Webinar Materials for: Preparing for the strictest privacy law in the nation


As a follow-up to Wednesday’s lunchtime webinar sponsored by Knowledge Management Associates, I wanted to post some materials for those of you who missed it and for those looking for notes and details.

The slidedeck:


Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

201 CMR 17.00

Click to access 201CMR17amended.pdf

Compliance Building Posts on Mass. Data Privacy
https://www.compliancebuilding.com/tag/mass-data-privacy-law/

2009 Data Breach Investigations Report


285 million records were compromised in 2008. The Verizon Business RISK Team conducted a study of first-hand evidence collected during data breach investigations of 90 confirmed breaches that were part of their caseload. This 2008 caseload of more than 285 million records exceeded the combined total from 2004 to 2007.

2009 Data Breach Investigations Report (pdf)

Investigators concluded that 87 percent of breaches could have been avoided through the implementation of simple or intermediate controls, all of which were standard practices in the industry. In only 13 percent of cases were costly controls (in terms of effort and expense) recommended as the most efficient and effective means of avoiding the breach, and most of these were still standard security controls, despite their cost.

They conclude with these recommendations:

Align process with policy: Many organizations set security policies and procedures yet fail to implement them consistently. Controls focused on accountability and ensuring that policies are carried out can be extremely effective in mitigating the risk of a data breach.

Achieve essential, and then worry about excellent: We find that many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route. Identifying a set of essential controls and ensuring their implementation across the organization without exception, and then moving on to more advanced controls where needed is a superior strategy against real-world attacks.

Secure business partner connections: Basic partner-facing security measures as well as security assessments, contractual agreements, and improved management of shared assets are all viewed as beneficial in managing partner-related risk.

Create a data retention plan: Clearly, knowing what information is present within the organization, its purpose within the business model, where it flows, and where it resides is foundational to its protection. Where not necessitated by valid business needs, a strong effort should be made to minimize the retention and replication of data.

Control data with transaction zones: Based on data discovery and classification processes, organizations should separate different areas of risk into transaction zones. These zones allow for more comprehensive control implementations to include but not be limited to stronger access control, logging, monitoring, and alerting.

Monitor event logs: All too often, evidence of events leading to breaches was available to the victim but this information was neither noticed nor acted upon. Processes that provide sensible, efficient, and effective monitoring and response are critical to protecting data.

Create an Incident Response Plan: If and when a breach is suspected to have occurred, the victim organization must be ready to respond. An effective Incident Response Plan helps minimize the scale of a breach and ensures that evidence is collected in the proper manner.

Increase awareness: Delivered effectively, training that educates employees about the risks of data compromise, their role in prevention, and how to respond in the event of an incident can be an important line of defense and discovery.

Engage in mock incident testing: In order to operate efficiently, organizations should undergo routine IR training that covers response strategies, threat identification, threat classification, process definition, proper evidence handling, and mock scenarios.

Join me at 12:30 (July 29, Boston Time) for a free webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17 hosted by Knowledge Management Associates.

Ten of the Most Embarrassing Data Breaches


I gathered some notable data breaches in preparation for my presentation on the Massachusetts Data Privacy Law as part of my webinar on Wednesday: Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17. If you wondered why there are so many state laws on data breaches, just take a look at some of these embarrassing data breaches.

Royal Navy

Imagine losing information on everyone who had applied to join the armed forces including passport numbers, medical histories, and bank details. Of course, it was not encrypted. It was just sitting in a laptop in the back of a car. That’s what happened Jan. 9, 2008, in Birmingham, U.K., when a Royal Navy Officer left the laptop in his car and it was promptly stolen.

BBC: Police probe theft of MoD laptop

UK’s Child Benefits Records

Her Majesty’s Revenue and Customs sent discs containing the entire child benefit database unregistered and unencrypted to the National Audit Office. There was no evidence that the discs fell into the wrong hands, but millions of families were told to be on alert for attempts to fraudulently use their details, which include addresses, bank account and National Insurance numbers, as well as children’s names and dates of birth.

BBC: Discs ‘worth £1.5bn’ to criminals

Veteran’s Affairs

The computer and hard drive were stolen from the home of an employee of the Department of Veterans Affairs. It contained details on no less than 26.5 million veterans. The laptop was stolen May 3rd and turned up two months later on the black market only four miles away. The purchaser bought both the laptop and the hard drive off the back of a truck.

New York Times: V.A. Laptop Is Recovered, Its Data Intact

TJX

The retailer had over 45 million customer records compromised. The current theory is that the thieves sat in the company parking lot and tapped into an unsecured wireless router.

Boston Globe: TJX faces scrutiny by FTC

Ameriprise

Lists containing the personal information of about 230,000 customers and advisers were compromised after a company laptop was stolen from an employee’s parked car. The laptop contained a list of reassigned customer accounts that were unencrypted.

