Allison Dolan
Program Director, Protecting Personally
Identifiable Information
Massachusetts Institute of Technology
State Data Breach Laws
… A National Patchwork Quilt
• Breach law history
• Massachusetts and other states
• What’s on the horizon
Presentation Overview
10/21/2010 Rochester Security Summit 2010
Key Take-aways
Laws and regulations continue to abound, and are becoming more prescriptive
Know what state(s) are relevant
Know what industry(ies) are relevant
Know what processes you have
Laws & Regulations
• FERPA - Family Educational Rights and Privacy Act
• Gramm-Leach-Bliley Act
• HIPAA - Health Insurance Portability and Accountability
Act
• FACTA/Red Flags Rule
• PCI DSS - Payment Card Industry Data Security
Standards
• HITECH Act - Health Information Technology for
Economic and Clinical Health
• State data breach laws, regulations
State Laws
2002 – California SB 1386 – consumer notification if unauthorized access to unencrypted electronic records with personal information
2005 – New York data breach law GBL 899-aa
2007 – Massachusetts M.G.L. c.93H/93I: 39th state with a breach law; 5th to include paper; 1st to require a "written information security program"
2007 – California AB 1298 added medical and health insurance information to the definition of PI
2010 – 47 states, Puerto Rico, Virgin Islands, DC, NYC with laws
Massachusetts Data Breach Law (M.G.L. c.93H & 93I)
• Personal information (PI) = last name (with first name or initial), along with one or more of: Social Security Number; Driver's License # or Mass. ID #; Financial Account # or Credit/Debit Card #
• Defines obligations re: notification if paper or electronic files are exposed (irrespective of encryption)
• Includes what must be in the notification letter
• When destroyed, must be done such that PI cannot practicably be read or reconstructed
• Data protection regulations initially issued 9/08; ultimately effective 3/1/2010
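The definition above is a conjunctive rule (name combination plus at least one data element), and the first practical consequence is an inventory of where such combinations live. The following Python classifier is added here as an illustration and is not code from the presentation: it applies the c.93H definition to constructed records, validating SSNs against SSA issuance rules and card numbers with the Luhn check so that look-alike digit runs (invoice or phone numbers) do not count. The record schema, the label-based driver's license match and the sample records are assumptions of this example.

```python
"""Classifier for the Massachusetts definition of "personal information"
(M.G.L. c.93H, s.1): a resident's last name plus first name or first initial,
in combination with one or more of: Social Security number; driver's license
or state ID number; financial account number or credit/debit card number.

Added example; not code from the presentation. The record schema, the
label-based license match and the sample records are assumptions made here.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or dashes (payment card formats).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# License/ID numbers have no single nationwide format, so this example keys on
# a field label rather than a digit pattern (an assumption of this example).
LICENSE_RE = re.compile(
    r"\b(?:DL|Driver'?s? License|Mass\.? ID)\s*#?\s*:?\s*([A-Z0-9-]{5,})", re.I
)


def valid_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues: area 000, 666 or
    900-999; group 00; serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return the c.93H data elements found in free text, keyed by type.
    SSNs and card numbers are validated so that look-alike digit runs
    (invoice numbers, phone numbers) do not produce false positives."""
    found = {"ssn": [], "card": [], "license": []}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"].append(digits)
    for m in LICENSE_RE.finditer(text):
        found["license"].append(m.group(1))
    return found


def classify_record(record):
    """record: dict with 'last_name', 'first_name' (full name or initial) and
    'text', the content held about that person (schema assumed for this example).
    Returns whether the record meets the c.93H definition and which data
    elements triggered it."""
    has_name = bool(record.get("last_name")) and bool(record.get("first_name"))
    ids = find_identifiers(record.get("text", ""))
    elements = [kind for kind, hits in ids.items() if hits]
    return {"personal_information": has_name and bool(elements), "elements": elements}


# Constructed sample records (not real people or numbers).
SAMPLE_RECORDS = [
    {"last_name": "Doe", "first_name": "J", "text": "SSN 219-09-9999 on I-9 form"},
    {"last_name": "Roe", "first_name": "Richard", "text": "Visa 4111 1111 1111 1111 exp 12/12"},
    {"last_name": "Poe", "first_name": "", "text": "SSN 219-09-9999"},            # no first name/initial
    {"last_name": "Moe", "first_name": "M", "text": "Invoice 000-12-3456 paid"},   # SSN-shaped, never issued
    {"last_name": "Coe", "first_name": "C", "text": "DL# S12345678, phone 617-555-0100"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["last_name"], classify_record(rec))
```

The name test is deliberately a field check rather than a free-text name detector: in the HR, customer and financial processes listed at the end of this deck the name almost always arrives as a structured field, and it is the data elements that hide in free text, attachments and scans.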
Massachusetts Data Protection Regulations (201 CMR 17)
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
If you have Personal Information, then you have a "duty to protect" and need to follow "standards to protect", including:
• "Develop, implement, maintain and monitor a … written information security program" (WISP)
• Limit access and ensure user authentication & authorization
• "Oversee" 3rd parties
• Encrypt transmitted records and personal information stored on laptops or other portable devices
• Maintain up-to-date versions of system security including malware protection, patches and virus definitions
• … plus other requirements
Massachusetts Data Protection Regulations Evolution
• Office of Consumer Affairs and Business Regulation promulgated the regulations; Attorney General responsible for enforcement
• Draft regulations 2/08
  – Included technical detail for encryption requirements
  – A lot of feedback
• Issued 9/08, with 1/1/09 effective date
  – No technical requirements for encryption
  – "Certification" of 3rd parties
  – Implied requirement to inventory PI
  – Standards were "one size fits all"
Massachusetts Data Protection Regulations Evolution (cont'd)
• 4 postponements with revisions
  – Added emphasis on a risk-based approach – a small business with little PI has a different risk than a large company
  – Made more explicit that the "written program" could consist of a compilation of existing written policies/practices
  – Need to "oversee" 3rd parties by taking "reasonable steps" to ensure the 3rd party can protect information
  – Entire IT section prefaced with "to the extent technically feasible"
California redux
• 2007 – AB 1298 added medical information and health insurance information to the definition of PI
• 2010 – SB 1166 (vetoed 9/2010; substantially the same provisions were enacted in 2011 as SB 24)
  – Additional information in notification letters, including:
    – Type of personal information exposed
    – Description of the incident, including date
    – Steps the organization is taking to protect individuals
    – Steps consumers can take to protect themselves, including contact information for the credit reporting agencies
  – Breach affecting >500 residents: a copy of the notification letter must also be submitted to the AG
State comparisons
• All(?) focus on state residents (not the company's residence)
• Most focus on electronic records; few include paper/other media
• Most include SSN, driver's license/state-issued ID, credit card number, financial account numbers; some count account/card numbers only if the access code, password or PIN needed to use them is also exposed
• Some include mother's maiden name, date of birth, etc.
• Many exempt "protected" or encrypted records
State comparisons
• State agency notification varies – e.g. AG, others, none
• Template for notification letter varies – e.g., some require details of the breach (when, how, #), others preclude details
• Timeframe varies – "without unreasonable delay", "5 days"; often an exception for police investigation
• Harm threshold varies – from no threshold through "reasonably believed to have been acquired by an unauthorized person"
• Quantity threshold varies – 1 to 1,000 (also, a maximum above which individual notification is not required)
• Penalties vary, some with maximums
• Private right of action varies
Federal Trends
• HITECH (2/2009)
  – notification requirements for HIPAA Covered Entities and Business Associates
  – national database (HHS public posting of breaches affecting 500 or more individuals)
  – HHS AND State AG enforcement
• Data Breach Notification Act (introduced 1/2009)
  – Authorize the AG to bring civil action if notification did not occur
  – Extends notification requirement to government agencies
• Personal Data Privacy and Security Act (introduced 7/2009)
  – Set criminal penalties for willful concealment of a breach
  – Require preventative security standards
Federal Trends
• Data Security Act of 2010, S. 3579 (first introduced 2007, reintroduced 7/2010)
  – preempt state laws
  – modeled after GLBA
  – establish "appropriate standards" for administrative, technical and physical data protection
• Data Security and Breach Notification Act of 2010, S. 3742
  – Require protection of PI (FTC to set national standards)
  – Require notification within 60 days
  – Require offering 2 years of credit protection
  – Up to $5 million in civil penalties
  – Exemption for entities covered by FCRA
In Our Future?
• More European-style controls?
• More items to be protected?
  – Photographs
  – Biometrics
  – IP addresses
• More contractual requirements between organizations?
• More definition of how information is to be protected?
Summary
• Know the state(s) represented in your business (employees, customers, vendors, affiliates)
• Know the industry(ies) represented in your business (health, insurance, finance, retail)
• Know the major business processes (HR, procurement, finance, business operations)
You are prepared when
- new laws are enacted
- business processes change
- the company changes (acquisition, divestiture, etc.)
Quiz
Following examples from http://www.idtheftcenter.org/artman2/publish/itrc-news/Notification_Roulette.shtml
1 Paperwork containing personal and financial information was found littering the streets of Buffalo, New York. The customer records were from Rent-a-Center. Do they have to notify you?
2 In Arizona, thousands of pages of sensitive information reportedly disposed of by The Vine Tavern and Eatery contained people's names, Social Security numbers and dates of birth from restaurant applications, as well as checks with banking information and also credit card receipts with full card numbers from Vine customers. The receipts revealed a person's entire credit card number.
3 Over 40,000 intact patient records containing personal and medical information were found in a pile described as 20' long by 20' wide at Georgetown Transfer Station in Massachusetts. The records, from four hospitals, had reportedly been dumped there by the medical billing service they had used.
4 An unknown number of canceled checks bearing Social Security and bank account numbers of Rockland, Massachusetts town employees are missing after wind knocked them from a loaded recycling truck.
5 Approximately 30,000 estimated tax payments with checks wound up in the San Francisco Bay after the truck transporting them to the Internal Revenue Service was involved in an accident and wind blew the mail into the bay.
6 Boxes with 1,590 patient records from a Charlotte, North Carolina psychologist's practice were left at a county recycling facility because the psychologist's sons mistakenly took the wrong boxes to be recycled. The records contained patient names, contact information, Social Security numbers, credit card numbers and medical histories.
Quiz
7 In Illinois, hundreds of sensitive documents that were provided to the law firm of Robert J. Semrad & Associates, also known as DebtStoppers USA, ended up in a trash bin in an area the firm shares with other businesses. The "Client Information Sheets" contained Social Security numbers, full names and addresses, driver's license numbers and signed debit card authorizations.
8 75 legal files were found in a dumpster off Interstate 10 near Boerne, Texas. The files, which included people's names, addresses, bank accounts, Social Security numbers, driver's license numbers, and birth dates, belonged to attorney David Naworski, who readily acknowledged throwing them away unshredded and said he was unaware of any state law on disposal.
9 Three small file boxes full of decade-old personal records belonging to customers of the First Federal Savings Bank were found near a residential street in Bryan, Texas. The bank had apparently closed its doors under that name around 2002 and has been acquired by several banks since then. The current owner says that they never assumed ownership of those bank records.
10 Credit-card numbers from 17,000 guests at the Emily Morgan Hotel in San Antonio were stolen and used in a three-state shopping spree. Officials say the suspects used stacks of stolen credit-card receipts from a storage room at the hotel in 2006.
11 The University of Florida discovered that 2,047 people had their Social Security or Medicaid identification numbers included on address labels affixed to letters inviting them to participate in a research study. The letters were sent through the U.S. Postal Service on May 24, and the information also was shared with a telephone survey company.
12 In Maryland, Montgomery County's Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors' yards over the past few months. The exposed internal documents contained patient conditions, names and Social Security numbers.
Resources
• Map and other state/Canadian info: http://www.nymity.com/About_Nymity/Nymity_Maps.aspx
• privacylaw.proskauer.com/articles/security-breach-notification-l/
• Summary of state data breach requirements: www.perkinscoie.com/news/pubs_detail.aspx?publication=26596137-b74f-4b68-8063-93f996f233e9
• List of state breach statutes: www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/OverviewSecurityBreaches/tabid/13481/Default.aspx
• www.ncsl.org/Default.aspx?TabId=13489
• "Intersections - Data Breach Consumer Notification Guide" details each state's law, 118 pages; contact info: www.intersections.com, 888.283.1725, DataBreachServices@Intersections.com
• Guide to CA regulations: www.sb-1386.com
• Breach notification letters: datalossdb.org/incident_highlights/34-data-breach-notification-letters
• NY guide to handling PII: www.nysconsumer.gov/pdf/protecting/information_privacy/the_new_york_business_guide_to_privacy.pdf
• Summary of US privacy laws (undated): www.bbbonline.org/understandingprivacy/library/fed_statePrivLaws.pdf
Questions/other follow-up?
Feel free to contact:
Allison Dolan adolan@mit.edu 617.252.1461
Places to look for PII/SSN - Employee Processes
• Job applications
• Background checks
• New hire paperwork - I-9, Federal/State tax withholding, benefit enrollment, other new hire forms
• Payroll, timecards, paychecks, direct deposit forms; wage garnishing requests
• Ongoing benefit and 401(k) processes
• Status changes (e.g. marriage)
• Worker's compensation, medical leave forms
• Employee loan programs
• Specialized certifications (e.g., nurse, engineer)
• Special requirements (e.g. top secret clearance, confidentiality agreement, employment contracts)
• Employee reporting (e.g. annual reviews)
• Union reporting
Places to look for PII/SSN - Customer Processes
• Services that require the customer's PII - e.g., banking and financial services, education services, car rentals, tax preparation, accounting, etc.
• Products/services with check and/or credit card payments
• Services that require PII of others - e.g., 401(k) administrators, benefit providers, underwriters, claim administrators
• Services that may involve access to PII of others - e.g., backup service providers, shredding services, IT application developers and system admins, custodians
Places to look for PII/SSN - Financial Processes
• Vendor files/vendor payments - e.g., independent contractors
• Employee reimbursements (look at the form used to request reimbursements, as well as the backup to the request)
• Honoraria
• Employee awards
• Customer rewards, awards, or payments
• Other payments - e.g., payments to "one-off" vendors, research subjects, casual labor
• Taxes
• State or federal government reporting - corporation reports, real estate transactions
• Financial reporting - SEC
Places to look for PII/SSN - Miscellaneous Processes
• State visits
• Any service that predates a non-SSN organizational ID (e.g. library, parking, travel, conference attendance)
• Insurance (beneficiaries)
• Legal (subpoenas, court records, etc.)
• Audit (if PII was part of the process that was audited)
• Research grants (pre-2009)
• Medicare
• Internal medical
• System backups
• Paper archives
• Printing/scanning with devices that retain information
• PCs after "delete trash" (deleted files remain recoverable from disk); PCs prior to redeployment
• Email
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 

Recently uploaded (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 

State Data Breach Laws - A National Patchwork Quilt

  • 1. State Data Breach Laws ….A National Patchwork Quilt
    Allison Dolan, Program Director, Protecting Personally Identifiable Information, Massachusetts Institute of Technology
  • 2. Presentation Overview
    • Breach law history
    • Massachusetts and other states
    • What’s on the horizon
    10/21/2010 Rochester Security Summit 2010
  • 3. Key Take-aways
    Laws and regulations continue to abound – and are becoming more proscriptive
    Know what state(s) are relevant
    Know what industry(s) are relevant
    Know what processes you have
  • 4. Laws & Regulations
    • FERPA - Family Educational Rights and Privacy Act
    • Gramm-Leach-Bliley Act
    • HIPAA - Health Insurance Portability and Accountability Act
    • FACTA/Red Flags Rule
    • PCI DSS - Payment Card Industry Data Security Standards
    • HITECH Act - Health Information Technology for Economic and Clinical Health
    • State data breach laws, regulations
  • 5. State Laws
    2002 – California SB-1386 – consumer notification if unauthorized access to unencrypted electronic records with personal information
    2005 – New York data breach law GBL 899-aa
    2007 – Massachusetts MGL 93H/I – 39th state with breach law; 5th to include paper; 1st to require “written information security program”
    2007 – California AB 1298 added medical and health insurance information to definition of PI
    2010 – 47 states, Puerto Rico, Virgin Islands, DC, NYC with laws
  • 6. Massachusetts Data Breach Law (M.G.L. c.93H & 93I)
    • Personal information (PI) = last name (with first name or initial), along with one or more of Social Security Number; Driver’s License # or Mass. ID#; Financial Account # or Credit/Debit Card #
    • Defines obligations re: notification, if paper or electronic files exposed (irrespective of encryption)
    • Includes what must be in notification letter
    • When destroyed, must be done such that PI cannot be practicably read or reconstructed
    • Data protection regulations initially issued 9/08; ultimately effective 3/1/2010
  • 7. Massachusetts Data Protection Regulations (201 CMR 17)
    http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
    If you have Personal Information, then you have a “duty to protect” and need to follow “standards to protect”, including:
    – “Develop, implement, maintain and monitor a …written information security program” (WISP)
    – Limit access and ensure user authentication & authorization
    – “Oversee” 3rd parties
    – Encrypt transmitted records and personal information stored on laptops or other portable devices
    – Maintain up-to-date versions of system security including malware protection, patches and virus definitions
    – …plus other requirements
  • 8. Massachusetts Data Protection Regulations Evolution
    • Office of Consumer Affairs and Business Regulation promulgated regulations; Attorney General responsible for enforcement
    • Draft regulations 2/08
      – Included technical detail for encryption requirements
      – A lot of feedback
    • Issued 9/08, with 1/1/09 effective date
      – No technical requirements for encryption
      – “Certification” of 3rd parties
      – Implied requirement to inventory PI
      – Standards were ‘one size fits all’
  • 9. Massachusetts Data Protection Regulations Evolution cont’d
    – 4 postponements with revisions
    – Added emphasis on risk-based approach – small business with little PI has different risk than large company
    – Made more explicit that ‘written program’ could consist of compilation of existing written policies/practices
    – Need to “oversee” 3rd parties by taking “reasonable steps” to ensure 3rd party can protect information
    – Entire IT section prefaced with “to the extent technically feasible”
  • 10. California redux
    • 2007 – AB 1298 added medical information and health insurance information to the definition of PI
    • 2010 – SB 1166
      – Additional information in notification letters, including
        – Type of personal information exposed
        – Description of incident, including date
        – Steps organization is taking to protect individuals
        – Steps consumers can take to protect themselves, including contact information for credit reporting agencies
      – Breach affecting >500 must review notification letter with AG
  • 11. State comparisons
    – All(?) focus on state residents (not company residence)
    – Most focus on electronic records; few include paper/other media
    – Most include SSN, Driver’s License/state-issued ID, CCN, financial account numbers; some limit only if PID/PIN included
    – Some include mother’s maiden name, date of birth, etc.
    – Many exempt ‘protected’ or encrypted records
  • 12. State comparisons
    – State agency notification varies – e.g. AG, others, none
    – Template for notification letter varies – e.g., some require details of breach (when, how, #), others preclude details
    – Timeframe varies – “without unreasonable delay”, “5 days”; often exception for police investigation
    – Harm threshold varies – no threshold through “reasonably believed to have been acquired by an unauthorized person”
    – Quantity threshold varies – 1 to 1,000 (also, maximum for personal notification)
    – Penalties vary, some with maximums
    – Private right of action varies
  • 13. Federal Trends
    – HITECH (2/2009)
      – notification requirements for HIPAA Covered Entities and Business Associates
      – national database
      – HHS AND State AG enforcement
    – Data Breach Notification Act (introduced 1/2009)
      – Authorize AG to bring civil action if notification did not occur
      – Extends notification requirement to government agencies
    – Personal Data Privacy and Security Act (introduced 7/2009)
      – Set criminal penalties for willful concealment of breach
      – Require preventative security standards
  • 14. Federal Trends
    – 2010 Data Security Act SB 3579 (2007, reintroduced 7/2010)
      – preempt state laws
      – modeled after GLBA
      – establish “appropriate standards” for administrative, technical and physical data protection
    – Data Security and Breach Notification Act of 2010 S.3742
      – Require protection of PI (FTC to set national standards)
      – Require notification within 60 days
      – Require offering 2 years of credit protection
      – Up to $5 million in civil penalties
      – Exemption for entities covered by FCRA
  • 15. In Our Future?
    – More European-style controls?
    – More items to be protected?
      – Photographs
      – Biometrics
      – IP addresses
    – More contractual requirements between organizations?
    – More definition of how information is to be protected?
  • 16. Summary
    – Know the state(s) represented in your business (employees, customers, vendors, affiliates)
    – Know the industry(s) represented in your business (health, insurance, finance, retail)
    – Know the major business processes (HR, procurement, finance, business operations)
    You are prepared when
    - new laws enacted
    - business processes change
    - company changes (acquisition, divestiture, etc.)
  • 17. Quiz
    Following examples from http://www.idtheftcenter.org/artman2/publish/itrc-news/Notification_Roulette.shtml
    1. Paperwork containing personal and financial information was found littering the streets of Buffalo, New York. The customer records were from Rent-a-Center. Do they have to notify you?
    2. In Arizona, thousands of pages of sensitive information reportedly disposed of by The Vine Tavern and Eatery contained people’s names, Social Security numbers and dates of birth from restaurant applications, as well as checks with banking information and also credit card receipts with full card numbers from Vine customers. The receipts revealed a person’s entire credit card number.
    3. Over 40,000 intact patient records containing personal and medical information were found in a pile described as 20’ long by 20’ wide at Georgetown Transfer Station in Massachusetts. The records, from four hospitals, had reportedly been dumped there by the medical billing service they had used.
    4. An unknown number of canceled checks bearing Social Security and bank account numbers of Rockland, Massachusetts town employees are missing after wind knocked them from a loaded recycling truck.
    5. Approximately 30,000 estimated tax payments with checks wound up in the San Francisco Bay after the truck transporting them to the Internal Revenue Service was involved in an accident and wind blew the mail into the bay.
    6. Boxes with 1,590 patient records from a Charlotte, North Carolina psychologist’s practice were left at a county recycling facility because the psychologist’s sons mistakenly took the wrong boxes to be recycled. The records contained patient names, contact information, Social Security numbers, credit card numbers and medical histories.
  • 18. Quiz
    7. In Illinois, hundreds of sensitive documents that were provided to the law firm of Robert J. Semrad & Associates, also known as DebtStoppers USA, ended up in a trash bin in an area the firm shares with other businesses. The “Client Information Sheets” contained Social Security numbers, full names and addresses, driver’s license numbers and signed debit card authorizations.
    8. 75 legal files were found in a dumpster off Interstate 10 near Boerne, Texas. The files, which included peoples’ names, addresses, bank accounts, social security numbers, driver license numbers, and birth dates, belonged to attorney David Naworski, who readily acknowledged throwing them away unshredded and said he was unaware of any state law on disposal.
    9. Three small file boxes full of decade-old personal records belonging to customers of the First Federal Savings Bank were found near a residential street in Bryan, Texas. The bank had apparently closed its doors under that name around 2002 and has been acquired by several banks since then. The current owner says that they never assumed ownership of those bank records.
    10. Credit-card numbers from 17,000 guests at the Emily Morgan Hotel in San Antonio were stolen and used in a three-state shopping spree. Officials say the suspects used stacks of stolen credit-card receipts from a storage room at the hotel in 2006.
    11. The University of Florida discovered that 2,047 people had their Social Security or Medicaid identification numbers included on address labels affixed to letters inviting them to participate in a research study. The letters were sent through the U.S. Postal Service on May 24, and the information also was shared with a telephone survey company.
    12. In Maryland, Montgomery County’s Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors’ yards over the past few months. The exposed internal documents contained patient conditions, names and Social Security numbers.
  • 19. Resources
    • Map and other state/Canadian info: http://www.nymity.com/About_Nymity/Nymity_Maps.aspx
    • privacylaw.proskauer.com/articles/security-breach-notification-l/
    • Summary of state data breach requirements: www.perkinscoie.com/news/pubs_detail.aspx?publication=26596137-b74f-4b68-8063-93f996f233e9
    • List of state breach statutes: www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/OverviewSecurityBreaches/tabid/13481/Default.aspx
    • www.ncsl.org/Default.aspx?TabId=13489
    • "Intersections - Data Breach Consumer Notification Guide” details each state's law, 118 pages; contact info: www.intersections.com, 888.283.1725, DataBreachServices@Intersections.com
    • www.sb-1386.com/ – Guide to CA regulations
    • Breach notification letters: datalossdb.org/incident_highlights/34-data-breach-notification-letters
    • NY Guide to handling PII: www.nysconsumer.gov/pdf/protecting/information_privacy/the_new_york_business_guide_to_privacy.pdf
    • Summary of US privacy laws (undated): www.bbbonline.org/understandingprivacy/library/fed_statePrivLaws.pdf
  • 20. Questions/other follow-up?
    Feel free to contact: Allison Dolan, adolan@mit.edu, 617.252.1461
  • 21. Places to look for PII/SSN – Employee Processes
    • Job applications
    • Background checks
    • New hire paperwork - I-9, Federal/State tax withholding, benefit enrollment, other new hire forms
    • Payroll, timecards, paychecks, direct deposit forms; wage garnishing requests
    • Ongoing benefit and 401(k) processes
    • Status changes (e.g. marriage)
    • Worker’s compensation, medical leave forms
    • Employee loan programs
    • Specialized certifications (e.g., nurse, engineer)
    • Special requirements (e.g. top secret clearance, confidentiality agreement, employment contracts)
    • Employee reporting (e.g. annual reviews)
    • Union reporting
  • 22. Places to look for PII/SSN – Customer Processes
    • Services that require customer’s PII - e.g., banking and financial services, education services, car rentals, tax preparation, accounting, etc.
    • Products/services with check and/or credit card payments
    • Services that require PII of others - e.g., 401(k) administrators, benefit providers, underwriters, claim administrators
    • Services that may involve access to PII of others - e.g., backup service providers, shredding services, IT application developers and system admins, custodians
  • 23. Places to look for PII/SSN – Financial Processes
    • Vendor files/vendor payments, e.g., independent contractors
    • Employee reimbursements (look at form used to request reimbursements, as well as backup to request)
    • Honoraria
    • Employee awards
    • Customer rewards, awards, or payments
    • Other payments - e.g., payments to ‘one-off’ vendors, research subjects, casual labor
    • Taxes
    • State or federal government reporting - corporation reports, real estate transactions
    • Financial reporting - SEC
  • 24. Places to look for PII/SSN – Miscellaneous Processes
    • State visits
    • Any service that predates non-SSN organizational ID (e.g. library, parking, travel, conference attendance)
    • Insurance (beneficiaries)
    • Legal (subpoenas, court records, etc.)
    • Audit (if PII part of the process that was audited)
    • Research grants (pre-2009)
    • Medicare
    • Internal medical
    • System backups
    • Paper archives
    • Printing/scanning with devices that retain information
    • PCs after ‘delete trash’; prior to deployment
    • Email

Editor's Notes

  1. 1
  2. What this means to companies in general - some industries, like Health Care, already ‘covered’; Ask audience – who is NY? Health Care? Retail? Any international?? If so – can’t help
  3. Review of federal… FERPA – 1972; no notification; GLB – basis for many state laws; HIPAA – protection, but no notification; FACTA – data protection; PCI – notify banks, but not consumers; HITECH – first federal. State HITECH FIRST NATIONAL DATA BREACH – ALSO, STATE AG INVOLVEMENT – Conn was first. Ask about what ones are relevant to audience
  4. MA definition of PI fairly typical
  5. MA seems to be influencing others – this bit of background might be useful. OCABR and AG – didn’t talk with each other – i.e. what OCABR expected and what AG doing not necessarily in synch
  6. Technically feasible – that means what is ok today might not be in the future…
  7. Mention CA law re: medical notification within 5 days - $100/day/record penalty up to a maximum. Significant implications of multi-state breach – Minimum – different letters. If <1000 in state with 1K threshold, but 10 in state with no threshold – do you notify the 10 and not the 999?
  8. Bills on calendar for full senate
  9. FCRA – Fair Credit Reporting Act
  10. 1) No. Even though financial information about you was exposed, it was exposed by a business, not a regulated financial institution. New York State law does not require businesses to notify consumers of breaches involving paper records. 2) No. Not only does Arizona law not require notification of breaches involving paper records, but there is no law preventing such dumping of records. Arizona’s protections are significantly less than many other states’ because AZ also does not require breach notification for computerized data unless the breach is “reasonably likely to cause substantial economic loss.” For a state that claims to be worried about ID theft due to immigration concerns, their lack of state laws to secure data and notify individuals of breaches is surprising. 3) Yes. The federal medical privacy law known as HIPAA, as amended by ARRA, requires all covered entities to notify affected individuals even if the records are in paper format. But: covered entities do not have to notify individuals unless there is a “significant risk of harm” to the individual. The U.S. Dept. of Health & Human Services has recently withdrawn this breach notification rule and it is undergoing further consideration. Even if this breach did not have to be reported under HIPAA, however, it would likely have to be reported under Massachusetts state law, which does cover paper records. 4) Yes, the town would likely be obligated to report the breach under Massachusetts law. 5) Yes, the IRS would likely be obligated to notify, but since the mail had not yet been opened, they had no idea whom to notify. 6) Yes, under both HIPAA and North Carolina law. North Carolina is one of only a few states that include paper records in their breach notification law.
  11. 7) Probably not. Illinois law does not cover paper breaches and it is not clear to me whether bankruptcy lawyers would be covered under the Federal Trade Commission (FTC) Safeguards Rule. This is a useful example of how consumers do not have a simple and clear understanding of whether they will be notified or not. Do we need to become lawyers to figure out which laws apply and how? 8) No. Although Texas requires businesses to dispose of records securely and the state attorney general can bring charges against or sue a business for improper disposal, there is no requirement that the entity notify individuals of a breach involving paper records. 9) I would say “yes” because it was a financial institution and the records contained sensitive information, but since the bank no longer exists, who is going to notify you? 10) No. Although the hotel did notify affected customers (once they realized there had been a breach and were able to figure out who to notify), Texas law does not mandate breach notification if the breach involved paper records. Credit card receipts are paper records. 11) No. Although the University notified affected individuals, Florida law does not require notification if the breach involves paper records. Nor does FERPA, the federal educational rights privacy law that applies to public universities and schools, require notification of breaches. 12) No. I bet you thought I was going to say “Yes, under HIPAA,” but nursing homes are not covered by HIPAA and Maryland does not require breach notifications if the breach involves paper records.
  11. 7)Probably not.  Illinois law does not cover paper breaches and it is not clear to me whether bankruptcy lawyers would be covered under the Federal Trade Commission (FTC) Safeguards Rule.  This is a useful example of how consumers do not have a simple and clear understanding of whether they will be notified or not.  Do we need to become lawyers to figure out which laws apply and how? 8)No.  Although Texas requires businesses to dispose of records securely and the state attorney general can bring charges against or sue a business for improper disposal. here is no requirement that the entity notify individuals of a breach involving paper records. 9)I would say “yes” because it was a financial institution and the records contained sensitive information, but since the bank no longer exists, who is going to notify you? 10)No. Although the hotel did notify affected customers (once they realized there had been a breach and were able to figure out who to notify), Texas law does not mandate breach notification if the breach involved paper records. Credit card receipts are paper records. 11)No.  Although the University notified affected individuals, Florida law does not require notification if the breach involves paper records.  Nor does FERPA, the federal educational rights privacy law that applies to public universities and schools, require notification of breaches. 12) No.  I bet you thought I was going to say “Yes, under HIPAA,” but nursing homes are not covered by HIPAA and Maryland does not require breach notifications if the breach involves paper records.