Emerging Issues in Data Security and an Overview of the Massachusetts Data Security Law

March 27, 2008

David Szabo, Nutter, McClennen & Fish

David A. Holley, Kroll

Scott Schafer, Office of the Attorney General

Art Crow, Millennium Pharmaceuticals


Introductory Comments:

David S. Szabo

Nutter, McClennen & Fish

Key Points
  • New State Data Breach Law Effective October 1, 2007
  • New State Data Disposal Law Effective February 3, 2008
  • Other States’ Laws Must be Observed, Too
  • Proposed Information Security Regulations
Other States’ Laws
  • At least 38 States have enacted data breach notification laws
  • Most of these protect financial (identity theft) information, but some also protect medical information (e.g. new California amendments)
  • The states have differing notice requirements in regards to timing, content and the like.
Other States’ Laws
  • Are you subject to those laws? You should find out now, not later.
  • You must coordinate notices and other compliance issues across jurisdictions.
  • Responses can be complex, as laws may conflict
Other Laws May Apply?
  • HIPAA
  • GLB
  • EU Data Directive
In Event of Trouble
  • Read your data breach policy (you do have one, don’t you?)
  • Investigate and determine the facts
  • Call your insurance carrier
  • Notify counsel
  • Notify, as required by law
  • Notify, as required by contracts
  • Mitigate, as needed

What the numbers look like:

David A. Holley

Kroll Worldwide

Identity Theft and Fraud
  • Numbers
    • Attrition.org: 2006 – 326 incidents exposing 45,538,298 records vs. 2007 – 275 incidents exposing 126,231,985 records – a 277% increase in records exposed
    • ITRC: 2006 – 392 incidents exposing 49,000,000 records vs. 2007 – 443 incidents exposing 127,369,523 records – a 260% increase in records exposed
  • Cost to Organizations
    • Average Cost of a data breach - $197/record (increase of 8% over 2006, 43% over 2005) *
    • Cost of lost business - $128/record (increase of 30% over 2006) *
    • Costs organizations expended for legal defense and PR (8% and 3% of total breach costs, respectively) *
    • Cost of a data breach for financial services organizations was $239/record (21% higher than average) *

* Source: Ponemon Institute – November 2007

Cost and Commerce
  • Industry Issues
    • FTC Estimates nearly 10 Million victims per year
    • Many victims don’t know or don’t report
    • Fastest growing white collar crime in America
    • Average 175 hours and $1,500 to resolve
    • 49% of data breaches were due to lost or stolen laptops or other portable devices (e.g., USB drives) *
  • Common Types of Fraud
    • Current Credit – Credit Card, Debit Card, Phone Card
    • Identity Fraud using:
      • Your name and SS# to:
        • Establish new credit
        • Commit other criminal activity
  • Only 21% of ID theft is credit related
  • Consumer claims, blogging sites, class action
  • Tangible loss of credibility in your community
    • Lost business accounts for 65% of breach costs. (increase of 30% over 2006) *

* Source: Ponemon Institute – November 2007

Addressing the Risk
  • Avoidance - No
    • Not really an option
  • Mitigation - Absolutely
    • The risk of a breach can be reduced before an incident occurs
  • Insurance - Absolutely
    • Regular commercial insurance programs do not cover data breaches
    • Cyber Risk policies can be customized to insure liability and costs of notification and compliance

Data Protection: Concepts and Practice

Art Crow

Millennium Pharmaceuticals

Considerations
  • What information do I need to protect?
  • How and where do I store this information?
  • Who should have access to the information?
  • How do I protect my information from theft or wrongful use?
Integrated Security Approach
  • Risk Assessment
  • Information Technology Controls
  • Physical Security Controls
  • Procedural Controls
Information Technology Controls
  • Network – Servers – Computers – Software
  • Change manufacturer’s default passwords!
  • If it doesn’t have anti-virus/anti-spam/anti-spyware software, it doesn’t go on the network (this includes computers attached to lab equipment)
Information Technology Controls
  • Encrypted hard drives on all laptops – encryption software is not enough
  • Not everyone needs a laptop
  • Limit remote network access to only those people who require it in the performance of their job
  • Anti-theft/recovery software
Physical Security Controls
  • Install your own physical security system
  • Use a card access system and CCTV cameras
  • An alarmed door does no good if someone doesn’t respond to the alarm
  • Lock the server and network gear rooms
  • Restrict access to sensitive areas – the CFO does not need access to the data center
  • One key should not unlock all doors
Company Policies
  • Passwords
    • Minimum 8 characters
    • Combination of letters, numbers and symbols
    • Change every 90 days
  • Acceptable Use
    • Business purposes only
    • No downloading of software/programs from the internet
Company Policies
  • No Shareware
  • No non-business related software on any computer or server
  • Screen savers and passwords are a must – no exceptions
  • Store sensitive data in a server file – not on the laptop or a CD
Conclusion
  • Good IT and physical security controls can reduce the risk of data theft
  • In order for security to be effective it must be an integral part of the company culture
  • All employees and vendors should receive training in company IT and physical security policies
  • Monthly security briefs will reinforce company security policies and help to alert people to emerging threats
  • Social engineering – The Art of Deception

Overview of Massachusetts Data Security Laws

Scott D. Schafer

Assistant Attorney General

Consumer Protection Division

Office of Massachusetts

Attorney General Martha Coakley

Massachusetts Identity Theft Legislation

August 3, 2007

Massachusetts adopts comprehensive identity theft legislation

Becomes the 39th state to protect residents by requiring that they be notified in the event of a data security breach or unauthorized access or use of their personal information.

Massachusetts Identity Theft Legislation

Major Provisions of the Legislation

1) Establishes a consumer’s right to request a security freeze (G.L. ch. 93, §§56 and 62A);

2) Establishes requirements for notification to state government and consumers in the event of a data breach (G.L. ch. 93H); and

3) Establishes requirements for destruction and disposal of records containing a consumer’s personal information (G.L. ch. 93I).

Security Breaches (G.L. ch. 93H)

Who does the law apply to?

Any individual, business or governmental agency that owns, licenses, maintains or stores data whose unauthorized access or use is capable of compromising a Massachusetts resident’s personal information.

Security Breaches (G.L. ch. 93H)

What is personal information?

First name and last name or first initial and last name of a resident in combination with one or more of the following:

1. SSN;

2. driver's license number or state-issued card id number; or

3. financial account, debit or credit card number.

Security Breaches (G.L. ch. 93H)

Massachusetts law protects personal information regardless of form – paper or electronic.

Protected personal information does not include information that is lawfully obtained from publicly available information.

Security Breaches (G.L. ch. 93H)

When is notice triggered?

1. Breach of security

2. Personal information acquired or used by an unauthorized person; or

3. Personal information used for an unauthorized purpose.

Security Breaches (G.L. ch. 93H)

Definition of “Breach of Security”

Unauthorized acquisition or use of unencrypted data or, encrypted electronic data and the confidential process or key, that is capable of compromising the security or confidentiality of personal information, maintained by a person or agency, that creates a substantial risk of identity theft or fraud against a Massachusetts resident.

Security Breaches (G.L. ch. 93H)

Definition of “Breach of Security”

Broader definition -- Breach need not involve “personal information” as defined in statute

Notice triggered if there is a substantial risk of ID Theft or fraud

Security Breaches (G.L. ch. 93H)

Personal Information Notification Triggers

Personal information acquired or used by unauthorized person

Personal information used for unauthorized purpose

Security Breaches (G.L. ch. 93H)

Personal Information Notification Triggers

No “substantial risk of harm” calculus.

Notification is triggered by the breach itself rather than the likelihood of harm or misuse of personal information.

Entities are therefore not exempt from providing notice if a breach does not create a risk of harm.
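The two slides above, the statutory definition of "personal information" (name plus SSN, driver's license or state ID number, or financial account number) and the "breach of security" definition with its encryption caveat, can be turned into a data-inventory check that tells an incident team which records are in scope before the no-risk-calculus trigger applies. The following is an added example, not code from the presentation or its speakers; the column names, the Luhn sanity filter on card numbers, and the sample records are constructed assumptions for illustration.

```python
"""Added example (not from the presentation): classify records against the
G.L. ch. 93H definition of "personal information" and apply the
breach-of-security encryption caveat. Column names, regexes and sample
records are constructed assumptions for illustration."""
import re
from typing import Dict, List, Optional

# Assumed column names in the data set being inventoried (constructed).
FIRST_NAME_FIELDS = ("first_name", "first_initial")
LAST_NAME_FIELD = "last_name"
DL_FIELDS = ("drivers_license", "state_id_number")  # formats vary by state; matched by column only
ACCOUNT_FIELDS = ("account_number",)                # any populated value counts
CARD_FIELDS = ("card_number",)                      # populated value must also pass Luhn

# Nine-digit SSN with optional dashes: a format check, not a validity check.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def luhn_ok(number: str) -> bool:
    """Luhn checksum for payment-card numbers. This is an added sanity filter,
    not part of the statute; it keeps arbitrary digit strings out of the
    card category during an inventory."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_name(record: Dict[str, str]) -> bool:
    """Statutory name element: first name *or* first initial, plus last name."""
    first = any(record.get(f) for f in FIRST_NAME_FIELDS)
    return bool(first and record.get(LAST_NAME_FIELD))


def data_elements(record: Dict[str, str]) -> List[str]:
    """Which of the three statutory data elements the record carries."""
    found = []
    if SSN_RE.match(record.get("ssn", "")):
        found.append("ssn")
    if any(record.get(f) for f in DL_FIELDS):
        found.append("drivers_license_or_state_id")
    if any(record.get(f) for f in ACCOUNT_FIELDS) or any(
        luhn_ok(record.get(f, "")) for f in CARD_FIELDS
    ):
        found.append("financial_account")
    return found


def is_personal_information(record: Dict[str, str]) -> bool:
    """Name in combination with at least one data element. The exclusion for
    lawfully public information cannot be decided mechanically; leave it to review."""
    return has_name(record) and bool(data_elements(record))


def notice_trigger(record: Dict[str, str], encrypted: bool, key_compromised: bool) -> Optional[str]:
    """Return the ch. 93H trigger that applies to this record, or None.

    Encrypted electronic data counts only when the confidential process or key
    was also acquired; unencrypted data always counts. Once personal information
    is in scope there is no risk-of-harm calculus. The broader "substantial risk
    of identity theft" prong for data that is not personal information needs
    human judgement and is not modelled here.
    """
    if encrypted and not key_compromised:
        return None
    if is_personal_information(record):
        return "personal information acquired or used by unauthorized person"
    return None


# Constructed sample records with fictitious values.
SAMPLE_RECORDS = {
    "full_name_ssn": {"first_name": "Ann", "last_name": "Lee", "ssn": "123-45-6789"},
    "initial_card": {"first_initial": "A", "last_name": "Lee", "card_number": "4111 1111 1111 1111"},
    "name_only": {"first_name": "Ann", "last_name": "Lee", "email": "ann@example.com"},
    "ssn_no_name": {"ssn": "123-45-6789", "zip": "02108"},
    "bad_checksum": {"first_name": "Ann", "last_name": "Lee", "card_number": "4111 1111 1111 1112"},
}


def classify_all(records: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Label -> whether the record is statutory personal information."""
    return {label: is_personal_information(rec) for label, rec in records.items()}


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label:14s} PI={is_personal_information(rec)!s:5s} elements={data_elements(rec)}")
    print("encrypted, key intact:", notice_trigger(SAMPLE_RECORDS["full_name_ssn"], True, False))
    print("unencrypted          :", notice_trigger(SAMPLE_RECORDS["full_name_ssn"], False, False))
```

The point of the `notice_trigger` split is the one the slides make: a stolen laptop with full-disk encryption and an intact key sits outside the breach definition, while the same records on an unencrypted drive are in scope with no likelihood-of-harm analysis available to avoid notice. Records that carry a name but no data element (or a data element but no name) fall outside the statutory definition and are reported as such, which is exactly what a scoping inventory needs to know.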

Security Breaches (G.L. ch. 93H)

Who must be notified?

1. The Attorney General;

2. Director of Consumer Affairs and Business Regulation; and

3. Affected Residents

Security Breaches (G.L. ch. 93H)

What must the notice say?

Massachusetts law has different content requirements depending on the recipient of the notice.

Security Breaches (G.L. ch. 93H)

Notice to the Attorney General and Director of Consumer Affairs and Business Regulation

1. Nature of the breach of security or the unauthorized access or use of personal information;

2. Number of Massachusetts residents affected; and

3. Steps the notifying entity is taking, or plans to take, relating to the incident.

Security Breaches (G.L. ch. 93H)

Notice to Affected MA Residents

1. Consumer’s right to obtain police report;

2. How a consumer requests a security freeze (G.L. ch. 93, §§ 56 and 62A);

3. Information consumer will need to provide to request security freeze; and

4. Disclosure of fees associated with placing, lifting or removing a security freeze

Security Breaches (G.L. ch. 93H)

Notice to Affected MA Residents

Notice to the affected residents shall not include:

1. Nature of the breach or unauthorized access or use; or

2. The number of residents affected.

Security Breaches (G.L. ch. 93H)

Common Mistakes Made in Notices to Affected MA Residents

1. Notice is too general and fails to include the four (4) Massachusetts-specific requirements

2. Confusing a fraud alert with a security freeze

Security Breaches (G.L. ch. 93H)

Common Mistakes Made in Notices to Affected MA Residents

3. References to websites rather than providing information in letter itself – thereby putting burden on affected residents to find information

4. Provides a range of fees relating to security freeze when in fact amount is set by statute (G.L. ch. 93, §62A)

Security Breaches (G.L. ch. 93H)

Notice to Affected MA Residents

Law provides for direct notice to affected consumers unless:

1. More than 500,000 affected MA residents; or

2. Costs of providing written notice shall exceed $250,000.

“Substitute” notice consists of: 1) email notice to affected consumers; 2) clear and conspicuous notice on the company’s home page; and 3) publication in statewide media.

Security Breaches (G.L. ch. 93H)

When must notice be provided?

“As soon as practicable and without unreasonable delay”

Massachusetts permits a delay where law enforcement determines notification would hinder a criminal investigation -- provided that the law enforcement agency notifies the Attorney General of that determination.

Most Common Causes of Data Breaches

Stolen Laptops

Rogue Employees

Inadvertent Disclosure

Intra-company Email

Hacking

Data Disposal (G.L. ch. 93I)

Scope of the Law

Requires individuals, businesses and governmental agencies to employ certain safeguards when disposing of or destroying records containing personal information – regardless of form.

Data Disposal (G.L. ch. 93I)

Minimum standard for disposal/destruction of records

Destruction of records containing personal information must be done in such a manner so that personal information "cannot practically be read or reconstructed."

Paper records shall be burned, redacted, pulverized or shredded so that personal information cannot be read or reconstructed.

Electronic records and other non-paper media shall be destroyed or erased so that personal information cannot be read or reconstructed.

Data Disposal (G.L. ch. 93I)

Third-party Disposal

May use third parties provided that the third parties adopt and monitor compliance with policies and procedures that prohibit unauthorized access to or use of personal information in the course of the collection, transportation or disposal of the information.

Entities employing such third-party services should obtain written assurances from the third party that its disposal practices are in compliance with the law.

Data Disposal (G.L. ch. 93I)

Penalties

$100 per individual affected

Maximum of $50,000 per instance of improper disposal