New York Times: Ameriprise Says Stolen Laptop Had Data on 230,000 People

Verisign

Digital certificate issuing company VeriSign suffered a data breach when an employee’s laptop was stolen from their car last month. The laptop contained names, social security numbers, dates of birth, salary details, phone numbers and addresses of VeriSign employees.

The Gap

A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. was stolen. The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data.

The Register: Data for 800,000 job applicants stolen

Boston Globe

Instead of reporting on data breaches, the Boston Globe and The Worcester Telegram & Gazette suffered their own credit card breach. The credit card information for as many as 240,000 subscribers might have been inadvertently released.

The New York Times: Credit Data Breach at Two Newspapers

Hannaford Supermarkets

Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.’s supermarkets enabled a massive data breach that compromised up to 4.2 million credit and debit cards.

Forbes: Malware cited in supermarket data breach

IBM

A vendor lost tapes containing sensitive information on IBM employees, including dates of birth, Social Security numbers, and addresses. Some of the tapes were not encrypted.

InfoWorld: IBM contractor loses employee data

Any others that you think should be on this list? Join the webinar and let us know.

Image is by d70focus: Credit Card Theft http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0

The HITECH Act


I sat in a webinar on CyberSecurity Law: The Best Offense is a Good Defense sponsored by Pillsbury Winthrop Shaw Pittman LLP. One aspect of the presentation was the Health Information Technology for Economic and Clinical Health Act.

This created the first federal data breach notification law. It also substantially revised HIPAA regulations regarding privacy and security.

A “Breach” means:

  • Unauthorized access, use or disclosure of Public Health Information
  • That compromises the security, privacy or integrity of the Public Health Information
  • Does not include unintentional disclosures if made in good faith and within the course and scope of employment or a business associate relationship, provided that the Public Health Information is not further acquired, accessed, used or disclosed

The difference between the HITECH Act and the state data breach notification laws deals with encryption, not security. It focuses on medical information, not just financial/identification information. Only California and Texas include medical information in their data breach notification laws.

The regulations from the FTC are very detailed. You must notify each US citizen and resident whose information was acquired by an unauthorized person, and you must notify the FTC. The burden is on the company to demonstrate that all required notifications were made.

Sending the breach notification:

  • By 1st class mail to last known address
  • By email “if specified as preference by the individual” (express affirmative consent required – pre-checked boxes and disclosures in TOS/Privacy Policy are NOT sufficient)
  • May provide notice via telephone or other means if the Breach is deemed to require urgency (e.g., due to possible imminent misuse of PHI)

Notification may be delayed for law enforcement purposes, consistent with the HIPAA Privacy Rule.

If more than 10 individuals are affected, the Covered Entity must:

  • post notice on its home page (and on “landing pages” for existing account holders (FTC))
  • provide notice to major print/broadcast media in the relevant geographic area, including a toll-free phone number
  • ensure the notice is prominent, clear and conspicuous, stated in plain language and run multiple times

Jurisdiction is split between the FTC and Health and Human Services. You are still subject to state enforcement of data breaches under state law.

Complying with Massachusetts Data Protection Regulations


The current deadline for complying with the Massachusetts Data Privacy Law is January 1, 2010. Since the law protects the personal data of the citizens of the Commonwealth of Massachusetts, its reach extends well beyond the state borders. TechTarget recently held a seminar on 201 CMR 17.

It is a tough law to deal with. Even its creators are unsure about what it actually says. At the Compliance Decisions conference, a presenter from the state government overstated the requirements of the law: No easy answers for complying with data protection regulations.

Based on some coverage of the seminar, some interesting items came out.

When it comes to wireless standards: “You have to look at what is considered industry best practices. Specific to a wireless control, don’t go out and look at WEP. Don’t go out and look at WPA. Both of those protocols have been breached. You’ve got to go to WPA2.”

When it comes to compliance and enforcement: “It is true that the attorney general is going to decide what is in compliance or not.”

References:

Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17


Join me for a webinar on the Massachusetts Data Privacy Law.

Knowledge Management Associates, LLC is sponsoring a webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17.

  • I will provide an overview of the law.
  • Robert Boonstra will share some of his best practices around implementation and compliance with the law.
  • Sean Megley, of Knowledge Management Associates, will provide a look at their SharePoint-based compliance management solution to address 201 CMR 17.00.

The webinar will be on July 29, 2009 from 12:30pm – 1:30pm (Boston time). And it’s free. You can register on their webinar registration page.

Identity Theft Program Template for Low-Risk Entities

The Federal Trade Commission published a compliance template designed to assist financial institutions and creditors “at low risk for identity theft” in developing the Identity Theft Prevention Program required by the FTC’s Identity Theft Red Flags and Address Discrepancies Rule: Complying with the Red Flags Rule: A Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft (.pdf)

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the “red flags” of identity theft in their operations. By focusing on red flags, you should be better able to spot an imposter using someone else’s identity. The Rule applies to companies that provide products or services and bill customers later. To find out if the Red Flags Rule applies to your business, read Fighting Fraud with the Red Flags Rule: A How-To Guide for Business (.pdf).

