular employee training
• Contractual assurances
• Share information on a need to know basis
• Document a breach
– Notify Office of the General Counsel
6. Identity Theft
• Federal Trade Commission
– Fair and Accurate Credit Transaction Act
– Red Flag Rules
– 16 C.F.R. 681
• College is a “creditor” with “covered accounts”
– Perkins Loan Program
– Deferred tuition payments
– Invoices to students
7. Identity Theft
• Identity Theft: when a person commits or attempts to commit a fraud using someone’s identity.
• Identity Theft Prevention Program
– College written document available online, or
– Request copy from the Office of the General Counsel
10. Technical Safeguards
• Antivirus
• Central File Share
– Required for confidential and internal use only information
• Virtual Private Network (VPN)
• Identity Finder
– Delete (shred to DOD standards)
– Encrypt
• TrueCrypt for Laptops
11. Technical Safeguards
• Passwords
– Minimum length of 8 characters
– At least 4 letters
• Uppercase and lowercase
– Mixture of letters, numbers, and other characters
• Alphanumeric and non-alphanumeric
– Cannot use your account name
– Cannot use your last 6 passwords
– Change them at least every 180 days
This presentation will discuss the College’s policies and protocols concerning information security and explain the state and federal requirements that apply to data security and identity theft.
Let’s start with the Massachusetts Data Security Law. The Data Security Law is part of the state consumer protection laws and is codified at Chapter 93H of the General Laws. The corresponding regulations are found at title 201, section 17. This law protects personal information, which the law defines as a person’s first name or initial and their last name in combination with either a government-issued identification (like a driver’s license or passport), a financial account number (like a bank account), or their social security number. The law applies to both electronic and paper records. While this presentation will focus more on electronic records and technology, it is important to understand that this law applies equally to a computer file and a physical document.
The law has many requirements that we as employees need to be aware of. The law requires that you have a written security policy. Our written security policy can be found in our online policy manual. It is policy F9.2 and is entitled Information Security Policy. It is important for employees to be familiar with this policy. The College complies with the law by maintaining administrative, physical, and technical safeguards for protecting personal information. Administrative safeguards mean we have policies and procedures in place. Physical safeguards mean we use reasonable means to limit physical access, for example locks on doors and file cabinets. Technical safeguards mean that we manage our electronic information using reasonable and sound information technology practices; we’ll talk a little more about technical safeguards later in the presentation. The law also requires that we designate someone to oversee this process. The College has designated our Chief Information Officer, who works closely with the Office of the General Counsel to ensure compliance.
Another important requirement of the law is that we need to identify the records we have that contain personal information. It is important that we are aware of potential security risks and that we routinely evaluate the safeguards we have in place as an individual employee, a department, a division, and as an institution. Regular employee training, like this presentation, is an important part of this process. Protecting personal information is an important part of all of our jobs and it’s a requirement that the College takes seriously. Like other Massachusetts colleges, we have included disciplinary measures within our policies. A violation of the College’s Information Security Policy can result in disciplinary action up to and including termination. For those employees and departments that routinely deal with contracts, the law also requires that we maintain appropriate oversight of our data and ensure that outside vendors that work with our data provide contractual assurances that they can comply with the legal requirements of the Data Security Law. In general, it is a good idea to limit the information you provide to people, even your colleagues in other departments. Information should of course be shared, but we should all be thinking about what information is necessary and avoid sharing more information than is needed. Information should only be shared when it relates to the operations of the College and then only with colleagues that have a legitimate need for the information. If you believe personal information has been compromised, it is very important that we document any breach or potential breach. You should inform your supervisor or your division’s Information Custodian if you suspect a breach.
Your supervisor or Information Custodian will then notify the Office of the General Counsel to ensure that we properly notify the state and the people who may be impacted by the breach. It is important to note that while the Massachusetts law only applies to Massachusetts residents, our policy applies to all people regardless of their residency. For example, even if the breach only involved alumni from New York or prospective students from Vermont, you should report the breach immediately. The law requires that every employee must be trained on these requirements, so thank you for actively listening to this presentation!
Now let’s talk a little about identity theft. The Federal Trade Commission, as part of the Fair and Accurate Credit Transaction Act, has issued the Red Flag Rules. These rules require financial institutions and creditors with covered accounts to have an identity theft program. You might be wondering how that applies to colleges. It applies to colleges because the way the law defines a creditor and a covered account is very broad, and because it is broad, most colleges in the country are impacted by the law. For example, we participate in the Federal Perkins Loan Program, so the law is triggered for us in that respect. We offer deferred tuition payments, which is another reason that the law applies to us, and we also provide invoices for certain transactions with our students.
The Red Flag Rules are identity theft rules. Identity theft is when a person commits or attempts to commit a fraud using someone’s identity. As a covered institution, we need to take reasonable steps to make sure that we know the identity of a person. For example, if a student comes into an office and says they want some information, maybe they’re looking for a transcript or some other document that might have personal information about that student, we have to check and confirm the student’s identity. If the identification they present looks suspect, or if they have no identification, or refuse to show us identification, then the Red Flag Rules will be triggered and you need to report that up the chain to your supervisor or directly to the General Counsel’s office. The College has an Identity Theft Prevention Program. The document explaining our program is available on the College website as well as from the General Counsel’s office. It is a good idea to review this document periodically.
Let’s revisit for a moment the requirement that we safeguard our data and let’s focus on how we do this with regard to our technical safeguards. The College tries to adhere to established best practices for the protection of all personal information. Here are some of the ways that we do this:
The College deploys an enterprise solution for antivirus protection called LANDesk. LANDesk is currently installed on all Stonehill computers and provides optimized virus and spyware detection. The College uses a Central File Share service. The service enables secure file storage on the College network for employees. Use of the service is required for confidential and internal use only information, as those terms are defined in our Information Security Policy. It offers convenience, mobility and flexibility by making files centrally accessible on campus or remotely through a virtual private network. A virtual private network is a secure, encrypted network connection. Identity Finder is an application used to find and protect personal information stored on your computer. The Identity Finder software has been chosen by the College as the solution for employees to protect against possible identity theft. Identity Finder will search your computer, file shares, and personal media for vulnerable personal information such as social security numbers, credit card numbers, passwords, employee identification numbers, and maiden names. When Identity Finder locates such data, it will then allow a user to completely delete or encrypt it, protecting it from unwanted third-party access. Our Information Technology Department also recommends the use of Microsoft Office encryption, available for Word, Excel, or PowerPoint files that contain sensitive or private information. Employees should also note that we use an encryption application for all laptops called TrueCrypt, which encrypts the entire laptop.
The College also maintains a password policy. Our password policy requires: a minimum length of eight characters; at least four letters in a mixture of uppercase and lowercase; that passwords cannot contain parts of your account name or your full name; that you cannot reuse your previous six passwords; and that passwords must contain a mixture of letters, numbers, and other characters. Passwords should not be shared, written down, or sent to others. Our password policy requires a password to be changed at least every 180 days.
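The password rules on the Technical Safeguards slide and restated above, as an added checker written for this page; it is not the College’s own tooling. It assumes an account name, a full name, and that previous passwords are kept as salted hashes rather than plaintext; the sample account and names are constructed.

```python
"""Checker for the stated password policy (added example, not the College's code)."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8        # minimum length of eight characters
MIN_LETTERS = 4       # at least four letters
HISTORY_DEPTH = 6     # cannot reuse the previous six passwords


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: history holds salted PBKDF2 hashes, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password(candidate: str, account_name: str, full_name: str,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    history is a list of (salt, hash) pairs, most recent first; only the last
    HISTORY_DEPTH entries are consulted, matching the "previous six" rule.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    letters = [c for c in candidate if c.isalpha()]
    if len(letters) < MIN_LETTERS:
        problems.append(f"fewer than {MIN_LETTERS} letters")
    if not (any(c.isupper() for c in letters) and any(c.islower() for c in letters)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one digit")
    if not any(not c.isalnum() for c in candidate):
        problems.append("needs at least one non-alphanumeric character")
    # "Parts of your account name or your full name": any name token of 3+ characters.
    tokens = re.split(r"[\s.@_-]+", f"{account_name} {full_name}".lower())
    name_parts = {t for t in tokens if len(t) >= 3}
    if any(part in candidate.lower() for part in name_parts):
        problems.append("contains part of the account name or full name")
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash_password(candidate, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def remember_password(password: str, history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Record an accepted password at the head of the history with a fresh salt."""
    salt = os.urandom(16)
    return [(salt, _hash_password(password, salt))] + history
```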
So, remember, it is all of our jobs to make sure we protect the information of our students, our employees, our alumni, and of anyone that the College comes in contact with. We want to protect the College and prevent data security breaches. This concludes our presentation.