View the online version at http://us.practicallaw.com/7-523-1520

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation
Melissa J. Krasnow, Dorsey & Whitney LLP

A Note discussing written information security programs (WISPs) under the Massachusetts data security regulation (Mass. Regs. Code tit ). The Note also discusses reasons for adopting a WISP, preliminary considerations and enforcement actions by the Massachusetts Attorney General.

The Massachusetts data security regulation (Mass. Regs. Code tit ) (Massachusetts Regulation) contains the most stringent and detailed data security requirements imposed on organizations by any state to date. Massachusetts is the first and only state to require covered organizations to adopt a comprehensive written information security program (WISP) incorporating specific security measures. Effective since March 1, 2010, the regulation has extensive reach, purporting to cover every organization, wherever located, that owns or licenses personal information of Massachusetts residents.

This Note focuses on developing and implementing WISPs based on the Massachusetts Regulation's requirements. It discusses:
- Preliminary considerations and steps when developing a WISP.
- The Massachusetts Regulation's requirements.
- Massachusetts enforcement actions.

Reasons for Adopting a WISP

In addition to the Massachusetts Regulation, organizations may be subject to other laws and industry standards requiring them to develop written information security programs and implement reasonable security measures (see Box, Additional Relevant US Laws, Guidance and Industry Standards). However, even where WISPs are not legally required, they are a good business practice for any organization that collects, uses, stores, transfers or disposes of personal information.

In February 2012, the Obama administration issued Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, including a Consumer Privacy Bill of Rights setting out the principle that consumers have the right to secure and responsible handling of their personal data. The consumer privacy framework in the Federal Trade Commission's (FTC) March 2012 final privacy report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, describes best practices for organizations to protect consumer privacy, including building privacy protections into everyday business practices (privacy by design). These protections include providing reasonable security for consumer data.

Because of the ongoing threat of data breaches and incidents, and the potential for significant associated legal, business and reputational costs, organizations increasingly take steps to ensure their third-party service providers and other business partners have comprehensive written information security programs (see Third-party Service Providers). These steps include contractual requirements in relevant agreements (such as purchase agreements or cloud computing services agreements). Organizations are also increasingly seeking cyber liability insurance and therefore may need to provide information about their information security programs to insurers.

Preliminary Considerations

Preliminary steps in developing and implementing a WISP include:
- Identifying reasons for adopting the WISP and its objectives (see Reasons for Adopting a WISP).
- Determining and evaluating the requirements of the Massachusetts Regulation and all other applicable laws, guidance from governmental authorities, enforcement actions and industry standards, including identifying any conflicting requirements.
- Gathering all relevant information concerning the personal information the organization collects, uses, stores and shares. This includes identifying:
  - the categories and types of personal information;
  - how the organization collects, uses, stores, transfers and destroys the personal information, and the systems and technologies the organization uses for these purposes;
  - the state (and, if not the US, the country) of residence of the individuals whose personal information the organization has;
  - the organization's third-party service providers and other business partners that have or may have access to personal information the organization holds or controls;
  - the organization's current information security procedures, practices and policies; and
  - the employees within the organization who are responsible for developing, implementing and enforcing the WISP.

Scope of the WISP

The scope and complexity of a WISP will vary depending on the organization's specific circumstances. However, two threshold issues are whether to:
- Adopt a WISP that applies to personal information of:
  - only Massachusetts residents; or
  - all personal information the organization holds.
  (See Personal Information Covered by the WISP.)
- Combine the WISP with other information security policies or maintain separate policies (see Combining with Other Privacy and Information Security Policies).

Personal Information Covered by the WISP

The organization must initially decide whether the WISP will be created to:
- Specifically comply with the Massachusetts Regulation and only apply to personal information of Massachusetts residents.
- Broadly apply to the collection of personal information from residents of other states.

Adopting a WISP that applies to all personal information the organization holds can provide administrative ease. Although not currently required by states other than Massachusetts, a comprehensive WISP reflects best practices and can help reduce the organization's risks. The organization may choose to use the Massachusetts Regulation as a baseline, but it should ensure the WISP takes into account all relevant states' privacy and data security laws, including the various definitions of personal information each state has adopted.

However, the organization may want to limit the scope of the WISP to the Massachusetts Regulation to narrow its compliance obligation. For example, where only one business unit of an organization collects Massachusetts residents' personal information, the organization may seek to keep that unit's compliance obligation separate from its other business units' obligations.

Combining with Other Privacy and Information Security Policies

Where an organization is subject to more than one set of privacy and information security requirements, it can be administratively simpler to consolidate its programs and related policies and procedures into one comprehensive policy. However, the organization may need to consider conflicting legal requirements. For example, organizations subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) must also comply with the Massachusetts Regulation. Like the Massachusetts Regulation, the GLBA Safeguards Rule requires that financial institutions develop comprehensive written information security programs to protect customer information. However, the GLBA Safeguards Rule and the Massachusetts Regulation differ in their specific requirements, for example:
- The Safeguards Rule applies only to customer information, while the Massachusetts Regulation applies to Massachusetts residents' personal information, including both customer and employee information.
- The Safeguards Rule's requirements are broader and less precise than the Massachusetts Regulation's requirements.

One advantage in keeping a WISP developed specifically for the Massachusetts Regulation separate from the organization's other information security policies is that, if the Massachusetts Attorney General or another state attorney general or regulator requests a copy of the Massachusetts WISP, the organization may be able to limit its disclosure to the Massachusetts WISP and not its other policies.

Massachusetts Regulation: General WISP Requirements

The Massachusetts Regulation requires every person that owns or licenses personal information about a Massachusetts resident to develop, implement and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards that are appropriate to:
- The size, scope and type of the person's business.
- The person's available resources.
- The amount of stored data.
- The need for security and confidentiality of both consumer and employee information.

In addition, the safeguards must be consistent with the safeguards for protection of similar personal information and information set out in any state or federal regulations that apply to that person. (Mass. Regs. Code tit (1).)

The Massachusetts Regulation also includes a set of:
- Specific WISP requirements (see Massachusetts Regulation: Specific WISP Requirements).
- Computer system security requirements for organizations that electronically store or transmit personal information (see Massachusetts Regulation: Computer System Security Requirements).
Who Must Comply?

Covered Persons

The Massachusetts Regulation applies to any person (including, for example, a corporation, association, partnership or other legal entity, as well as a natural person) that owns or licenses personal information, which includes any organization that receives, stores, maintains, processes or otherwise has access to personal information either for:
- The provision of goods or services.
- Employment.
(Mass. Regs. Code tit )

The Massachusetts Regulation applies to any person regardless of whether that person is located in Massachusetts or even in the US.

Persons Covered by HIPAA and GLBA

A person who must comply with HIPAA or GLBA also must comply with the Massachusetts Regulation.

Definition of Personal Information

The Massachusetts Regulation defines personal information as a Massachusetts resident's first name and last name, or first initial and last name, combined with one or more of that resident's:
- Social Security number.
- Driver's license number or state-issued identification card number.
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a Massachusetts resident's financial account.

The definition excludes any information lawfully obtained from either:
- Publicly available information.
- Federal, state or local government records lawfully made available to the public.
(Mass. Regs. Code tit )

Massachusetts Regulation: Specific WISP Requirements

The Massachusetts Regulation requires that every WISP include:
- Designating one or more employees to maintain the WISP (see Program Oversight).
- Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality or integrity of electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of current safeguards for limiting these risks, including:
  - ongoing employee training, including training for temporary and contract employees;
  - employee compliance with policies and procedures; and
  - means for detecting and preventing security system failures.
  (See Identifying and Minimizing Reasonably Foreseeable Internal and External Risks.)
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
- Imposing disciplinary measures for violations of the WISP's rules.
- Preventing terminated employees from accessing records containing personal information.
- Overseeing service providers by:
  - taking reasonable steps to select and retain third-party service providers capable of maintaining appropriate security measures to protect personal information consistent with the Massachusetts Regulation and any applicable federal regulations; and
  - contractually requiring them to implement and maintain these security measures.
  (See Third-party Service Providers.)
- Reasonable restrictions on physical access to records containing personal information, and storage of these records in locked facilities, storage areas or containers.
- Regular monitoring to ensure that the WISP is operated in a way reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrading information safeguards as necessary to limit risks.
- Reviewing the scope of the security measures:
  - at least annually; or
  - whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Documenting:
  - responsive actions taken in connection with an incident involving a security breach;
  - mandatory post-incident review of events; and
  - any actions taken to make changes in business practices relating to protecting personal information.
(Mass. Regs. Code tit (2).)

Program Oversight

The Massachusetts Regulation specifically requires the designation of one or more employees as the data security coordinator or coordinators to maintain the WISP. The data security coordinators are responsible for ensuring that the WISP's specific requirements are carried out, whether by them or by others (see Massachusetts Regulation: Specific WISP Requirements). The considerations in designating data security coordinators and their specific responsibilities depend on the organization's specific circumstances and may include:
- The organization's:
  - size;
  - industry; and
  - regulators.
- The types of personal information that the organization owns or maintains on behalf of another organization.
- The employees responsible for the organization's compliance with security requirements, including compliance with:
  - internal policies;
  - contracts; and
  - relevant laws and industry standards.

The organization should also consider the appropriate business units to involve in program oversight, which may include:
- Legal.
- Information technology.
- Privacy or a broader compliance unit.

Identifying and Minimizing Reasonably Foreseeable Internal and External Risks

A key requirement of the Massachusetts Regulation is identifying reasonably foreseeable internal and external risks and adopting steps to mitigate those risks. Risks vary depending on the organization's specific circumstances. Examples of common risks include:
- Inadequate personnel training (see Inadequate Personnel Training).
- Unencrypted personal information (see Unencrypted Personal Information).
- Personal information in paper format (see Personal Information in Paper Format).
- Lack of control over portable devices (see Lack of Control Over Portable Devices).

Inadequate Personnel Training

Inadequate training and education of an organization's personnel creates a reasonably foreseeable internal risk to the protection of personal information. To minimize this risk, organizations should ensure that:
- Personnel actually receive the training and have access to information about the requirements, and that the organization has the means to identify when personnel miss or fail to complete the training.
- The training and information provided sufficiently convey the data security requirements so that personnel can comprehend them.
- The organization periodically assesses compliance.

The organization should provide ongoing training and information and update them as necessary or appropriate. For example, after a data breach or incident, the organization should:
- Update training and information to include lessons learned.
- Consider additional or interim training.

Unencrypted Personal Information

Unencrypted personal information is another reasonably foreseeable external risk. The Massachusetts Regulation requires, to the extent technically feasible, encryption of all:
- Transmitted records and files containing personal information that will travel across public networks.
- Data containing personal information to be transmitted wirelessly.
- Personal information stored on laptops or other portable devices.
(See Massachusetts Regulation: Computer System Security Requirements.)

To reduce risks caused by unencrypted personal information, an organization can, for example:
- Conduct an initial inventory of all laptops and other portable devices and continuously maintain the inventory. The inventory should identify whether each device is owned by the organization or by the individual.
- Determine whether personal information is stored on the laptops and other portable devices and, if so, whether and how the information is encrypted.
- Where technically feasible, implement encryption of personal information when it is stored on portable devices or transmitted over public or wireless networks.
- Implement tools that flag emails containing designated personal information.
- Conduct ongoing training, make regular assessments and follow up on unsatisfactory results.

The Massachusetts Office of Consumer Affairs and Business Regulation advises against sending unencrypted personal information through email. It suggests instead using alternative methods to conduct transactions involving personal information, for example, by setting up a secure website that requires safeguards like user names and passwords.

Personal Information in Paper Format

Creating, maintaining, transferring and disposing of personal information in paper format creates reasonably foreseeable internal and external risks to the organization's protection of personal information.
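The email-flagging tool suggested in the Unencrypted Personal Information section above, as an added example that is not part of the original Note: a small scanner that applies the Massachusetts definition of personal information, treating a message as in scope only when a name appears together with a Social Security number, a driver's license or state ID number, or a card number that passes the Luhn check. The license number pattern, the name heuristic and the sample messages are constructed assumptions, not formats taken from the regulation.

```python
import re
from dataclasses import dataclass

# Social Security number: ddd-dd-dddd, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with optional space or dash separators; confirmed with a Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Assumed placeholder: one letter followed by eight digits. Real driver's license and
# state ID formats vary by state; substitute the formats your organization handles.
DL_RE = re.compile(r"\b[A-Z]\d{8}\b")
# Heuristic for "first name (or first initial) plus last name"; tune it for your data.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.?) [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged without copying the data."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    message_id: str
    has_name: bool
    identifiers: dict  # category -> list of masked values

    @property
    def in_scope(self) -> bool:
        # Under the regulation an identifier alone is not personal information;
        # it must be combined with the resident's name.
        return self.has_name and any(self.identifiers.values())


def find_identifiers(text: str) -> dict:
    found = {"ssn": [], "card": [], "license": []}
    for m in SSN_RE.finditer(text):
        found["ssn"].append(mask(m.group().replace("-", "")))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # drops invoice and order numbers that merely look like cards
            found["card"].append(mask(digits))
    for m in DL_RE.finditer(text):
        found["license"].append(mask(m.group()))
    return found


def classify(message_id: str, text: str) -> Finding:
    return Finding(message_id, bool(NAME_RE.search(text)), find_identifiers(text))


def flag_messages(messages: dict) -> list:
    """Return the ids of messages that should be held back or routed to a secure channel."""
    return [mid for mid, body in messages.items() if classify(mid, body).in_scope]


# Constructed sample messages (no real data).
SAMPLE_MESSAGES = {
    "m1": "Attaching the new hire form for Jane Doe, SSN 123-45-6789.",
    "m2": "Order 4111 1111 1111 1111 confirmation for J. Smith.",
    "m3": "Ticket reference 123-45-6789 logged.",
    "m4": "Invoice total 1234 5678 9012 3456 for Acme Corp.",
    "m5": "Please verify license S12345678 for M. Jones before Friday.",
}

if __name__ == "__main__":
    for mid, body in SAMPLE_MESSAGES.items():
        f = classify(mid, body)
        print(mid, "IN SCOPE" if f.in_scope else "ok", f.identifiers)
```

Findings carry the identifier masked to its last four characters, so the flag log does not itself become another unencrypted copy of the personal information.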
Examples of records containing personal information often maintained in paper format include:
- Employment-related documents.
- Customer credit card information.
- Tax, employee benefit and transaction-related documents for the organization's security holders (for example, stockholders or bondholders).

Organizations that handle personal information in paper format must follow appropriate safeguards, which may differ from those for personal information stored in electronic form. These safeguards may include, for example, requiring:
- Storage of paper records containing personal information in a secure location, for example, locked filing cabinets, and limiting access to these records to specified individuals.
- Envelopes or mailing covers without transparent windows for mailings whose contents contain personal information.
- Using a cross-cut shredder on paper records before disposal and ensuring disposal is made in accordance with applicable law, internal policies and procedures (for example, records retention policies) and any contractual requirements.

Lack of Control Over Portable Devices

An organization's lack of control over portable devices creates reasonably foreseeable internal and external risks to the organization's protection of personal information. Examples of lack of control over portable devices include:
- The failure to inventory and account for the portable devices of the organization and of individuals that are used for business ("bring your own device").
- Lack of policies and procedures regarding use of portable devices for business purposes.
- The failure to properly implement and enforce policies and procedures concerning portable devices.

The Massachusetts Regulation specifically requires:
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises (see Massachusetts Regulation: Specific WISP Requirements).
- Creating and maintaining a security system covering its computers (including any wireless system) (see Massachusetts Regulation: Computer System Security Requirements).

Third-party Service Providers

The Massachusetts Regulation requires that the WISP include the oversight of third-party service providers, including contractually requiring third-party service providers to implement and maintain appropriate measures for protecting personal information. Organizations should:
- Identify their applicable existing third-party service providers and, if necessary, amend their contracts to ensure compliance (see Amending Existing Contracts). March 1, 2012 was the compliance date for third-party service provider contracts entered into on or before March 1, 2010. Contracts entered into after March 1, 2010 must be in compliance immediately.
- Conduct data security due diligence on their third-party service providers (see Due Diligence).
- Include specific requirements in new third-party service provider agreements involving personal information that address the Massachusetts Regulation and other data security matters (see Key Contract Requirements).

The organization should conduct ongoing training for personnel with responsibility for the organization's third-party service provider contracts to ensure that its personnel are aware of and comply with the Massachusetts Regulation.

Amending Existing Contracts

The organization may need to amend its existing contracts to ensure compliance with the Massachusetts Regulation. The organization should closely monitor responses to its requests to amend existing contracts to determine which contracts have been amended and track the status of third-party service provider contracts.

Due Diligence

Organizations should conduct due diligence on their third-party service providers' information security practices. Due diligence should include requesting and reviewing information on:
- The third-party service provider's data security and disaster recovery policies and procedures.
- Data security audit reports concerning the third-party service provider's information security program.
- Details of any actual or potential security breaches or incidents affecting the third-party service provider.

The organization should also consider speaking with existing clients of the third-party service provider.

Key Contract Requirements

The Massachusetts Regulation requires organizations to contractually require their third-party service providers to implement and maintain appropriate measures for protecting personal information. Generally, the organization should consider contract provisions that address:
- General and specific security requirements and procedures that the third-party service provider must maintain.
- The third-party service provider's ongoing compliance with applicable privacy and data security laws, including the Massachusetts Regulation.
- The organization's right to audit the third-party service provider's security procedures and policies.
- The organization's right to:
  - terminate the contract for material breaches; and
  - other remedies, for example, indemnification for losses arising out of the third-party service provider's failure to comply with its data security obligations.
- Secure disposal or return of the personal information to the organization on the agreement's termination or expiration.
- Requirements if the third-party service provider suspects or experiences a breach or an incident, such as immediately notifying the organization.

For sample contract clauses, see Standard Clauses, Data Security Contract Clauses for Service Provider Arrangements (Pro-customer (

Massachusetts Regulation: Computer System Security Requirements

The Massachusetts Regulation sets out additional requirements for computer security that, as a practical matter, apply to most organizations. If the organization stores or transmits personal information electronically, the WISP must include the establishment and maintenance of a security system covering its computers (including any wireless system) that at a minimum includes, to the extent technically feasible:
- Secure user authentication protocols, including:
  - control of user IDs and other identifiers;
  - a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, like biometrics or token devices;
  - control of data security passwords to ensure they are kept in a location or format that does not compromise the security of the data they protect;
  - restricting access to active users and active user accounts only; and
  - blocking access to user identification after multiple unsuccessful attempts to gain access, or limiting access for the particular system.
- Secure access control measures that:
  - restrict access to records and files containing personal information to those who need the information to perform their jobs; and
  - assign unique identifications and passwords that are not vendor-supplied default passwords to each person with computer access, reasonably designed to maintain the integrity of the security of access controls.
- Encryption of all:
  - transmitted records and files containing personal information that will travel across public networks;
  - data containing personal information to be transmitted wirelessly; and
  - personal information stored on laptops or other portable devices.
- Reasonable monitoring of systems for unauthorized use of or access to personal information.
- Reasonably up-to-date firewall protection and operating system security patches for files containing personal information on systems that are connected to the internet, reasonably designed to maintain the integrity of the personal information.
- Reasonably up-to-date versions of system security agent software that includes malware protection and reasonably up-to-date patches and virus definitions, or a version of this software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Employee education and training on the proper use of the organization's computer system security and the importance of personal information security.
(Mass. Regs. Code tit )

Meaning of "Technically Feasible"

The Massachusetts Regulation requires implementation of its computer system security requirements only if they are "technically feasible." According to guidance from the Massachusetts Office of Consumer Affairs and Business Regulation, this means that if there is a reasonable means through technology to accomplish a required result, the organization must use it.

Encryption

Under the Massachusetts Regulation, encryption means the transformation of data into a form where meaning cannot be assigned without the use of a confidential process or key. The data must be altered into an unreadable form. Password protection that does not alter the condition of the data is not encryption. The definition of encryption is intended to be technology neutral and to take into account new developments in encryption technology.

Additional Relevant US Laws, Guidance and Industry Standards

Other relevant US laws, guidance, enforcement actions and industry requirements include:
- GLBA. The GLBA Safeguards Rule requires financial institutions to develop a comprehensive written information security program to protect customer information.
- HIPAA. The Security Rule establishes standards to protect electronic protected health information that is created, received, used or maintained by a covered entity or a business associate.
- State security procedures laws. In addition to Massachusetts, several other states (for example, California and Texas) have laws requiring organizations to implement and maintain reasonable security practices and procedures regarding personal information.
- State guidance. In 2014, the California Attorney General issued a guide titled Cybersecurity in the Golden State with recommendations for small to mid-sized businesses about managing cybersecurity risks.
- FTC enforcement actions. The FTC has brought data security enforcement actions under Section 5 of the Federal Trade Commission Act against organizations for failing to take reasonable security measures. As part of its settlements of these enforcement actions, the FTC has required the organizations to implement comprehensive information security programs.
- FTC guidance. In 2007, the FTC issued guidance entitled Protecting Personal Information: A Guide for Business, which describes steps for organizations to take to protect personal information and the principles for sound data security plans.
- National Institute of Standards and Technology (NIST) guidance. In 2014, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a voluntary risk-based set of industry standards and best practices that organizations can use in managing cybersecurity risks.
- Payment Card Industry Data Security Standard (PCI DSS). This is a data security standard for all organizations that process, store or transmit cardholder data. Its requirements include protecting cardholder data and maintaining an information security policy.
For more information on the additional laws, guidance and industry standards, see Practice Note: Overview, Privacy and Data Security Law: Overview (

Massachusetts Attorney General Enforcement Actions

If an organization experiences a data breach involving a Massachusetts resident's personal information, it must provide written notification of the data breach to:
- The Massachusetts Attorney General.
- The Massachusetts Office of Consumer Affairs and Business Regulation.
- The affected Massachusetts resident.

The Massachusetts Attorney General can request a copy of the organization's WISP. The Massachusetts Attorney General's enforcement actions involving data breaches show the importance of having a WISP in place and ensuring compliance. Each enforcement action resulted in a settlement with the Massachusetts Attorney General.

The Briar Group

The Briar Group enforcement action involved the alleged violation of the Massachusetts Consumer Protection Act based on the organization's failure to:
- Implement basic computer system security measures to protect consumer credit card and debit card information.
- Comply with the PCI DSS.

As part of its settlement, the Briar Group agreed to:
- Implement, maintain and adhere to a WISP under the Massachusetts Regulation.
- Provide the Massachusetts Attorney General's office with a copy of the WISP.
- Comply with PCI DSS and verify its compliance with the Massachusetts Attorney General's office.
- Pay a civil penalty to Massachusetts.
(Commonwealth v. Briar Grp. LLC, CIF. No B, Consent Judgment (Mass. Sup. Ct. Mar. 28, 2011).)

Belmont Savings Bank and Maloney Properties

The Belmont Savings Bank and Maloney Properties enforcement actions concerned allegations that each organization violated the Massachusetts Regulation and the Massachusetts Consumer Protection Act. Belmont Savings Bank maintained personal information on unencrypted back-up tapes and did not follow its own WISP. Maloney Properties maintained personal information on an unencrypted laptop and did not follow its own WISP. As part of their settlements, each agreed to:
- Comply with the Massachusetts Regulation, including encrypting, to the extent technically feasible, all personal information stored on laptops or other portable devices, including backup data tapes.
- Comply with their own WISPs.
- Pay a civil penalty.
(In the Matter of Belmont Sav. Bank, CIF. No , Assurance of Discontinuance (Mass. Sup. Ct. July 28, 2011) and In the Matter of Maloney Props., Inc., CIF. No , Assurance of Discontinuance (Mass. Sup. Ct. Mar. 21, 2012).)

South Shore Hospital

The South Shore Hospital enforcement action involved allegations that South Shore Hospital violated the Massachusetts Consumer Protection Act and HIPAA by failing to protect consumers' personal and confidential health information. South Shore Hospital:
- Shipped unencrypted back-up computer tapes with personal information and protected health information off-site without appropriate safeguards to protect the information.
- Did not have a business associate agreement in place as required by HIPAA.
- Did not properly train its workforce regarding health data privacy.

As part of its settlement, South Shore Hospital agreed to:
- Take certain steps to comply with state and federal data security laws and regulations.
- Undergo a review and audit of certain security measures.
- Report the results of the audit and any corrective actions to the Massachusetts Attorney General.
- Pay $750,000, including $250,000 in civil penalties and $225,000 for an education fund for use by the Massachusetts Attorney General's office to promote education about the protection of personal information and protected health information. The remaining amount was satisfied by security measures it took after the data breach.

Goldthwait Associates and Pathology Groups

This enforcement action involved allegations that the former owners of a medical billing practice known as Goldthwait Associates and four pathology groups that used Goldthwait as their service provider violated:
- The Massachusetts Regulation.
- The Massachusetts Security Breach Act.
- The Massachusetts Consumer Protection Act.

The enforcement action also alleged that:
- The former owners violated the Massachusetts Data Disposal and Destruction Act.
- The pathology groups violated HIPAA.
View the online version at http://us.practicallaw.com/7-523-1520