National Data Privacy Laws Move Forward


With last week’s further revisions to the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)], people are wondering if the federal government is going to step into the space and create a national standard. Most states have enacted some form of data breach or data privacy law, creating a patchwork of laws across the country.

I found three separate bills moving through the legislative process: the Data Accountability and Trust Act (H.R. 2221), the Personal Data Privacy and Security Act of 2009 (S.1490), and the Data Breach Notification Act (S. 139).

Data Accountability and Trust Act (H.R. 2221)

This bill was in the House Committee on Energy and Commerce and referred to the Subcommittee on Commerce, Trade and Consumer Protection. They recommended it be considered by the House as a whole on September 30.

This act would require the Federal Trade Commission to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.

Personal Data Privacy and Security Act of 2009 (S.1490)

Last week, the Senate Judiciary Committee approved the Personal Data Privacy and Security Act of 2009 by a vote of 14-5, sending the bill to the full Senate for consideration.

This act would amend the federal criminal code to: (1) make fraud in connection with the unauthorized access of sensitive personally identifiable information (in electronic or digital form) a predicate for racketeering charges; and (2) prohibit concealment of security breaches involving such information.

This law would preempt state regulation in this area.

The Data Breach Notification Act (S. 139)

Last week, the Senate Judiciary Committee approved the Data Breach Notification Act by a vote of 14-2, sending the bill to the full Senate for consideration.

This act would require any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired; and (2) the owner or licensee of any such information that the agency or business does not own or license. The notice must be given “without unreasonable delay” following discovery of the breach.

It also authorizes civil actions by state attorneys general to enforce the act. This act would supersede any other provision of federal law or any provision of state law relating to notification of a security breach by a business entity engaged in interstate commerce or by an agency.

These are just bills, so it’s hard to tell what may happen to them. The clock is ticking. The Massachusetts data security law goes into effect on March 1, 2010.

Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)


Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding than the original version released over a year ago. But this law is still the strictest in the country and will be the de facto law of the land for many companies.

The Office of Consumer Affairs and Business Regulation issued a press release announcing that the revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

  • The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
  • Anyone who “stores” personal information through their provision of services is now a Service Provider subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
  • The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
  • Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.


Privacy on Both Sides of the Atlantic


Here in the United States we are mostly talking about financial information and medical information when it comes to privacy and data security. The state data privacy laws focus on social security numbers and financial account information. HIPAA created a federal regulatory regime for medical information.

Europe has been focused less on financial information and much more on personal information when it comes to data security. The EU regulators are much more protective of the information about where you live, your race and your religion.

I thought this quote summed up the different approaches quite nicely:

Europe: You don’t understand privacy until they come for your neighbor in the middle of the night.

That came from Kim Howard, the Editor of ACC Docket, through a Twitter update. Memories of the Holocaust still drive regulations in the EU.

Massachusetts Amends Strict Data Privacy Law (Again)


UPDATE: Another revision was published on November 5, 2009. See: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)

The Massachusetts Office of Consumer Affairs and Business Regulation has decided to amend the strict data privacy law and extend the deadline for compliance. This is yet another amendment to the regulations. The last amendment had extended the compliance deadline to January 1, 2010.

In keeping with Governor Deval Patrick’s commitment to balancing consumer protection with the needs of small business owners, the adjustments to Massachusetts’ identity theft regulations allow some flexibility in compliance by small businesses. The regulations now have a risk-based approach that may make it easier on small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, can take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

Key amendments to 201 CMR 17.00 include:

Section 17.01 (1) Purpose of the regulation was amended to include language from M.G.L. 93H.

Section 17.01 (2) Scope of the regulations was revised to cover “persons who own or license personal information”. The section removes previous regulatory language related to those that “store or maintain personal information”.

Section 17.02 Encryption definition was amended to be technology neutral. A definition for the term “owns and licenses” was added to focus the protection of personal information in “connection with the provision of goods or services or in connection with employment”. A new definition for the term “service provider” was added.

