Massachusetts’ sweeping new data protection rules
Joe Laferrera
Gesmer Updegrove LLP
March 2010
Massachusetts’ Law: Chapter 93H
[Diagram, text only partly recoverable: Chapter 93H of the Massachusetts General Laws; identity theft; residents of the Commonwealth; regulations promulgated under the statute.]
[Diagram: Internal Risks and External Risks. Fact-specific analysis for identifying and assessing risks; evaluating and improving the effectiveness of safeguards.]
Off-Premises Access
Develop policies “relating to the storage, access and transportation of records containing personal information outside of business premises.”
Telecommuting
Use of messenger and delivery services
Ability to maintain files at home
Disciplinary Measures
State wants to know that the WISP is taken seriously.
Discipline must be imposed for breach.
Flexibility can be preserved.
Terminated Employees
Access to Personal Information prohibited for terminated employees:
Email
Network accounts
Physical access
3rd-Party Providers
Select 3rd-party providers “capable of maintaining appropriate security measures” consistent with Massachusetts and federal regulations.
Contractually require compliance:
1. In all contracts executed after the effective date (March 1, 2010)
2. In all contracts, after March 1, 2012
Changed yet again: Deleted Provisions
No more requirement of a data inventory
No more limitation on duration or amount of collection to that “reasonably necessary”
[Struck through in the original: PI Inventory]
Physical Access
Physically restrict access to Personal Information.
Personal Information must be kept in locked facilities or containers.
WISP Monitoring and Review
WISP must provide for ongoing monitoring of plan effectiveness.
At least annual review of the WISP to accommodate new and unanticipated risks.
Post Hoc Incident Reviews
After a “breach of security”:
subsequent review of the response and of changes necessary to prevent recurrence
documentation of the event and the response
Electronic Requirements (201 CMR 17.04)
User authentication protocols
Laptop and mobile device encryption
The Approach
Audit and assess
Inventory the types of PI kept
Review 3rd-party contracts
Assess risks
Plan information and data strategy
IT infrastructure and information process changes
Implement plan and policies
Contract changes, employee policies, etc.
40 Broad Street
Boston, MA 02109
(617) 350-6800
gesmer.com
joe.laferrera@gesmer.com
All rights reserved. ©2010 Gesmer Updegrove LLP. This may be considered advertising under Mass. R. Prof. C. 7.3(c).