An Act Relative to Security Freezes and Notification of Data Breaches
Chapter 82 of the Acts of 2007
Massachusetts Digital Government Summit
Securing Private Information Session
December 11, 2007
One More Addition to Existing Data Security Rules
• HIPAA Security Rule
• Fair Information Practices Act
• Social Security Administration Agreements
• PCI-DSS Requirements
• And now, the Commonwealth’s Identity Theft Act…
Summary
• Credit Report Freeze: Effective October 31, 2007
• Security Breaches: Effective October 31, 2007
• Disposition and Destruction of Records: Effective February 3, 2008
Credit Report Freeze, Sections 1 through 16 of the Act
• Chapter 93, s. 62(A)
• If identity stolen, consumer has right to control who has access to credit report, except under certain circumstances, including:
  • State agencies, law enforcement agencies, or trial court acting under court order, warrant or subpoena
  • The Massachusetts child support agency (DOR)
  • EOHHS when investigating Medicaid fraud
  • DOR investigating or collecting delinquent taxes or unpaid court orders, or fulfilling other statutory responsibilities
Security Breaches, Section 16 of the Act
• Creates MGL ch. 93H
• Key definitions
• Agency broadly defined to include, among others, all executive department agencies
Security Breaches, cont.
• Agencies will have a notice obligation when:
  • Breach of Security re: PI, OR
  • PI acquired or used by an unauthorized person, OR
  • PI used for unauthorized purpose
Security Breaches, cont.
• Breach of Security = unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality or integrity of personal information maintained by a person or agency and that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
• A good faith but unauthorized acquisition of PI by a person or agency, or an employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the PI is used in an unauthorized manner or subject to further unauthorized disclosure.
Security Breaches, cont.
• Personal information (PI) =
  • [(first name + last name) or (first initial + last name)]
  • in combination with any 1 or more of the following:
    • SSN
    • driver’s license or Mass ID card number
    • financial account number, or credit or debit card number, with or without any required security access code, personal ID number, or password that would permit account access
  • BUT NOT information lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
  • (No biometric identifiers included)
Security Breaches, cont.
• Encrypted = transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of the confidential process or key, unless further defined by regulation of the Office of Consumer Affairs and Business Regulation (OCA).
Security Breaches, cont.
• Data = any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics
• Electronic = relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities
Security Breaches, cont.
• Notice [to consumers]:
  • Written
  • Electronic, if provided consistent with E-SIGN consumer protection provisions (15 USC Section 7001(c)) and UETA consumer protection provisions (MGL ch. 110G)
  • “Substitute notice” if the agency required to provide notice demonstrates that:
    • cost of providing written notice will exceed $250,000, or
    • affected class of Mass. residents to be notified exceeds 500,000 residents, or
    • agency does not have sufficient contact information to provide notice
Security Breaches, cont.
• Substitute Notice [to consumers] is all of the following:
  • Email, if the agency has email addresses for the members of the affected class
  • Clear and conspicuous posting of the notice on the home page of the agency, if the agency has a website, AND
  • Publication in or broadcast through media or a medium that provides notice throughout the commonwealth
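The PI definition, the encrypted-data carve-out and the notice thresholds above are concrete enough to encode as a breach-scoping check. The following Python is an added example, not part of the presentation or any Commonwealth tool; the record fields and channel names are this example's own assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, field

# Identifier kinds that, with a name, make a record PI under ch. 93H (assumed field names).
PI_IDENTIFIERS = {"ssn", "drivers_license", "mass_id_card", "financial_account", "credit_card", "debit_card"}

@dataclass
class ExposedRecord:
    last_name: str = ""
    first_name: str = ""
    first_initial: str = ""
    identifiers: set = field(default_factory=set)
    from_public_record: bool = False  # lawfully available public information
    encrypted: bool = False           # 128-bit or stronger, per the page
    key_also_exposed: bool = False    # confidential process or key also taken

def is_personal_information(rec):
    """(first+last or initial+last) plus one listed identifier, unless public."""
    has_name = bool(rec.last_name) and bool(rec.first_name or rec.first_initial)
    has_identifier = bool(rec.identifiers & PI_IDENTIFIERS)
    return has_name and has_identifier and not rec.from_public_record

def is_exposed(rec):
    """Unencrypted data, or encrypted data together with its key, counts."""
    return (not rec.encrypted) or rec.key_also_exposed

def affected_residents(records):
    """Residents whose PI was actually compromised in the data set."""
    return sum(1 for r in records if is_personal_information(r) and is_exposed(r))

def notice_method(written_cost_usd, affected, have_contact_info):
    """Written notice unless one of the substitute-notice conditions holds."""
    if written_cost_usd > 250_000 or affected > 500_000 or not have_contact_info:
        return "substitute"
    return "written"

def substitute_notice_channels(has_email_addresses, has_website):
    """Substitute notice is ALL applicable channels, not a choice among them."""
    channels = ["email"] if has_email_addresses else []
    if has_website:
        channels.append("homepage_posting")
    channels.append("statewide_media")
    return channels

SAMPLE = [  # constructed records: only the first two count as compromised PI
    ExposedRecord("Smith", "Jane", identifiers={"ssn"}),
    ExposedRecord("Doe", first_initial="J", identifiers={"credit_card"}),
    ExposedRecord("Roe", "Rick", identifiers={"ssn"}, from_public_record=True),
    ExposedRecord("Lee", "Ann", identifiers={"ssn"}, encrypted=True),
    ExposedRecord("Lee", "Ann", identifiers={"email_address"}),
]
```

Note that an encrypted record drops out of scope only while the key stays confidential; if the key is also taken, `is_exposed` returns True and the record counts again.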
Security Breaches
• The supervisor of public records, with the advice and consent of ITD insofar as ITD sets IT standards for the Executive Department, must establish rules or regulations designed to safeguard the PI of residents of the Commonwealth that is owned or licensed.
• Purpose of rules:
  • Insure security and confidentiality of PI
  • Protect against anticipated threats or hazards to security or integrity of such information
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any resident of the Commonwealth
  • Take into account size, scope and type of services provided by agencies
• Legislature, judiciary, and constitutional offices to adopt their own rules
• Status: ITD working on an SPR Bulletin with Supervisor of Public Records
Security Breaches
• Notice obligation triggered when agency knows or should have known:
  • Of breach of security, or
  • That the PI was acquired or used by an unauthorized person or for an unauthorized purpose
• Notice must be provided “as soon as practicable and without unreasonable delay”
• Notice requirements differ depending on whether agency:
  • Maintains and stores data for owner or licensor
  • Is the owner or licensor of data [use defined notice and substitute notice terms]
Security Breaches, cont.
• Agency that maintains or stores, but does not own or license, data that includes PI about state residents must provide notice to the owner or licensor of the data
Security Breaches, cont.
• In addition, such agency must cooperate with owner or licensor of PI, including informing them of:
  • breach of security or unauthorized acquisition or use
  • date of incident
  • nature thereof
  • steps agency has taken or plans to take relating to the incident
Security Breaches, cont.
• Agency that owns or licenses data that includes PI about a resident must provide notice to AG, OCA and resident.
• Upon receipt of notice, OCA must inform the reporting agency of any relevant consumer reporting agency or state agency, and the agency must then provide notice to each relevant consumer reporting agency.
Security Breaches, cont.
• Notice to resident must include:
  • Consumer’s right to obtain police report
  • How to request a security freeze
  • Fees required to be paid to consumer reporting agencies
• But not the nature of the breach or unauthorized acquisition or use, or the number of residents of the commonwealth affected by it.
Security Breaches, cont.
• Executive department agencies must also provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use to:
  • ITD
  • supervisor of public records
• and must comply with all policies and procedures adopted by them pertaining to reporting and investigating the incident.
Security Breaches, cont.
• ITD Enterprise Cybercrime & Security Incident Response Policy and Procedures
• Required notification:
  • To CommonHelp via
    • 1-866-888-2808
    • CommonHelpServiceDesk@MassMail.state.ma.us
  • Then to CSIRT (Cybercrime Incident and Response Team) at CSIRT@state.ma.us
Security Breaches, cont.
• Other requirements of the CSIP:
  • Event log
  • Investigate
  • Identify risk
  • Snapshot of files within first half hour of investigation
  • Confer with CSIRT and network manager
  • Response plan
  • Monitor and evaluate
  • Preliminary and final report to file with agency and CSIRT
  • Preserve evidence
  • Post mortem; lessons learned
Security Breaches, cont.
• Notice may be delayed if a law enforcement agency determines that provision of notice will impede a criminal investigation, has notified the AG in writing thereof, and informs the agency of such determination. Once the law enforcement agency informs the agency that notification no longer poses a risk, notification must be provided.
• Agency must cooperate with law enforcement in its investigation of the breach
Security Breaches, cont.
• Safe Harbor: The Mass. ID Theft law does not preempt other state and federal laws regarding protection and privacy of PI; however, a person who maintains procedures for responding to a breach pursuant to federal laws, rules, regulations, guidance or guidelines is in compliance with this chapter if they:
  • notify affected Mass. residents in accordance with the maintained or required procedures when a breach occurs, and
  • notify AG and OCA as well.
Disposition and Destruction of Records, Section 17 of the Act
• Creates MGL ch. 93I
• Data must contain Personal information =
  • [(first name + last name) or (first initial + last name)]
  • in combination with any 1 or more of the following: (a) SSN, (b) driver’s license or Mass ID card number, (c) financial account number, or credit or debit card number, with or without any required security access code, personal ID number, or password that would permit account access, or (d) biometric indicator
  • Ex: JSmith plus SS# 35423-0972
• Note that biometric indicators are NOT included in the security breach section of the law, and that the exception to the definition of PI in the security breach section for publicly available information is also NOT included here.
Disposition and Destruction, cont.
• Applies to agencies, broadly defined
Disposition and Destruction
• When disposing of records, each agency or person must at a minimum do the following:
  • Paper documents containing PI redacted, burned, pulverized or shredded so that PI cannot practicably be read and reconstructed
  • Electronic media and other non-paper media containing PI shall be destroyed or erased so that PI cannot be practicably read or reconstructed
• What does “cannot be practicably read or reconstructed” mean? Does it mean not susceptible to the non-technologist? To the teenage hacker? To the forensic specialist?
  • See new National Institute of Standards and Technology Standard 800-88, Guidelines for Media Sanitization
  • ESB Media Sanitization Project
Disposition and Destruction, cont.
• An agency disposing of PI may contract with a 3rd party to dispose of PI according to this chapter.
• 3rd party must implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of PI during collection, transportation and disposal of PI
Penalties
• Civil money penalties for violation of sections of the act pertaining to security breaches and disposition and destruction of data
Identity Theft Bill: Agency CIO To Do List
• Ensure all agency counsel are aware of the ID theft bill if your agency holds PI (Techlaw training for counsel in January ‘08)
• Review the regulations that will be adopted by OCA and SPR and analyze their impact on your agency
• Determine if Federal laws to which your agency is subject preempt
• Identify key players in agency
• Identify and notify key players in your agency
• Adopt policies and procedures consistent with law and OCA/SPR regulation
• Monitor and enforce against employees, contractors and agents
Linda Hamel, General Counsel, ITD
Linda.email@example.com
(617) 626 4404