COMMENTARY. Information JONES DAY

Similar documents
201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Employee Security Awareness Training Program

Frequently Asked Question Regarding 201 CMR 17.00

New Data Protection Laws

Data Compromise Notice Procedure Summary and Guide

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Checklist: Credit Union Information Security and Privacy Policies

Regulation P & GLBA Training

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

SECURITY & PRIVACY DOCUMENTATION

Summary Comparison of Current Data Security and Breach Notification Bills

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Presented by: Jason C. Gavejian Morristown Office

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Keeping It Under Wraps: Personally Identifiable Information (PII)

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

University of Pittsburgh Security Assessment Questionnaire (v1.7)

EU Data Protection Agreement

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Annual Report on the Status of the Information Security Program

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Morningstar ByAllAccounts Service Security & Privacy Overview

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Department of Public Health O F S A N F R A N C I S C O

THE CCPA AND PREPARING FOR STATE PRIVACY LEGISLATION. Nathan Taylor Morrison & Foerster LLP

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Integrating HIPAA into Your Managed Care Compliance Program

Department of Public Health O F S A N F R A N C I S C O

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Red Flags Program. Purpose

Why you MUST protect your customer data

01.0 Policy Responsibilities and Oversight

Eco Web Hosting Security and Data Processing Agreement

Privacy & Information Security Protocol: Breach Notification & Mitigation

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Identity Theft Prevention Policy

HPE DATA PRIVACY AND SECURITY

Motorola Mobility Binding Corporate Rules (BCRs)

Terms and Conditions 01 January 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

University Policies and Procedures ELECTRONIC MAIL POLICY

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

ADIENT VENDOR SECURITY STANDARD

IMPROVING COMPLIANCE IN THE FACE OF COMPLEX PRIVACY AND SECURITY REGULATIONS

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS

COMMENTARY. The New EU Cybersecurity Directive: What Impact on Digital Service Providers? Relevant Terms

PS Mailing Services Ltd Data Protection Policy May 2018

Element Finance Solutions Ltd Data Protection Policy

VIACOM INC. PRIVACY SHIELD PRIVACY POLICY

Putting It All Together:

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Beam Technologies Inc. Privacy Policy

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Financial Regulations, Enforcement & Cybersecurity

Security Breaches: How to Prepare and Respond

Acceptable Use Policy

Information Security Data Classification Procedure

NY DFS Cybersecurity Regulations August 8, 2017

Learning Management System - Privacy Policy

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

Seven Requirements for Successfully Implementing Information Security Policies and Standards

GM Information Security Controls

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Emsi Privacy Shield Policy

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Security and Privacy Breach Notification

IAM Security & Privacy Policies Scott Bradner

New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON

Baseline Information Security and Privacy Requirements for Suppliers

Client Alert: Significant WiFi vulnerability exposed

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

Commercial Vehicle Mobile ANPR Policy

Privacy Breach Policy

Customer Proprietary Network Information

CD STRENGTH LLC. A MASSACHUSETTS, USA BASED COMPANY

PPR TOKENS SALE PRIVACY POLICY. Last updated:

Acceptable Use Policy

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Cybersecurity in Higher Ed

HIPAA Security Manual

Information Security Policy

by Robert Hudock and Patricia Wagner April 2009 Introduction

Transcription:

February 2010 JONES DAY COMMENTARY Massachusetts Law Raises the Bar for Data Security On March 1, 2010, what is widely considered the most comprehensive data protection and privacy law in the United States 201 C.M.R. 17: Standards for the Protection of Personal Information of Residents of the Commonwealth (the Massachusetts Standards ) will take effect. This regulation issued by the Department of Consumer Affairs and Business Regulation pursuant to Massachusetts General Law Chapter 93H will require every business that licenses or owns personal information of Massachusetts residents to comply with the minimum security standards set forth in the regulation. Although a number of states have enacted legislation that mandates the protection of personal information, the Massachusetts Standards are the most onerous of the state data security regulations and will be the gold standard going forward. Many of the data security regulations of these other states do not even prescribe the standards of security beyond meeting a reasonable standard or what is appropriate to the nature of the information. However, the Massachusetts Standards not only detail the specific elements that each business s information security program should contain, but go one step further to require, where technically feasible, the encryption of personal information stored on portable devices and personal information transmitted across public networks or wirelessly. The floor for data security standards for Massachusetts-based companies and companies that maintain personal information about Massachusetts residents will be set by the Massachusetts Standards. Standards for Protecting Personal Information The Massachusetts Standards require any natural person or entity (excluding the Massachusetts government and any natural person not engaged in commerce) that owns or licenses personal information of a Massachusetts resident to implement a written information security program ( WISP ) with appropriate administrative, technical, and physical safeguards. 1 Such safeguards must be consistent with 2010 Jones Day. All rights reserved. Printed in the U.S.A.

