Massachusetts Privacy White Paper

Technology is a set of tools that can increase your company’s profitability, productivity and success or it can be a huge drain on your resources and a headache that won’t go away.

This white paper is by no means a substitute for reading the regulations yourself. However it can be a useful overview that can give you the general outlines and help you determine what steps you need to take.

1. When do the new regulations go into effect?

Mar 1, 2010

2. Where can I find the details of the regulation?

The Office of Consumer Affairs and Business Regulation website
(http://www.mass.gov/consumer) contains the complete text of the regulation
(http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf) as well as a helpful
FAQ and compliance checklist
(http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf). Email us at ISD
and we will be happy to send you a copy of the latest version of these documents.

3. What is the Office of Consumer Affairs and Business Regulation (OCABR) trying to achieve with these new regulations?

According to Shannon Choy-Seymour, Assistant Attorney General in the Consumer Protection Division of the Massachusetts Attorney General’s Office they have 3 goals with these regulations

• Requiring businesses to better protect Massachusetts residents’ personal information
• Requiring businesses to notify consumers if any unauthorized use or access of their personal information occurs
• Giving consumers enhanced safeguards to prevent identification thieves from opening credit accounts in their name – in other words making it easier for consumers to implement a security freeze so no one can open new credit accounts in their name.

4. When do the new regulations go into effect?

Personal Information is defined as “a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

• Social Security number
• Driver’s license number or state-issued identification card number
• Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.”

Important Note: This includes your employees’ information. So even if you don’t acquire personal information from consumers, you probably have your employees’ Social Security Numbers. That information is covered under these regulations.

Important Note: This includes paper records, not just electronic data.

5. What is required of businesses?

• You must create a Written Information Security Policy (WISP)
• You must designate 1 or more employees as the Information Security Manager. This person is responsible for maintaining the information security program.
• You must review the scope of the WISP at least annually and whenever there is a material change in your business practice that may affect the security or integrity of the personal information records.
• You must document responsive actions taken in response to any breach of security, and you must have a post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
• Business must assess reasonably foreseeable security risks. You must know what the risks are and have a plan for protecting against them.

6. What policies are required to be in the WISP?

• The WISP must contain the details of your security processes – what steps you take to protect personal information.
• You must designate 1 or more employees as the Information Security Manager. This person is responsible for maintaining the information security program
• You must assess reasonably foreseeable security risks. You must know what the risks are and have a plan for protecting against them.
• Businesses must have a process for educating their employees about their security policies and practices. This process cannot be a one-time event. You must have an ongoing and recurring process so you can remind people and also educate new employees.
• Businesses must enforce the following of these policies — this means there should be disciplinary measures for violation of the policies.
• Businesses must have procedures for preventing terminated employees from having access to personal information.
• You must place reasonable restrictions upon physical access to personal information.
• You must have some reasonable system for monitoring for unauthorized use.
• Businesses must ensure 3rd party service providers who house personal information have the capacity to properly protect that data.

Important Note: If you already have a contract with a 3rd party provider your relationship with that provider is grandfathered in for 2 years. This means you are not required to require the 3rd party to protect this information for 2 years from the date the regulations go into effect. If you sign a new agreement with a 3rd party you must ensure they can protect this information.

7. What are you required to do if you determine you had a breach?

• Contact the Attorney General’s Office and The Office of Consumer Affairs and let them know the nature of the breach, the number of affected consumers, and the steps you are taking to prevent such a breach from happening again
• Notify the affected consumers of
• Their right to file a police report in county where live or county where the breach occurred
• That they can request a security freeze
• Information they need to provide to credit bureaus for security freeze
• Fees they pay for security freeze (in MA it is $5.00)
• DO NOT include nature of breach and number of affected consumers

8. What will the Attorney General’s Office do if they find you had a breach

If the state learns of a breach they will decide whether to notify the FTC, the US secret service, United States Attorney General’s office, and the cybercrime division of the FBI. They will provide guidance to companies who have had a breach. They will also decide whether to bring enforcement action based on Chapter 93A and 93H of the General Law of Massachusetts. The attorney’s general’s office will look beyond strict compliance. In their own words they are “not out to play gotcha.” They especially look for elements of deceptiveness, unfairness. Some of the questions they will ask are:

• Was the data compromised because it was collected and used for purposes not disclosed to users?
• Did the owner of the data who knew of the breach fail to notify the Attorney General’s office, Office of Consumer Affairs, and consumers of the breach, or of an event wherein personal information was acquired by an unauthorized person or for unauthorized use?
• Did the owner of the data make false or misleading representations of the security of the data?
• Was data stored in a manner that was reasonably protected?
• Did the owner of data have adequate policies in place AND were they followed

The Attorney General’s office will take into account size and nature of the business, the resources available to that business and the nature of data stored.

