Amendment to Mass. Data Privacy Law

Goodwin Procter has published a client alert describing the amendments to the Massachusetts Data Privacy Law (my posts on this topic).

They detail three changes. First, the compliance deadline is pushed back to January 1, 2010. Second, some of the contract-amendment and vendor-certification requirements have been eased. Third, the wireless encryption requirement has been clarified.

The text of the amended regulations (.pdf).

Massachusetts Amends and Extends Its Data Privacy Law

According to this press release from the Massachusetts Office of Consumer Affairs and Business Regulation, they have once again extended the deadline for complying with the regulations. The regulations will now take effect January 1, 2010.

I have not had a chance to analyze the differences yet, but here are the amended regulations under 201 CMR 17.00 (.pdf).

Data Breach Costs $202 per Customer Record

PGP Corporation and the Ponemon Institute issued their fourth annual U.S. Cost of a Data Breach Study. The study examined 43 organizations across 17 industry sectors, with between 4,200 and 113,000 records affected per incident. According to the report, data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Within that number, the largest cost increase in 2008 was lost business created by abnormal churn of customers. Since the study's inception in 2005, this cost component has grown by more than $64 per victim, nearly a 40% increase.

Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00?

Compliance Week broadcast a webcast on the new Massachusetts data privacy regulations: Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00? (sponsored by Iron Mountain).

Garry Watzke, Esq., Senior Vice President Legal & Business Development at Iron Mountain, Inc., started with the basics, which I have noted in several other places.

John Jamison, Vice President Consulting Services at Iron Mountain, Inc., moved on to implementation challenges. He points out that this is not a pure IT project. No single tool provides coverage across the multiple platforms found in most businesses. IT is part of it, but there is also a business-wide program that needs to be put in place and maintained.

Garry points out that you need to maintain employee compliance and have a way to detect and prevent system failures.


International Data Privacy Day

January 28, 2009 is International Data Privacy Day. [Intel's collection of data privacy materials]. The United States, Canada, and 27 European countries will celebrate Data Privacy Day together for the second time. One of the primary goals of Data Privacy Day 2009 is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.

What can you do?

  • Show a recent movie that addresses the issue of privacy, such as "The Net" or "Swordfish," then discuss the privacy and information security issues in the movie and how they relate to your employees' lives and work.
  • Make a podcast available to your personnel that discusses privacy in general, or a specific privacy issue.
  • Hold a contest for your employees that incorporates privacy. For example, give an award or prize to the person who can identify the most significant employee privacy concern within your organization.
  • Hold a "Privacy Jeopardy" event on 1/28 during lunchtime, perhaps right outside your cafeteria, and give small prizes or recognition to the people who correctly answer a privacy-related question.
  • Distribute some privacy-related articles, or make them available on your information security and privacy intranet sites.

Data Breach at Heartland Payment Systems

Heartland Payment Systems (HPY) disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants. The company said it could not estimate how many customer records had been compromised, but said the compromised data included the information on a card's magnetic stripe, which could be used to produce counterfeit cards.

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PINs), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

Avivah Litan, an analyst at the research company Gartner, called it the largest card-data breach ever. Before this breach, the largest known breach occurred when around 45 million card numbers were stolen from the retailer TJX Cos.


The New Massachusetts Data Security Regulations

Goodwin Procter sponsored a webinar on the new Massachusetts data security rules.

Deb pointed out that you may now need to collect a client's state of residence to figure out whether they are a Massachusetts resident. That may have the perverse effect of collecting additional personal information about the person.

Deb points out that "financial account" is not well defined. She looks back to the statute and sees that it is focused on identity theft. If access to the "financial account" could lead to identity theft or the loss of money from that account, then it would probably be a financial account.

In evaluating compliance, you can take these factors into account:

  • size, scope and type of business,
  • the entity's resources,
  • amount of stored data, and
  • need for security and confidentiality of both consumer and employee information.

Deb points out that the Massachusetts regulators think the rules align with the federal data breach notification requirements. The regulators also think the rules merely apply more detailed requirements to the broad principles of the federal rules.

The regulators are deferring to the Attorney General for enforcement. The new rules do not provide a private right of action.

The Written Information Security Program has four main groups.

Implementation

  • Identify all records used to store personal information. The rules do not require an inventory, but the regulators want you to know the answer. They suggest mapping the information flow to see where information is gathered, where it goes and where it gets stored.
  • Identify and assess risk.
  • Evaluate and improve safeguards. This includes the security system and compliance training.
  • Limit collection and use. Personal information should only be available to those who need it, and then only the information they need. Don't gather it if you do not need it, and don't keep it if you no longer need it.