Section 17.03 (1) Duty to protect rules look to address size and scope of a firm within the development and implementation of a written information security plan. (2) Amends and removes some requirements for the written information security plan. (f) Amends third party vendor rules and provides a two year window relative to contracts and requirements for compliance.

Section 17.04 Amends computer requirements for persons that own or license personal information to develop a written information security plan “that at a minimum, and to extent technologically feasible, shall have the following elements”.

Section 17.05 Amends the effective date of the regulations to March 1, 2010.

There will be a hearing on the revised regulations commencing at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116. Interested parties will be afforded a reasonable opportunity at the hearing to present oral or written testimony. Written comments will be accepted up to the close of business on September 25, 2009. Such written comments may be mailed to: Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attention: Jason Egan, Deputy General Counsel, or e-mailed to [email protected].


National Data Privacy Law Proposed

Image by Johnny Grim (CC BY-NC-ND 2.0)

With a multitude of states trying to protect their citizens when it comes to breaches of personal data security, it is becoming increasingly difficult to manage compliance with this patchwork of laws. The Data Accountability and Trust Act (H.R. 2221) proposed in Congress would preempt state laws and make regulation of data security a matter of federal regulation.

If passed in its current form, the procedure and time frame for notifications in the event of a data breach would be standardized instead of differing from state to state. It would also require the Federal Trade Commission to regulate the security practices around personal data.

The most controversial part seems to be the provisions around information brokers (companies that gather personal information about people who are not their customers in order to sell it to third parties). It would require these brokers to establish reasonable procedures to verify the accuracy of the personal information they collect. They would also have to provide consumers with access to that information.

Although it is still working its way through the system, it has already been forwarded by the subcommittee to the full House Energy and Commerce Committee.


Webinar Materials for: Preparing for the strictest privacy law in the nation


As a follow up to Wednesday’s lunchtime webinar sponsored by Knowledge Management Associates, I wanted to post some materials for those of you that missed it and for those looking for notes and details.

The slidedeck:


Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

201 CMR 17.00

Click to access 201CMR17amended.pdf

Compliance Building Posts on Mass. Data Privacy
https://www.compliancebuilding.com/tag/mass-data-privacy-law/

Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17


Join me for a webinar on the Massachusetts Data Privacy Law.

Knowledge Management Associates, LLC is sponsoring a webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17.

  • I will provide an overview of the law.
  • Robert Boonstra will share some of his best practices around implementation and compliance with the law.
  • Sean Megley, of Knowledge Management Associates, will provide a look at their SharePoint-based compliance management solution to address 201 CMR 17.00.

The webinar will be on July 29, 2009 from 12:30pm – 1:30pm (Boston time). And it’s free. You can register on their webinar registration page.

Amendment to Mass. Data Privacy Law

Goodwin Procter has published a client alert describing the amendments to the Massachusetts Data Privacy Law (my posts on this topic).

They detail three changes. First is pushing back the compliance deadline to January 1, 2010. Second, they have lifted some of the contract amendments and certifications from vendors. Third, they clarified the wireless encryption requirement.

The text of the amended regulations (.pdf).

Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00?

Compliance Week broadcast a webcast on the new Massachusetts data privacy regulations: Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00? (and sponsored by Iron Mountain).

Garry Watzke, Esq., Senior Vice President Legal & Business Development at Iron Mountain, Inc. started with the basics which I have noted in several other places:

John Jamison, Vice President Consulting Services at Iron Mountain, Inc. moved on to implementation challenges. He points out that this is not a pure IT project. There is no single tool that provides coverage across the multiple platforms in most businesses. There is IT, but there is also a business-wide program that needs to be in place and maintained.

Garry points out that you need to maintain employee compliance and have a way to detect and prevent system failures.


Data Breach at Heartland Payment Systems

Heartland Payment Systems (HPY) disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants. The company said it couldn’t estimate how many customer records have been compromised, but said the data compromised include the information on a card’s magnetic stripe that could be used to duplicate a card.

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

Avivah Litan, an analyst at research company Gartner, called it the largest card-data breach ever. Before this breach, the largest known breach occurred when around 45 million card numbers were stolen from retail company TJX Cos.
