Published by: gesmer on Nov 08, 2008
New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses
40 Broad Street, Boston, MA 02109 • 617.350.6800 • Gesmer.com
November 2008
Table o Contents
About the
Massachusetts LawAbout the New
Massachusetts’ Data Security BreachNotifcation Law, Chapter 93H
October 31, 2008 marked the one-year anniversary of the Massachusetts law requiring notification of individuals victimized by data security breaches. The statute, Chapter 93H of the Massachusetts General Laws, is one of 46 such laws in the United States, and its terms are largely consistent with other states’ laws. Chapter 93H generally requires an individual, business or governmental agency with “personal information” relating to a state resident to provide notice in the event of a data security breach. “Personal information” is defined as the name of a Massachusetts resident in combination with her Social Security number; driver’s license or state ID number; financial account number; credit card number or debit card number. Basically, notification is required when personal information (either in unencrypted form, or in encrypted form with its key) has been used for an unauthorized purpose, or has been acquired by an unauthorized person. The statute also calls for the implementation of regulations for the purpose of protecting the security, confidentiality and integrity of Massachusetts residents’ personal information.
New Regulations To Protect Personal Information
The Massachusetts Department of Consumer Affairs and Business Regulations recently issued regulations in response to Chapter 93H’s edict. Unlike the Commonwealth’s approach to the statute itself, however, the regulations represent a substantial departure from what has come before, and they impose potentially significant requirements that in many ways surpass what is required elsewhere in the country. These regulations, which may be found at 201 Code of Massachusetts Regulations (CMR) 17, are presently scheduled to become effective on January 1, 2009.

At their core, the new regulations call for any person (which includes corporations and partnerships, but not government bodies) who “owns, licenses, stores, or maintains personal information” about a Massachusetts resident to develop and implement a written “comprehensive data security program.” This ominous-sounding “information security program” requirement is not merely an amorphous obligation to be proactive in the care and maintenance of personal data. The regulations provide an extensive (though not exhaustive) list of items that must be included in the program. They provide that the manner in which these items are implemented is dependent upon the following factors:
• the size, scope and type of business involved;
• the resources available to it;
• the amount of stored data;
• the need for security and confidentiality.
In the abstract, this makes sense. But, as is evident from the detailed standards imposed for such information security programs, even the smallest businesses must shoulder a considerable load in safeguarding personal data. Those who believe that they can safely ignore the regulatory regimen because only a modest amount of personal data is at issue, or because few employees are available to specifically focus on this new mandate, do so at great risk. Those minimum requirements for an information security program are broken down into two main categories: requirements applicable to personal information generally, and requirements applicable to personal information in electronic form.
General Inormation SecurityProgram Requirements
All information security programs must include the following:

a. Designated employee. The program must designate one or more employees to maintain the information security program. We recommend that a single individual be designated, although multiple persons may well be tasked with responsibilities relating to its implementation. Note that the requirement is not purely a technical one; smaller organizations may want to think twice before simply assigning this to the person with the most technical expertise. The role is, at its core, a policy creation and implementation one, and effectively requires even the most modest organizations to create a position resembling a Chief Privacy Officer.

b. Identify risks. The program must identify and assess “reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of…personal information.” In addition it must provide for evaluating and improving the effectiveness of those efforts. This section must involve employee training, as well as methods of detecting and preventing security system failures. While the threat analysis will vary widely from one situation to the next, the regulations give insight to what the government expects in the mitigation of risk. Here, particular attention should be given to how each and every employee (or contractor) will be included in the program’s implementation, whether through training or otherwise. Training programs should be formalized, and records kept to evidence full participation of the workforce.

c. The information security program must include policies for addressing whether and how employees are permitted to use personal information “outside of business premises.” In general, the best approach here is to prohibit all but specified classes of employees from accessing or transporting personal information from the field. Those with particularized needs should be allowed such access only to the extent necessary for them to perform a necessary job function. Such records (whether in paper or electronic form) should be physically kept with and by the employee, locked in a secure cabinet or room, or maintained electronically in an encrypted form. In the telecommuting context, companies should give thought to VPN, Citrix or other technologies that secure electronic access between on-site and off-site computing devices. While these measures impose an added cost, providing unencrypted transmission of personal information data over the Internet is problematic, and at odds with the regimen mandated by the state.

d. Disciplinary measures. The program must provide that employees are subject to disciplinary measures for violations of the program rules. This is intended to ensure that all employees take the policy seriously, and disciplinary measures should be consistent with that goal. The manner in which this is incorporated into the information security program should allow for significant flexibility, however, in terms of the specific actions that will be taken in the event of violation.
e. Terminated employees. Terminated employees must be prevented from accessing personal information “by immediately terminating their physical and electronic access to such records.” This is generally self-explanatory. Care must be taken in those situations where an employee is separated from employment, but continues to provide transition assistance. Either employment must be extended, or safeguards imposed so that the former employee does not have direct access to the personal information at issue.

f. Third-party service providers. The program must verify that service providers “have the capacity to protect…personal information.” This involves inserting appropriate language into vendor agreements which (a) obligate the service provider to appropriately safeguard the information; and (b) maintain its own written information security program. While such requirements will become part of the standard boilerplate, complicated scenarios may arise in connection with existing long-term contracts that lack such terms, and with out-of-state service providers that have not yet assembled their own written information security programs. These must be approached on a case-by-case basis, and the relative bargaining power of the parties may well dictate the relative risk that the parties will ultimately bear here. A review of vendor contracts is essential, and should be undertaken by all businesses.

g. Limited access. The information security program must limit (a) the amount of personal information collected; (b) the length of time such information is kept; and (c) persons permitted to access such information. Information may only be kept to the extent necessary to accomplish its “legitimate purpose” or comply with applicable governmental requirements. While this concept is understandable in the abstract, implementation may well prove tricky. For example, in completing a retail transaction, may the retailer collect personal information for a legitimate but unrelated purpose? Is access by an employee for legitimate purposes unrelated to the rationale for the collection of the data permitted? Given the somewhat restricted definition of “personal information,” however, the most common question may be the extent to which persons may be permitted to retain credit and debit card numbers of customers. “Indefinitely” does not appear to be an acceptable answer any longer.

h. Identifying personal information records. The written information security program must provide for a method of identifying records and devices used to store personal information (unless records are treated as personal information). Carefully implemented systems used to segregate personal information address this requirement. This may well require a reworking of databases and other established data processes, however, and must be carefully considered on a process-by-process basis.

i. Physical access. The program must impose reasonable restrictions on physical access to records containing personal information.