those set forth in state and federal regulations to which a business is subject, including data breach notification laws, HIPAA, and the Gramm-Leach-Bliley Act. The Massachusetts Standards define personal information as a Massachusetts resident s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident s financial account. The Massachusetts Standards exclude from the definition any information lawfully obtained from publicly available information or from government records available to the general public. 2 The Massachusetts Standards adopt a risk-based approach to information security, meaning that a business should take into account the particular business [s] size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security in implementing its WISP. 3 The regulation does not prescribe a one-size-fitsall approach and allows small businesses that do not store or transfer large amounts of personal information to adopt less stringent requirements in their WISPs. Written Information Security Program Requirements The Massachusetts Standards set forth the following specific requirements that each WISP should contain: 1. The designation of at least one employee to maintain the WISP; 2. The assessment of risks to the security of records containing personal information, and improvement of safeguards to mitigate such risks, including employee training and detection and prevention of security system failures; 3. Disciplinary measures for violations of the WISP and safeguards for preventing terminated employees from accessing records containing personal information; 4. The development of security policies for the storage, access, and transportation of records containing personal information outside of business premises; 5. The implementation of reasonable restrictions upon physical access to records containing personal information, and the storage of such records and data in locked facilities, storage areas, or containers; 6. Monitoring the WISP s effectiveness in preventing unauthorized access to or use of personal information; 7. The review of the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably affect the security or integrity of records containing personal information; and 8. The documentation of responsive actions to any security breach incidents and of post-incident review of events and actions taken to change business practices. 4 In addition, businesses are required to limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and to limit the time such information is retained to that reasonably necessary to accomplish such purpose. 5 Computer System Security Requirements and Data Encryption Each business s WISP must also establish a computer security system with minimum standards for information security protocols to the extent technically feasible. The term technically feasible means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used. 6 The information security protocols that must be implemented, if technically feasible, include: 1. Secure control of user identifiers and passwords for authentication purposes; 2

2. Lock-out processes for inactive users or unsuccessful log-in attempts; 3. Limiting access to personal information to those persons who are reasonably required to know such information; 4. Up-to-date firewall protection and operating system security patches for systems connected to the Internet; 5. Up-to-date versions of system security agent software, including malware protection, patches, and virus definitions; and 6. Education and training of employees on the proper use of the computer security system. 7 However, the most significant of these protocols is the requirement to encrypt, where technically feasible, all records and files containing personal information that are transmitted across public networks or wirelessly and all personal information stored on laptops or other portable devices, including backup tapes, on a prospective basis (and existing tapes being transported, if possible). 8 Although Nevada has also adopted regulations that require encryption of transmitted and stored personal information, the scope of the requirement in the Massachusetts regulation is broader than that of Nevada s. The Nevada regulation mandates encryption of personal information on data storage devices that are moved beyond the logical or physical controls of the business, while the Massachusetts Standards require encryption of personal information on portable devices even if such devices do not leave the premises of the business. 9 Both regulations obligate businesses to encrypt personal information when transmitted outside the secure systems of the businesses, but the Massachusetts Standards also require encryption of any personal information transmitted wirelessly in any location. 10 The Massachusetts Standards define encrypted as transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key. 11 The data must be altered into an unreadable form, and mere password protection does not meet this requirement. 12 Any personal information sent via email must be encrypted if technically feasible, and if not, then alternative methods to communicating personal information, such as establishing a secure web site, should be considered. 13 Interestingly, few, if any, generally accepted encryption technologies exist for most portable devices (except laptops), and as a result, businesses arguably have an excuse for not encrypting personal information on such devices until technology catches up with the law. 14 Regardless, businesses should consider ways to prevent personal information from being placed at risk on such devices. Contracts with Third-Party Service Providers Another aspect of the Massachusetts Standards that is garnering some attention is the requirement that all service providers must be contractually bound by March 1, 2012, to maintain appropriate security measures to protect personal information consistent with the Massachusetts Standards and any applicable federal regulations. Contracts that were entered into with service providers prior to March 1, 2010, are not required to include such obligations, but for service providers retained after March 1, 2010, businesses must take reasonable steps to select service providers that are capable of maintaining such security measures. 15 In the near term, this obligation will likely affect the pricing of thirdparty services, as service providers are forced to implement additional safeguards, including encryption technologies, to comply with the Massachusetts Standards and future similar regulations. This service provider provision in the Massachusetts Standards is modeled after the service provider provision in the FTC s Safeguards Rule. 16 Enforcement Enforcement of the Massachusetts Standards will be carried out by the Attorney General of Massachusetts. Actions for injunctive relief and civil penalties of not more than $5,000 per violation (plus the reasonable costs of investigation and litigation) may be brought for any violations of the regulation. 17 Enforcement is less likely against businesses that promptly and fully cooperate following a security incident, that can prove the incident was inadvertent, and that can demonstrate compliance with industry best practices for data protection. 18 Factors that the 3