9. What penalties are defined in the regulations?

There are no specific penalties defined in the new regulations. However under chapter 93A of the Massachusetts General Laws there is a potential penalty of $5,000 per person affected.

10. What are some specific technical requirements in the new regulations?

• Personal Information must be encrypted when it travels outside of your office. So that means if it goes over a wireless network, over the internet, via email, or is stored on a device such as a laptop or other portable devices such as PDAs.

Important Note: The best solution is not to let personal information get out of the office unless absolutely necessary and to restrict the manner in which personal information can leave your office to 1 or possible 2 methods only. For example via encrypted email or on a laptop with an encrypted hard drive. Note the regulations do NOT require that you encrypt the data inside your systems. But ISD recommends it. Think about all the ways electronic information could get out of your office. Here is our partial list: email, FTP, web access, hacker into your network, wireless network, laptop, PDA, external hard drive, thumb drive, internal hard drive from a PC or server, CD, DVD, Desktop PC or server (stolen), Desktop PC or server (taken home for use or repair by an employee), backup tape, and online backups. That is why we feel the best protection is to implement an encryption program for the data while it resides on your systems so that even if it leaves your office, whether intentionally or not, it is still protected.

• Your computers must be protected by “Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions.” So be sure all your systems are protected by AV software. And be sure the SW is automatically downloading and installing updates and new virus definitions. This calls for a way to enforce and monitor AV updates.
• Your computers must be reasonably up to date with operating system updates and security patches. This means just relying on users to remember to update their systems is not good enough. You should enforce and monitor Windows updates.
• Secure user authentication protocols including:

1) Control of user IDs and other identifiers;

2) “a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices”

Important Note: In our experience passwords are the weak link in most security systems. This means no more “everyone has the same password so we can always log into any PC.” And no more passwords that are “password” or “welcome”. This will put a bit more of a burden on your employees and may meet with some resistance so be prepared to explain why this is necessary. Also you must have a good password management process in place so that users are not frequently blocked from accessing systems they need due to password issues.

Important Note: Although the regulations do not specifically call for it having a password policy that requires users to change passwords regularly is a recommended practice. We recommend no more frequently that once per quarter (users get annoyed if it is too frequent) and no less frequently than once every 6 months.

3) “control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.” In other words it is no good having the secure password assigning process above if you are going to store those passwords unprotected in an easily accessible location.

4) “restricting access to active users and active user accounts only”. Only provide access to people who really need it and once someone is no longer actively requiring access to the personal information you must terminate their access.

5) Blocking access after multiple unsuccessful attempts – in other words a password lockout policy.

6) “Reasonable monitoring of systems, for unauthorized use of or access to personal information.” This is a vague requirement that could mean many things. In our opinion, it doesn’t seem to us that the OCARB is asking every business to implement a full-blown Intrusion Detection System. The logs kept by a commercial-grade firewall such as Cisco or Sonicwall may suffice for many businesses (again the nature of your business, and thus the type, amount, and scope of personal information you keep factor into what level of protection you need).

We at ISD applaud the Office of Consumer Affairs and Business Regulations for taking this step to protect all of our personal information. Complying with these regulations does not have to be difficult or expensive. But it is not free. There will be time and probably some expenditure required. Some of the expense and effort is in the area of technology. But most is actually around your business processes. These regulations force you to take a close look at the data you collect and how you manage access to that data.

Remember the best advice we can give: Don’t collect the personal information in the first place. Do you really need to collect and store that information? If you can find a way to conduct your business normally without collecting personal information then we highly recommend you do that. You will sleep easier at night.