Administrative

  • designate a responsible employee
  • develop security policies
  • verify the capacity of service providers to protect personal information
  • obtain certifications from service providers; the certification must specifically address the Massachusetts rules and must state that the signatory was authorized to sign it

Technical and Physical

  • establish a security system
  • restrict physical access
  • prevent access by former employees
  • document responsive actions in event of data breach

Maintain and Monitor

  • post-incident review
  • disciplinary measures for violations
  • regular monitoring
  • annual review (if not more often)

Jacqueline Klosek focused on the computer system requirements. She put together specific requirements:

  • encryption of information stored on portable devices and of information in transit; portable memory sticks are a big problem
  • secure user authentication protocols
  • reasonable monitoring of systems
  • firewall
  • malware and virus protection
  • education and training

Agnes laid out three things to get done by May 1, 2009:

  • Implement internal policies and practices
  • encrypt company laptops
  • amend contracts with service providers to incorporate data security requirements

By January 1, 2010:

  • obtain written certifications from service providers
  • encrypt other portable devices (non-laptops)

Bingham Presentation on Massachusetts Data Security Law

Bingham McCutchen LLP put together a panel presentation on Complying with Massachusetts' New Data Security Regulations.

Mark Robinson, a partner at Bingham, started with an introduction of the law and panel. He called the law “perilous.”

Beth Boland, a partner at Bingham, went through the requirements of the new law. OCBR and the business community seem to be at a disconnect over the law. OCBR thinks the rules are not a big deal. They cite a statistic that there were over 318 reported breaches affecting more than 500 Massachusetts residents during a 10-month period while they were considering the law. [See Report of M.G.L. Chapter 93H Notifications (.pdf)]

Beth highlighted that the limitation in 201 CMR §17.03(g), that data should be collected only when "reasonably necessary to accomplish the legitimate purpose for which it is collected," is unique to Massachusetts.

Beth highlights the cascading certifications as one of the pitfalls. First, there is no standard for certification; she expects some battle over acceptable forms. Second, you need to follow the certification process all the way down the chain of custody: to your providers, their sub-providers, the sub-sub-providers, and so on.

Beth highlighted that May 1, 2009 is the deadline for getting contractual agreements that service providers will comply, and January 1, 2010 is the deadline for getting a compliance certification.

Doug Schwarz, a partner at Bingham, pointed out that in some organizations the requirements will mostly affect human resources, and that HR may end up driving the process instead of IT.

New York Social Security Number Protection Law

The New York Social Security Number Protection Law went into effect on January 3, 2009. Under New York Labor Law §203-d:

Employers may not, unless otherwise required by law:

1. Publicly post or display an employee’s SSN;
2. Visibly print a SSN on any ID badge or card, including time card;
3. Place a SSN in files with unrestricted access; or
4. Communicate an employee’s personal identifying information to the general public.

The statute broadly defines "personal identifying information" to include an employee's SSN, home address or phone number, personal e-mail address, Internet ID or password, parent's surname prior to marriage, or driver's license number.

AICPA’s Generally Accepted Privacy Principles

The AICPA and the Canadian Institute of Chartered Accountants formed a privacy task force and developed the ten principles of the Generally Accepted Privacy Principles (GAPP):

Principle 1: Management
The first principle of GAPP is Management. This principle requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.

Principle 2: Notice
The second principle of GAPP is Notice. This principle requires that the entity provide notice about its privacy policies and procedures and identify the purposes for which personal information is collected, used, retained, and disclosed.

Principle 3: Choice and Consent
The third principle of GAPP is Choice and Consent. This principle requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

Principle 4: Collection
The fourth principle of GAPP is Collection. This principle requires that the entity collect personal information only for the purposes identified in the notice.

Principle 5: Use and Retention
The fifth principle of GAPP is Use and Retention. This principle requires that the entity limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent, and retain it only as long as necessary for those purposes.

Principle 6: Access
The sixth principle of GAPP is Access. This principle requires that the entity provide individuals with access to their personal information for review and update.

Principle 7: Disclosure to Third Parties
The seventh principle of GAPP is Disclosure to Third Parties. This principle requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.

Principle 8: Security for Privacy
The eighth principle of GAPP is Security for Privacy. This principle requires that the entity protect personal information against unauthorized access, both physical and logical.

Principle 9: Quality
The ninth principle of GAPP is Quality. This principle requires that the entity maintain accurate, complete, and relevant personal information for the purposes identified in the notice.

Principle 10: Monitoring and Enforcement
The tenth principle of GAPP is Monitoring and Enforcement. This principle requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.