  1. AICP New England 13th Annual Education Day
  PRIVACY
  Jenny Erickson, Vice President, Legislative and Regulatory Affairs, The Life Insurance Association of Massachusetts

  2. Massachusetts General Laws, Chapter 93H: Security Breaches
  Approved by the Governor, August 2, 2007

  3. Ch. 93H, Section 2(a): "The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated. The objectives of the regulations shall be to: insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The regulations shall take into account the person's size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information."

  5. Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17)

  6. Office of Consumer Affairs and Business Regulation: Daniel C. Crane, Undersecretary

  7. Timeline
  OCABR Public Hearing: 1/11/08
  OCABR Final Regulation: 9/08
  OCABR Compliance Time Extension: 11/08
  Joint Committee on Consumer Protection Informational Hearing: 11/08
  OCABR Emergency Regulation Hearing: 1/16/2009
  OCABR Final Regulation, as amended: 2/2009

  8. Concerns Raised by: businesses of all types and sizes; educational institutions; non-profits; Internet security experts

  9. Major Issues: inconsistency with federal rules; encryption; inventory; third-party certification; compliance time

  10. Encryption: the final regulation contains a more flexible definition of encryption but still requires it, even where other methods of securing the data may work as well or better.

  11. Inventory: the final regulation changed the requirement from "inventorying" records to "identifying" records, and adds a provision that identification is not required if all records are handled as though they contain personal information.

  12. 3rd Party Certification
  Original text: "Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and (ii) contractually requiring service providers to maintain such safeguards. Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations."
  Changed to: "Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17."

  13. Compliance Time: the final regulation requires compliance by January 1, 2010.

  14. BUT ...
  Pending legislation would amend 93H; insurers would be deemed in compliance.
  New head of OCABR: will she rethink the regulation?

  15. S. 173 (Morrissey): "The department of consumer affairs and business regulation [shall] may adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated. The objectives of the regulations shall be to: insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information." (The bracketed "shall" is struck by the bill and replaced with "may"; the final sentence is language the bill adds to the current Section 2(a) quoted on slide 3.)

  16. S. 173 (Morrissey), continued: "The regulations shall take into account the person's size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. Notwithstanding the rules adopted by the department pursuant to the provisions above, said department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses' unique situation and resources. Any person who is required to comply with federal laws, rules, regulations, guidance or guidelines safeguarding personal information is deemed to be in compliance with this chapter." (The last two sentences are language the bill adds to the current Section 2(a) quoted on slide 3.)

  17. New Undersecretary of the Office of Consumer Affairs and Business Regulation: Barbara Anthony
  Former Northeast Regional Director, Federal Trade Commission
  Former Chief of the Public Protection Bureau, Massachusetts Attorney General's Office

  18. Conclusion: We will continue to push for changes with the Massachusetts legislature and the OCABR. The outcome is uncertain, so proceed with your compliance plan. The deadline is 1/1/10.