The FTC has designed the compliance template to help businesses at low risk for identity theft design their own Identity Theft Prevention Program. In Part A, you determine whether your business or organization is at low risk. In Part B, if your business is in the low risk category, the template helps you to design your written Identity Theft Prevention Program.

Privacy Notices – Testing Effectiveness

It’s great that regulators come up with privacy disclosure forms, but are they effective?

The Securities and Exchange Commission has reopened the period for public comment on proposed amendments to Regulation S-P, which implements the privacy provisions of the Gramm-Leach-Bliley Act. [15 U.S.C. §§6801 – 6809] They opened back up for comment because they tested the model notices and found weaknesses with the current form.

The proposed amendments were designed to create a safe harbor for a model form that financial institutions may use to provide disclosures in initial and annual privacy notices required under Regulation S-P. Based on the field research, it sounds like the model notice needs some more work.

See:

Waiving the Attorney-Client Privilege By Seeking Tax Advice


The Massachusetts Supreme Judicial Court focused on the issue of whether the attorney-client privilege protected communications between an in-house corporate counsel and outside tax accountants. Commissioner of Revenue v. Comcast Corporation, et al., SJC-10209 (March 3, 2009). The general rule is that the voluntary disclosure of privileged information to a third party consultant for the company’s business purposes will be deemed to waive the privilege.

We saw a similar issue addressed in the context of SEC filings in the case of Roth v. Aon. In the Roth case, they were trying to compel the release of draft SEC filings. That court rejected the request and recognized that the process of preparing SEC filings involves legal judgments throughout, even where the disclosure in question concerns operational rather than legal matters.

In Comcast, corporate counsel retained two Massachusetts-based Arthur Andersen partners to provide Massachusetts tax law advice in connection with a proposed stock sale. The Andersen partners spoke with in-house counsel and prepared several memoranda discussing options for the company relating to the stock sale. Litigation ensued concerning the tax implications of the stock sale. The Commissioner of Revenue sought production of the Arthur Andersen memoranda, which Comcast withheld on the basis of the attorney-client privilege and/or the work product doctrine.

The SJC held that the memoranda were not protected by the attorney-client privilege.

In addressing whether the attorney-client privilege exists, Comcast bears the burden of proof and needed to show:

“(1) the communications were received from a client during the course of the client’s search for legal advice from the attorney in his or her capacity as such; (2) the communications were made in confidence; and (3) the privilege as to these communications has not been waived.”

Comcast argued that the memoranda fell within the “derivative privilege” recognized in United States v. Kovel, 296 F.2d 918 (2d Cir.1961). In the Kovel decision, the Second Circuit held that the attorney-client privilege is not waived when disclosure to a third party consultant is necessary to facilitate communication between the attorney and the client and assist the attorney in rendering legal advice to the client. One example of the derivative privilege is that of an interpreter brought in to translate for a client and his attorney who speak different languages.

With respect to accountants, the Court in Kovel held that the privilege is waived unless the communication is made for the specific purpose of the client obtaining legal advice from the lawyer. The privilege is waived if (a) what is sought is not legal advice but only accounting services, or (b) the advice sought is the accountant’s rather than the lawyer’s. In Comcast, the SJC agreed that the Kovel doctrine applies only when the accountant’s role is to clarify or facilitate communications between attorney and client. The majority of courts take the same position.

Lesson? Tax advice from your accountant is unlikely to be protected by attorney-client privilege.

Before disclosing attorney-client communications to a third party, ask yourself whether the third party is being consulted in order to (a) simply provide her own advice, or (b) facilitate communication between the attorney and the client. If your answer is (a), disclosure of the confidential information will likely waive the attorney-client privilege.

See also:

Ex-Employees Admit to Stealing Company Data

Your ex-employees are probably stealing your company’s data on their way out the door. In a study by Symantec Corp. and Ponemon Institute, they found that 59 percent of ex-employees admit to stealing confidential company information: More Than Half of Ex-Employees Admit to Stealing Company Data According to New Study.

That employees are taking data is not surprising. That the percentage is this large may be a surprise to some of you. (It is also not a surprise that Symantec has a product to help limit this kind of data loss.) But in these economic times, with many companies downsizing, it is important to think about possible data loss.

Additional Survey Findings:

  • 53 percent of respondents downloaded information onto a CD or DVD.
  • 42 percent downloaded information onto a USB drive.
  • 38 percent sent attachments to a personal e-mail account.
  • 82 percent of respondents said their employers did not perform an audit or review of paper or electronic documents before the respondent left his/her job.
  • 24 percent of respondents had access to their employer’s computer system or network after their departure from the company.

The Ponemon Institute conducted the web-based survey in January 2009, polling nearly 1,000 adult participants located in the United States who left an employer within the past 12 months.

See also: