Understanding New Data Privacy Laws
Until recently, most data privacy laws were limited to notification when a breach occurred. In the past six months, however, the landscape has changed dramatically:
- Massachusetts has enacted a law that goes further -- requiring organizations to take proactive measures to prevent breaches from occurring in the first place. Several other states have similar data privacy bills pending.
- The new American Recovery and Reinvestment Act of 2009 (ARRA) requires all entities that do business with healthcare organizations to abide by HIPAA regulations, which mandate the protection of health information, including the encryption of content sent over the Internet.
Massachusetts earlier this year established strict standards for protection of personal information about Massachusetts residents. The regulation applies to companies even if they are not located in Massachusetts. Those standards include encryption of electronic data when stored or transmitted and are set to take effect January 1, 2010. Nevada and Connecticut enacted similar laws in October 2008.
"Breach-notification laws deal with what happens after the horse leaves the barn. The new regulation is intended to prevent the horse from getting out of the barn in the first place." --- Daniel Crane, Undersecretary of the Massachusetts OCABR
Under Massachusetts law 201 CMR 17.00, companies handling personal information for any Massachusetts residents must protect and encrypt that personal information whenever it is stored on portable devices, transmitted wirelessly or shared on public networks. This applies not just to companies doing business in the state, but to any organization which has customers in Massachusetts.
The Massachusetts regulation, 201 CMR 17.00, defines personal information as a person’s first and last name or first initial and last name in combination with one or more of the following:
- Social Security Number
- Driver’s license or state ID card number
- Financial account number
- Credit card number
- Debit card number
(Note that Massachusetts Senate Bill 173, under consideration by the Massachusetts Senate, would change some of the specific encryption requirements detailed in the Mass data privacy law 201 CMR 17.00.)
Key Requirements of Mass. 201 CMR 17.00
The requirements are divided into two groups:
- Information Security Program - The processes and policies defined within a company to protect the personal information
- Computer Systems Security - The devices and technology protocols used to protect the information
Information Security Regulations
The law, passed by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), has identified specific areas for organizations’ information security program:
- Adopt a written comprehensive Information Security Program that contains administrative, technical and physical safeguards consistent with industry standards
- Identify one or more employees to maintain the security program
- Evaluate internal and external risks and improve current safeguards against such risks
- Develop policies regulating employees’ ability to keep, access and transport records outside of the workplace
- Create and execute employee training
- Implement disciplinary measures for violations
- Prevent terminated employees from accessing records containing personal information (PI) by removing their accounts from security access and information systems
- Ensure third-party service providers with access to PI can protect the information
- Collect only the amount of PI necessary to accomplish the legitimate purpose, and retain it only for the time necessary
- Identify all forms (paper, electronic, etc.) of storage that contain PI
- Restrict physical access to records containing PI
- Regularly monitor and enhance the Information Security Program to ensure that it is being followed and will prevent unauthorized access
- Review the program at least annually or when there is a significant business change
- Document actions taken in response to any breach of security and the changes made to the program from the post-incident review
- Secure user authentication protocols, such as user IDs and passwords, blocking of access after failed login attempts, and removal of terminated users’ IDs
- Secure access control measures that restrict access to those who need the information
- Encrypt all records that are transmitted over public or wireless networks
- Monitor PI systems for unauthorized access
- Encrypt all PI stored on laptops or other portable devices
- Obtain firewall protection and implement operating system security patches for devices connected to the Internet
- Install up-to-date security agents, including malware protection, virus definitions and security patches
- Perform employee training on the proper use of the computer systems and the criticality of PI security
Computer Systems Security
Below is an inventory of areas on a network that may require solutions to meet the Massachusetts law.
Device Protection and Encryption
- Laptops, workstations and servers
- Mobile devices and PDAs
- Anti-malware/virus
- Security patches
- Firewalls
- Password policy management
Protocol and Transmission Protection
- Private circuits -- MPLS, legacy Frame Relay or DSL
- VPNs -- Site-to-site
- VPNs -- End-user
- Wireless -- Wireless access points
- Wireless -- Cellular/wireless handhelds
- Wireless -- Cellular modems/wireless network cards
- Backup -- Workstation
- Backup -- Server
- Email -- Off-net transmissions
- Email -- On-net transmissions
- Email -- OWA (Outlook Web Access)
- Email -- HTTPS/RPC access
- Physical access to data center
What You Should Do to Comply with the New Mass. Data Privacy Law
To address the requirements of this new data privacy law, you should:
- review and understand the law
- seek guidance from your legal counsel
- develop and implement internal processes and procedures for information security
- evaluate and address financial, HR, CRM and other systems that may house credit card or employee or customer personal information
- engage with a reputable IT service provider for device protection and encryption as well as protocol and transmission protection
Resources
mindSHIFT managed services -- which include numerous protection and encryption solutions -- will enable you to meet many of the new law’s requirements today. For more information, contact mindSHIFT at 877-227-5054.