Attorney General s office will consider in determining whether to take enforcement action include the specifics of the breach, how many Massachusetts residents may be affected, signs of intentional criminal theft, the size of the business and resources available to it, adherence to the business s WISP, and the technical feasibility of implementing measures to prevent the breach. 19 Future Implications The Massachusetts Standards will have a widespread effect on how business is conducted by companies throughout the United States and how services are provided by thirdparty vendors. Even though the regulation only reaches to the personal information of Massachusetts residents, many businesses operating outside of Massachusetts possess such information. And, although it will directly affect the way data is protected, perhaps the most far-reaching effect that this regulation will have is serving as a watershed for similar legislation to be adopted in other states. By joining Nevada in adopting laws that mandate the encryption of personal information, Massachusetts is creating momentum that other states may ride to enact their own encryption laws. States like Michigan, Washington, and New York have considered, or are currently considering, data security legislation with encryption requirements. If the adoption of encryption regulations follows the same course as that of data breach regulations, it will not be long before many more states follow the lead of Nevada and Massachusetts, and the result could have lasting repercussions on the day-to-day operations of virtually every business. Lawyer Contacts For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our Contact Us form, which can be found at www.jonesday.com. Kevin D. Lyles +1.614.281.3821 kdlyles@jonesday.com Mauricio F. Paez +1.212.326.7889 mfpaez@jonesday.com Alfred Cheng +1.214.969.3723 acheng@jonesday.com 4

Endnotes 1 201 Mass. Code Regs. 17.03(1) (2009). 2 201 Mass. Code Regs. 17.02 (2009). 3 Commonwealth of Massachusetts Office of Consumer 4 201 Mass. Code Regs. 17.03(2) (2009). 5 Commonwealth of Massachusetts Office of Consumer 6 Id. 7 201 Mass. Code Regs. 17.04 (2009). 8 Commonwealth of Massachusetts Office of Consumer 9 Compare S.B. 227, 2009 Leg., 75th Sess. (Nev. 2009), with 201 Mass. Code Regs. 17.04(5) (2009). 10 Compare S.B. 227, 2009 Leg., 75th Sess. (Nev. 2009), with 201 Mass. Code Regs. 17.04(3) (2009). 11 201 Mass. Code Regs. 17.02 (2009). 12 Commonwealth of Massachusetts Office of Consumer 13 Id. 14 Id. 15 201 Mass. Code Regs. 17.03(2)(f)(2) (2009). 16 Commonwealth of Massachusetts Office of Consumer 17 Mass. Gen. Laws ch. 93A 4 (2006). 18 Eric B. Parizo, MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation, SearchSecurity.com, Jan. 28, 2010, available at http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1379916,00.html. 19 Id. Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback