2013-11 Growing Trend of Finding Regulatory and Tort ...
TBG Security M.G.L. 93H / 201 CMR 17.00 Compliance Service
1. How M.G.L. c. 93H and 201 CMR 17.00 Will Impact Your Business

2. Session Objectives
- Enhance awareness of the new Massachusetts "Data Security Breach Laws and Regulations"
- Legal perspectives
- Practical tools
- Technical issues surrounding compliance
- Provide up-to-the-minute updates on 201 CMR 17.00
4. Identity Theft & Data Breach
$60 billion was lost and 35.6 million consumer records were exposed in 2008 due to data breaches and identity theft, a 47% increase over 2007, according to the Identity Theft Resource Center. The U.S. Department of Justice reports that identity theft has surpassed the illegal drug trade as the number one crime in the nation.

5. Data Breaches 2008 – Global View
Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's (ITRC) 2008 breach report includes 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year's total of 446. According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.
11. What Is Personal Information?
Personal Information is defined as a Massachusetts resident's first and last name, or first initial and last name, along with one or more of the following: Social Security Number, driver's license number or state-issued identification card number, financial account number, or credit or debit card number. Therefore, Personal Information will frequently be included in financial records, employee and possibly candidate HR files, benefits files and certain consumer-related files.

12. What Is A Security Breach? M.G.L. c. 93H
By statute a breach of security means: unauthorized acquisition of unencrypted data, or encrypted electronic data along with the confidential process or key, that may compromise the security, confidentiality, or integrity of personal information by a person or entity, and that creates a material risk of identity theft.
What triggers a "notice requirement"? When an entity knows or has reason to know that personal information was acquired or used by an unauthorized person or for an unauthorized purpose.
13. What Actions Are Necessary After A Security Breach? M.G.L. c. 93H
Notice must be provided to:
- Resident or residents affected
- Attorney General & Director of Consumer Affairs
- If so instructed, consumer reporting agencies and/or identified state agencies

14. What Actions Are Necessary After A Security Breach? M.G.L. c. 93H
Notice to the resident shall include:
- Consumer's right to obtain a police report
- How to request a security freeze from consumer reporting agencies
- Necessary information to provide when requesting a security freeze
- Any fees required to be paid to the consumer reporting agencies

15. What Actions Are Necessary After A Security Breach? M.G.L. c. 93H
Notice to the Attorney General & Director of Consumer Affairs shall include:
- Nature of the breach or unauthorized acquisition
- Number of residents affected
- Any steps taken by the entity relating to the incident

16. What Actions Are Necessary After A Security Breach? M.G.L. c. 93H
Method of notice:
- Notify by regular or electronic mail
- Substitute notice if the cost of electronic notice exceeds $250,000
- Substitute notice is website posting, newspaper publication, or an electronic mail blast
Time of notice:
- As soon as practicable without delay
- No language about a number of days (although you cannot delay to benefit the company)

17. What Actions Are Necessary After A Security Breach? M.G.L. c. 93H
Additional provisions:
- Firms that use personal information for the benefit of another firm must inform their corporate clients
- Corporate clients who "own" the data must inform residents
- MA firms that suffer a breach affecting residents of other states must comply with those states' laws
- Firms outside MA that suffer a breach affecting MA residents must comply with MA notice laws
19. How To Dispose Of Records M.G.L. c. 93I
Minimum standards for proper disposal of records containing personal information are:
- Paper documents must be redacted, burned, pulverized or shredded
- Electronic media are to be destroyed or erased

21. Background – OCABR Findings
In the twelve months following the enactment of M.G.L. 93H, the OCABR received reports of over 300 incidents that compromised or threatened to compromise the personal information of over 600,000 Massachusetts residents. Sixty percent of the cases involved criminal and/or unauthorized acts, with a high frequency of laptops or hard drives being stolen. The remainder of the breaches resulted from employee error or poor internal handling of sensitive information. Approximately 75% of the reported incidents involved data that was not encrypted or password-protected.

22. 201 CMR 17.00 Summary
In October of 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a comprehensive set of final regulations establishing standards for how ALL businesses protect and store personal information about a resident of Massachusetts, whether or not that business is based in Massachusetts. The original regulations were set to take effect on January 1, 2009; however, the deadline was extended to January 1, 2010 and on August 17th was extended to March 1, 2010.
23. Complying with 201 CMR 17.00
Who must comply and penalties for not doing so....

24. Who Must Comply With 201?
Every person that owns or licenses personal information about a resident of the Commonwealth of Massachusetts. OCABR defines "owns or licenses" to mean: receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. Federally regulated financial and other entities are not exempt from MA law.

25. Is Massachusetts the Only State with such a law?
45 states, the District of Columbia, Puerto Rico and the US Virgin Islands have similar legislation, but Massachusetts is the most rigid.

26. Penalties for Non-Compliance
A civil penalty of $5,000 may be levied for each violation of M.G.L. 93H / 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal. Failure to comply with Chapter 93H or 93I may subject the offender to a suit by the Attorney General under Chapter 93A, the consumer protection law. Violations may mean triple damages, as well as attorneys' fees and legal costs.
27. Consequences of Compromise
There are many additional business impacts, including:
- Costs associated with legal actions: legal battles with issuing banks; lawsuits from states and the FTC; class-action lawsuits from consumers
- Brand impact resulting in loss of consumer and stockholder confidence
- Impact to customer relationships, possibly resulting in a loss of business
- Increased oversight internally and from external entities
- Costs of public relations

28. Costs
In addition to the penalties levied by the state you must also consider the actual costs of a data breach. The following items should be considered in calculating costs.

29. Costs
Companies experiencing a data breach spent an average of $14 million on recovery costs, including unbudgeted spending for outside legal counsel, mail notification letters, calls to individual customers, increased call center support and discounted product offers. Even more significantly, businesses that experience a data breach lose an average of 2.6% of their total customer base.

30. Costs to Brand Integrity
In 2007 lost business was 54 percent of data breach costs. A poll of more than 2,000 North American and European consumers conducted by Opinion Research Corporation found that 59% of consumers would either strongly consider or definitely take their business elsewhere if their personal information was compromised. The real punishment is brand diminishment.

31. Brand Diminishment
Media coverage of security breaches is also affecting brand integrity. According to Factiva, media coverage of companies that suffered a security breach accounted for more than half the stories written about those companies.

32. Brand Diminishment
Most significantly, an Emory University study recently confirmed that security breach events directly affect stock performance. When such events are reported, companies lose an average of 0.63% to 2.1% of their stock price value – equivalent to a loss in market capitalization of $860 million to $1.65 billion per incident! (7)
33. Will my Business Insurance cover this?
Most business owners are unaware of how information security lapses can negate their coverage entirely. This gap in coverage has the ability to put your company out of business. Failure to follow or document due care and due diligence is evidence of negligent behavior.

34. Will my Business Insurance cover this?
Your ability to show documentation that your business is doing what is required will mean the difference between having insurance cover the costs of a data breach and going bankrupt from having to pay the costs out of pocket.

35. FTC and Privacy Protection
According to Joel Winston of the FTC, the commission is currently filing cases against companies that do not utilize reasonable measures to secure private data. The FTC is employing numerous strategies to get the message to the business community about the importance of protecting consumers' private information and preventing identity theft.
37. 201 CMR 17.00
The Massachusetts regulation imposes a duty to protect personal information and provides administrative standards as well as computer security requirements. Administratively, each entity holding personal information is required to enact a Comprehensive Information Security Program (CISP) compliant with the regulations.

38. 201 CMR 17.00 - Overview
The minimum requirements for an information security program are broken down into two main categories: requirements applicable to personal information generally and requirements applicable to personal information in electronic form.

39. Requirements Applicable To Personal Information Generally
All comprehensive information security programs must include the following:
- Designated employee
- Identify risks
- Off-premises access practice
- Disciplinary measures
- Terminated employee policy
- Third-party service providers policy
- Limited access
- Physical access
- Review of information security program
- Addressing data incidents

40. Requirements Applicable To Personal Information In Electronic Form
All information security programs must include the following, as it relates to electronic personal information:
- User authentication protocols. Authentication must involve: the control of user IDs; use of passwords; control of password data; restricting access to active users on active accounts; and blocking access after multiple incorrect login attempts
- Secure access control measures
- Encryption of transmitted records
- Monitoring of systems
- Laptop encryption
- Security patches and firewall protection
- Anti-virus software
- Education and training
41. Comprehensive Information Security Program Requirements (CISP)
- Develop a security program, designate an employee to manage it, and discipline employee violators;
- Assess internal and external security risks and the effectiveness of current safeguards, upgrading as necessary;
- Train employees regarding security;
- Institute security policies for employees that meet certain specified standards;
- Prevent terminated employees from gaining access to personal information;

42. Comprehensive Information Security Program Requirements (CISP)
- Ensure that service providers are capable of protecting personal information;
- Limit the amount of personal information collected, how long it is kept, and restrict access on a need-to-know basis;
- Identify records containing personal information, or treat all records as if they did;
- Regularly monitor employee access to personal information;
- Review security measures annually, take corrective action when necessary and document action taken in response to security breaches; and
- Restrict physical access to records containing personal information.

43. Additional Elements for Electronic Records
- Establish user authentication protocols that include control of user IDs and a secure method of assigning passwords (including prohibiting use of vendor-supplied default passwords) or other unique identifiers such as token devices;
- Make sure the password location does not compromise the security of the data it protects, restrict access to active users only and block access after multiple unsuccessful attempts;
- Restrict access to personal information on a need-to-know basis;
- Periodic system monitoring for signs of unauthorized use or access;
- Reasonably up-to-date malware protection and virus definitions.
45. M.G.L. c. 93H / 201 CMR 17.00 Details
Every comprehensive information security program shall include, but shall not be limited to:
- Designating one or more employees to maintain the comprehensive information security program;
- Identifying and assessing reasonably foreseeable internal and external risks to security;
- Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records;
- Imposing disciplinary measures for violations of the comprehensive information security program rules;
- Preventing terminated employees from accessing records containing personal information;
- Taking all reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information.

46. M.G.L. c. 93H / 201 CMR 17.00 Details
- Limiting the amount of personal information collected;
- Reasonable restrictions upon physical access to records containing personal information;
- Regular monitoring to ensure that the comprehensive information security program is operating;
- Reviewing the scope of the security measures at least annually;
- Documenting responsive actions taken in connection with any incident involving a breach of security.

47. M.G.L. c. 93H / 201 CMR 17.00 Details
Computer System Security Requirements: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:
- Secure user authentication protocols including:
  - control of user IDs and other identifiers;
  - a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
  - control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
  - restricting access to active users and active user accounts only; and
  - blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

48. M.G.L. c. 93H / 201 CMR 17.00 Details
- Secure access control measures that:
  - restrict access to records and files containing personal information to those who need such information to perform their job duties; and
  - assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
- Reasonable monitoring of systems for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices.

49. M.G.L. c. 93H / 201 CMR 17.00 Details
- For files containing personal information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
- Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
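The user authentication elements listed on slides 40 and 47-48 (control of user IDs, password data stored so it does not compromise the data it protects, no vendor-supplied default passwords, access only for active accounts, and lockout after multiple unsuccessful attempts) map directly onto a small authentication store. The following Python is an added illustration written for this page, not TBG Security's or the regulation's own code; the lockout threshold, the iteration count and the list of default passwords are constructed values, since 201 CMR 17.00 names the controls but sets no numbers.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed policy values: 201 CMR 17.04 names these controls but sets no numbers.
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default"}  # constructed sample list

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes           # only a salted hash is stored, never the password itself
    active: bool = True      # set to False when an employee is terminated
    failed_attempts: int = 0
    locked: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored password data cannot be used directly as a credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

class AuthStore:
    def __init__(self):
        self.accounts = {}  # unique user ID -> Account

    def create(self, user_id: str, password: str) -> None:
        # Unique identification plus a password that is not a vendor-supplied default.
        if password.strip().lower() in VENDOR_DEFAULT_PASSWORDS:
            raise ValueError("vendor-supplied default password rejected")
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def deactivate(self, user_id: str) -> None:
        # Terminated employee: the record stays for audit purposes but can no longer log in.
        self.accounts[user_id].active = False

    def login(self, user_id: str, password: str) -> str:
        # Returns an internal result code; the user-facing message should not distinguish failures.
        acct = self.accounts.get(user_id)
        if acct is None:
            return "unknown_user"
        if not acct.active:
            return "inactive"          # access restricted to active users and active accounts
        if acct.locked:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0   # a successful login clears the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True         # block the user ID after multiple unsuccessful attempts
            return "locked"
        return "bad_password"
```

Unlocking a locked account, password rotation and the monitoring of failed-login events belong to the "reasonable monitoring of systems" element and are left outside this example.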
50. Compliance Deadline
Under the new deadline structure, the general compliance deadline for 201 CMR 17.00 has been extended to March 1, 2010.

51. 201 CMR 17.00: Enforcement
It is not yet clear how the state will approach enforcement initially, although in similar circumstances (including the passage of Chapter 93H itself), government officials have expressed a willingness to become increasingly stringent about enforcement with the passage of time. Businesses that miss the deadline or otherwise fall short of the standard set by the regulations will run a considerable and steadily increasing risk.
53. Your Partner For Success
TBG Security consultants have years of experience helping customers comply with state and federal business and privacy regulations. We are able to assist your organization with all aspects of compliance with these and other information security-related business regulations.

54. TBG Security Will Help By...
- Performing an audit to determine your current level of compliance with these new business regulations
- Creating a Comprehensive Information Security Policy
- Advising you on the specific steps needed to achieve compliance
- Deploying and supporting security infrastructure to automatically encrypt email messages
- Performing initial setup and training on software to encrypt your laptops and other mobile devices
- Updating and supporting your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code
- Identifying and recommending remediation for vulnerabilities present in your systems

57. Contact Info
Kevin Gorsline, VP Business Development
O: 877.223.6651 x707
C: 781.820.9032
E: kgorsline@tbgsec.com
TBG Security, 31 Hayward Rd, Franklin, MA 02038
www.tbgsec.com