Archives: 201 CMR 17.00

If you have had to provide data breach notices across any number of states (and who hasn’t?), you know that the states vary widely in how those notices must be delivered to regulators. In some states (for example, California, North Carolina, Indiana, and New York), the Attorney General’s office has established an online portal that must be used for breach notices. In other states, notice letters must be sent to one or more regulators.

Under the Massachusetts data breach notification statute, M.G.L. c. 93H, notices must be provided to the affected resident, to the Attorney General’s office and to the Office of Consumer Affairs and Business Regulation (OCABR). It is not enough that Massachusetts has a sui generis statutory requirement for the content of breach notices (you must tell affected residents that a breach occurred, but the statute bars you from describing the nature of the breach in that notice); the OCABR has now created its own notice submission portal, which is a separate form and not merely a place to upload a copy of the AG notice. A letter sent out earlier this month also says: “It is important to note that this electronic submission form only satisfies the notification requirement for OCABR. The submission does not relieve businesses of their legal obligation to separately notify the AGO and the affected Massachusetts residents.”

Make sure you update your incident response plan to account for this additional notice requirement.

…many more than six different hacks… and headaches…

Written by Jonathan Ursprung

With the holiday season in full swing, many of us are struggling with that age-old question: “what do you get for the person who has everything?”  Well, if that person happens to be your supreme leader, the answer may very well be “a massive download of electronic dirty laundry on their sworn enemy”.

In late November of this year, the disturbing outline of a massive data breach at Sony Pictures began to form. Early indications suggested that the perpetrators may have been acting on behalf of, or to curry favor with, Kim Jong-un of North Korea; Sony Pictures had been promoting its upcoming film “The Interview”, which features a fictional assassination plot targeting the head of state. While North Korea has since denied involvement, the possibility that state-sponsored hackers carried out this attack was both credible and, ultimately, unsurprising.

Continue reading: “On the Sixth Day of Privacy, the hackers gave to Sony…”

Privacy goofs, gaffes and tidbits for the last Monday in July –

NSA Surveillance Causes More Grief – Germany Calls for a Stop to Safe Harbor: Time for Binding Corporate Rules?

According to news sources, the German federal and state data protection commissioners late last week sent a letter to German Chancellor Angela Merkel requesting suspension of the U.S.-EU Safe Harbor regime (the press release is available in German here). The commissioners argue that mass surveillance conducted by the U.S. National Security Agency (NSA) prevents U.S. companies from protecting the personal data of Germans in compliance with data protection law.

The EU Data Protection Directive prohibits the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standard for privacy protection. To allow the exchange of personal data with U.S. organizations, the U.S. Department of Commerce and the European Commission developed the “Safe Harbor” framework, which permits transfers of personal data from the EU to the U.S. as long as specified standards for notice, choice, onward transfer, access, security, data integrity and enforcement are met.

“The Safe Harbor agreement may not be so safe after all,” said Viviane Reding, vice president of the European Commission.  “U.S. data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.”

The commissioners have stopped issuing approvals for international data transfers until the German government demonstrates that the processing of German citizens’ personal data by foreign intelligence services complies with data protection law. They argue that the extent of the NSA’s surveillance makes interception of personal data routine, which is not consistent with the Safe Harbor framework.

If the German government agrees with the commissioners and suspends Safe Harbor, every company relying on Safe Harbor for lawful transfers of personal data from the EU to the U.S. would have to either suspend those transfers or face fines from the data protection authorities.

With elections approaching, this has become a heated political debate in Germany. Chancellor Merkel has supported the U.S. surveillance and echoed President Obama’s claim that it prevents terrorist attacks and protects Americans and Germans alike, but according to a news source she pushed back last week, calling for the U.S. to respect German data privacy on German soil.

We will keep you updated on developments in this area. In the meantime, one way for multinational companies to limit the effect of a suspended Safe Harbor program is to adopt binding corporate rules, which satisfy EU standards and are an alternative means of authorizing transfers of personal data outside Europe. Contact the Mintz Levin privacy team for more information.

SEC Employees Victimized by Thumb Drive Data Breach:  “You ARE the Weakest Link”

A serious data breach at the Securities and Exchange Commission transferred personal data about current and former employees into the computer system of another federal agency, a letter sent by the SEC to staff reveals.

The July 8 letter, obtained by The Hill, is from Thomas Bayer, the SEC’s chief information officer and senior agency official for privacy. It warned that personal employee data had been discovered on the networks of another, unnamed federal agency. SEC employees’ Social Security numbers were exposed after a former worker unwittingly downloaded sensitive human resources data to a thumb drive, underscoring the privacy risks posed by these ubiquitous devices.

Mintz Levin’s Cynthia Larose is quoted in Law360 (registration required): “Talk to most security people and they will say that the USB port is the biggest ‘You are the weakest link’ problem in corporate networks, and the government is no exception to that, obviously,” she said. “Allowing files of any kind of size whatsoever to be downloaded to a USB drive is trouble.”

Read more: http://thehill.com/blogs/on-the-money/1007-other/313387-staff-data-leaks-out-of-the-sec#ixzz2aRpuQj5c

Tech Companies Want Federal Data Breach Notification Law

Will the fourth time be the charm? For the fourth time in eight years, the U.S. House of Representatives is considering a federal law that would require companies to notify customers of a data breach. Tech companies have weighed in on the side of such legislation, hoping to end the “crazy quilt” of state requirements that companies face when they experience a breach. Corporate general counsel are looking to a single “breach notification standard” for compliance relief.

Read more:   Corporate Counsel (registration required)

Comprehensive Security Plans Should be the Rule, Not the Exception

The deadline for compliance with the HIPAA Omnibus Rule is fast approaching, and the stakes are rising.

Not only have the threats to healthcare organizations increased, but so have the government fines. A single violation is capped at $50,000, but repeated violations within the same year can carry fines of up to $1.5 million, and that cap applies to each category of HIPAA violation (up substantially from the previous $250K minimum). The average economic impact of a data breach has also increased by $400K since 2010, to a total of $2.4 million. Investigation and legal efforts, business downtime and lost credibility all drive costs well beyond the fines themselves. As we have been preaching for many years (at least since the Massachusetts Security Regulations, 201 CMR 17, took effect), a comprehensive security plan is the best defense, for every sector, and now particularly for businesses that handle protected health information. The plan should address hardware, software, paper records and training, and it should be in writing.

Read more:  HealthIT Security

We have two “Save the Date” announcements today – for registration information click on the links below:

October 18, 2012 — San Diego — The Era of Big Data — Governance, Risk and Compliance

October 25, 2012 — Webinar — Data Privacy and Security Issues for the Nonprofit

Join the Mintz Levin Privacy team at one of these upcoming events!

Written by Cynthia J. Larose and Adam Veness

Last October, a laptop belonging to Maloney Properties, Inc. (“MPI”) was stolen. It contained unencrypted personal information, including Social Security numbers, for more than 600 Massachusetts residents. Shortly after the incident, MPI sent letters to customers alerting them to the theft and the resulting data breach. As a result of that breach, Massachusetts Attorney General Martha Coakley investigated MPI’s acts and practices in protecting the personal information of its customers, as defined by G.L. c. 93H, § 1. Based on her investigation, Coakley alleged that MPI violated G.L. c. 93H et seq., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 et seq., and the Massachusetts Consumer Protection Act (G.L. c. 93A, § 2) by (a) maintaining personal information on an unencrypted laptop, and (b) failing to follow its own Written Information Security Program, as required by 201 CMR 17.03.

To settle the investigation, MPI entered into an Assurance of Discontinuance with the AG on March 21, 2012.  Pursuant to the Assurance of Discontinuance, MPI has agreed to pay a civil penalty of $15,000, and has further agreed that it will:

  • ensure that personal information is not unnecessarily stored on portable devices, including laptops;
  • ensure that all personal information stored on portable devices is properly encrypted;
  • ensure that all portable devices containing personal information are stored in a secure location;
  • effectively train employees on the policies and procedures with respect to maintaining the security of personal information; and
  • perform an audit of its compliance with its Written Information Security Program at least annually.

The Assurance of Discontinuance also requires that, for the years 2012 and 2013, MPI submit the results of its audit to the Attorney General’s office within 14 days of completion. Given that the audit requirement says “on at least an annual basis,” it is conceivable that the Attorney General’s office could require MPI to conduct additional audits if the results are unsatisfactory.

Interestingly, this settlement has gone unreported by local media. It is the third breach-related enforcement action by the Massachusetts Attorney General’s office. In August 2011, the AG reached a settlement with Belmont Savings Bank for $7,500, and in March 2011 the AG reached a settlement with Briar Group, LLC for $110,000. None of the settlements provides guidance as to what kinds of reported breaches, or what breach-related conduct, raise red flags at the Massachusetts AG’s office. In every case, however, the data was unencrypted, either in transit (Briar Group) or at rest (MPI and Belmont Savings).

Important Takeaway

If your business owns, stores, or licenses the personal information of Massachusetts residents, then as of March 1, 2010 you must have a written information security program, and that program must be appropriately vetted, implemented with proper training of employees, and revisited from time to time to ensure that it still matches how your business actually operates. Say what you do, and make sure that you do what you say.

Contact a member of the Mintz Levin Privacy team for more information related to compliance with the Massachusetts data protection regulations, and for more information related to the legal requirements for when and how you must notify customers of a data security breach. We’ve written extensively about compliance with the Massachusetts regulations, here.

For further information about the MPI settlement:

Attorney General Press Release

Maloney Properties, Inc. Letter to Affected Customers

Just a reminder that March 1 is an important deadline under the Massachusetts data privacy and security regulations (the “Regulations”). As a refresher, the Regulations require every entity that “owns or licenses” personal information of Massachusetts residents, wherever the entity is located, to implement specific administrative, physical and technical safeguards for that information. To reduce the risk of data breaches involving third-party service providers that have access to personal information, the Regulations require covered companies to take reasonable measures to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the Regulations mandate that companies contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements. Regardless of location, an entity must comply if it receives, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents in connection with the provision of goods and services or in connection with employment. Because the Regulations define terms such as “own and license” so broadly, most service providers, from your payroll provider to your e-commerce hosting provider, are likely subject to this requirement.

The contract provision includes a grandfather clause: contracts entered into before March 1, 2010 are exempt from this requirement until March 1, 2012. By March 1, 2012, companies that own or license PI of Massachusetts residents must ensure that their pre-March 1, 2010 contracts with third-party service providers have been amended to incorporate the appropriate contractual requirements. In any event, service provider contracts entered into after the March 1, 2010 effective date of the Regulations have been required from the outset, and continue to be required, to contain such a contractual representation of compliance.

If your company relies on service providers to receive, store, process or otherwise access personal information of Massachusetts residents, make sure those service provider contracts contain a representation that appropriate administrative, physical and technical safeguards are maintained to protect the personal information. Letters from service providers “certifying” that they comply with 201 CMR 17 do not satisfy the Regulations unless they specifically operate as an amendment to the agreement you have in place with that provider.

Since it’s traditionally the time for new beginnings and resolutions to clear away old habits, we’d like to pass on some tips for improving privacy and security in your operations — and in your own life —  in 2012.

1.   Be sure to secure.

Many data breaches occur because sensitive information is left lying around the office. Keep documents containing sensitive data and personally identifiable information locked up; a clean desk is a safe desk. Also make this the time to secure your home network. Online banking and many other sensitive activities run over the home network, so why leave it open to drive-by hackers?

2.  Encrypt, Encrypt, Encrypt.

When transmitting sensitive information, make sure it is encrypted and sent over a secure connection. This is not only a privacy and information security “best practice,” it is also required by several laws and industry regulations, including the HITECH Act (for electronic protected health information), the Massachusetts data security regulations, and the Payment Card Industry Data Security Standard (for credit card information).

3.  If you don’t need it, don’t take it.

Data breaches often occur when a laptop or document files are stolen from an employee’s home, or lost while in transit.  If you don’t need to work with sensitive data outside the office, don’t take it with you.
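Tips 2 and 3 above (and the MPI laptop theft discussed elsewhere on this page) come down to one question: do you even know which files on the laptop or thumb drive contain personal information? The following script, added here as an illustration and not part of the original post, walks a directory and reports files that contain plausible U.S. Social Security numbers, so the check can be run before a device leaves the office. It uses only the Python standard library; the regular expression and the issuance rules it applies (area 000, 666 and 900 and above, group 00 and serial 0000 are never assigned) are my own filtering choices, and the sample file contents in the usage block are constructed.

```python
"""
Pre-departure scan: find files that appear to contain U.S. Social Security
numbers (SSNs) before a laptop or removable drive leaves the office.
Added example, not code from the original post.  Standard library only.
"""
import os
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Candidate SSN: NNN-NN-NNNN, NNN NN NNNN, or nine bare digits.  The
# lookarounds keep longer digit runs (account numbers, timestamps) from
# matching.  Mixed separators are tolerated on purpose.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, which trims obvious false positives.

    Area 000, 666 and 900-999 are never assigned; neither are group 00
    or serial 0000.  (Filtering rule chosen for this example.)
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return the plausible SSNs in a block of text, normalised to NNN-NN-NNNN."""
    hits = []
    for m in _SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_valid_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def mask(ssn: str) -> str:
    """Keep only the last four digits, so the scan report is not itself PI."""
    return "***-**-" + ssn[-4:]


def scan_tree(root: Path, max_bytes: int = 50_000_000) -> List[Tuple[str, int]]:
    """Walk root; return (path, hit_count) for every file with at least one hit.

    Files are decoded as UTF-8 with undecodable bytes ignored, so binaries are
    scanned for embedded ASCII without raising.  Encrypted or compressed
    containers cannot be inspected this way: a clean result for those is a
    limitation of the scanner, not evidence that they are free of PI.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or path.stat().st_size > max_bytes:
                    continue
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = find_ssns(text)
            if hits:
                findings.append((str(path), len(hits)))
    return findings


if __name__ == "__main__":
    # Usage: python ssn_scan.py /path/to/laptop/Documents
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file_path, count in scan_tree(target):
        print(f"{count:4d} SSN-like value(s)  {file_path}")
    # Constructed sample, to show the masking used in reports:
    for s in find_ssns("payroll export: Alice 123-45-6789, Bob 000-12-3456"):
        print("example hit:", mask(s))
```

Anything the scan flags should either stay on the office share or be encrypted before it travels; a file that is not on the device cannot be lost with it.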

4.   Once you have read it, shred it.

If you no longer need files or documents containing sensitive information, destroy them using proper methods. Using a secure file deletion program or an “e-shredder” is an effective way to destroy electronic copies. Again, in many situations this isn’t just “best practice”; it’s the law (e.g., the FTC Disposal Rule, Mass. Gen. Laws c. 93I, the HIPAA Privacy Rule).
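As an added illustration of what an “e-shredder” actually does (this is example code, not a tool from the original post), the routine below overwrites a file with random bytes, forces the write to disk, truncates it, renames it to hide the original file name, and then unlinks it. The caveat a practitioner should know: an in-place overwrite only destroys the data when the filesystem writes the new bytes over the old ones. On SSDs with wear levelling, on copy-on-write or snapshotting filesystems, and in folders mirrored to cloud or backup storage, the old blocks can survive, so for those cases rely on full-disk encryption plus key destruction or the drive’s own secure-erase command, and treat this routine as defense in depth only. Standard library only; the sample file in the usage block is constructed.

```python
"""
Overwrite-then-delete for a single regular file, in the spirit of an
"e-shredder".  Added example, not from the original post.

Limitation (see lead-in): overwriting in place is only effective where the
filesystem and device really do replace the old blocks.  On SSDs, CoW or
snapshotting filesystems, and synced/backed-up folders, prefer full-disk
encryption with key destruction or the device's secure-erase.
"""
import os
import secrets
import sys
from pathlib import Path

CHUNK = 1 << 20  # overwrite 1 MiB at a time so large files are not read into memory


def overwrite_file(path: Path, passes: int = 1) -> int:
    """Overwrite the file's contents with random bytes; return total bytes written."""
    size = path.stat().st_size
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite through the OS page cache
            written += size
    return written


def shred(path: Path, passes: int = 1) -> bool:
    """Overwrite, truncate, rename to a random name, then unlink.

    Refuses symlinks and non-regular files so a link cannot redirect the
    overwrite onto something else.  Renaming before unlink also hides the
    original file name, which on many filesystems lingers in the directory
    entry after deletion.  Returns True when the file is gone afterwards.
    """
    path = Path(path)
    if path.is_symlink() or not path.is_file():
        raise ValueError(f"refusing to shred non-regular file: {path}")
    overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
    anon = path.with_name(secrets.token_hex(8))  # random name in the same directory
    path.rename(anon)
    anon.unlink()
    return not path.exists() and not anon.exists()


if __name__ == "__main__":
    # Usage: python eshred.py /path/to/old_payroll_export.csv
    if len(sys.argv) > 1:
        print("shredded:", shred(Path(sys.argv[1])))
    else:
        # Constructed sample so the script demonstrates itself without arguments.
        sample = Path("constructed_sample.txt")
        sample.write_text("Alice,123-45-6789\n" * 3)
        print("bytes overwritten:", overwrite_file(sample))
        print("shredded:", shred(sample))
```

For paper, the analogous rule is a cross-cut shredder or a bonded destruction vendor, and for whole devices the retirement process should record how the media was wiped or destroyed, since the disposal laws cited above ask you to be able to show it.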

5.   Browse intelligently.

Make sure that your web browser’s security and privacy settings are set to an appropriate level.  When traveling, or using a personal computer, be sure to delete web or temporary file caches so your “e-footprints” don’t expose any sensitive information.

6.    Never engage with a spammer.

While unsolicited commercial emails (“spam”) are annoying, do not e-mail or otherwise contact the spammer unless you are using a valid “unsubscribe” link at the bottom of the message. Replying only confirms that your address is “live” and may actually increase the amount of spam you receive. Don’t open email or attachments from anyone you do not know, and remind employees of this at work so that your company’s information is not compromised by phishing scams.

7.  Make your passwords complex.

The passwords you use for your email, online banking, network access, or any other service that holds your private information (or the confidential information of your company or employer) should not be simple or easily guessed. The best passwords are long and mix numbers, symbols and letters. If your company does not have a password policy, 2012 is a good time to start one. And mix up your own passwords: using the same password across all your accounts is an invitation to be hacked, because a breach at any one of them exposes all the others.

Here’s to a happy and SAFE 2012!!

Once again, we have evidence that failing to implement the most basic data security measures can cost real money.

The Massachusetts Attorney General’s office announced a consent order that fines a Boston restaurant group $110,000 and imposes a set of compliance measures that will also carry a price tag. Despite many headlines trumpeting the “first enforcement action,” this action was not brought under the Massachusetts data security regulations. It was a consumer protection action brought by the Attorney General under the Massachusetts consumer protection law, G.L. c. 93A. 201 CMR 17.00 certainly played a part: the Briar Group is required to implement a written information security plan and supply a copy to the AG’s office within 14 days of the order, and the standards set out in 201 CMR 17.00 are the framework around which the settlement order is built. But the action was not one to enforce those regulations. Those are coming.

A copy of the consent order is here – Briar Signed Consent Judgment – 3-28-11 (3).pdf.

Much has been written and blogged over the last couple of days about the consent order. But what should businesses take away from it? The retail and hospitality sector is particularly vulnerable to data breaches because of the volume of credit card information it processes every day. Managing that exposure is part of the cost of doing business, and the responsibility for it rests with the business.

Continue reading: “Into the Breach – Security Failures Can Cost You”

Since March 1, 2010, privacy professionals have been waiting for a data breach that could bring an enforcement action under 201 CMR 17.00, the Massachusetts privacy regulations. I just spoke with Paul Roberts, editor of threatpost.com, a blog that posted an entry yesterday about a breach that could do just that. Twin America LLC, the parent company of the bus tour company CitySights NY, says the credit card details of 110,000 customers were stolen in a Web-based attack, and it suggests that it wasn’t following Payment Card Industry guidelines for storing card data.

Continue reading: “Data Breach at NYC ‘Hop-on, Hop-off’ Tour Company – 110,000 credit card numbers stolen”