An overview of the Massachusetts 201 CMR 17 Data Privacy Law which goes in to effect on March 1. Contact information is available for each presenter in the slidedeck. Please contact any of us with questions.

2. Welcome About the Law Affected Organizations Presenters Privacy Partners Compliance Accounting Legal Insurance Technology

3. Seminar Agenda

4. Regulatory Compliance Which Organizations are required to comply with the new law? Verbiage: Organizations, “who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” Personally Identifiable Information (PII) Includes: Electronic Transaction and Billing Data (cc #s, bank data, etc) Identity-Theft Target Data (ss#, identification, etc) Customer Records

5. What is Required? Four Main Components: Risk Assessment and WISP Data Privacy Awareness Policy Security (A/V, Firewall, Encryption) Vendor WISP or Sign-Off

6. 201 CMR 17.00 Customers Vendors Web Sites Remote Workers Suppliers External Requirements

8. Clients

9. ProjectsServices Provided

11. Heartland

12. CVS

13. Every day there are new breaches

14. Verizon report, April 2009: three-fold increase in breaches in 2008

17. Compliance is based on size, scope, type of business

20. Size, scope and type of business

21. Amount of resources available to business

22. Amount of data stored

23. Need for security and confidentiality of both consumer and employee information

24. All persons, businesses, agencies must destroy records containing Personal Information “such that the data cannot be practicably read or reconstructed after disposal or destruction”The Program = Your WISP

26. SSN,

27. Driver’s License # (or state-issued ID)

28. Financial Account Number, or

30. Identify and assess reasonable foreseeable internal and external risks

31. Evaluate and improve (where necessary) effectiveness of current safeguards for limiting risks

33. Prevent terminated employees from accessing records

34. Oversee service providers

35. Reasonable restrict physical access to, and storage of, recording containing Personal Information

36. Regularly monitor Program and upgrade safeguards as necessary

37. Review Scope of security measures at least annually, or whenever there is a material change in business practices

38. Document responsive actions taken after any breach and conduct post-incident review of events and actions takenIn case of breach, REACT IMMEDIATELY (see addendum for directions to be followed)

40. Assign unique ID’s plus Passwords – that are NOT vendor supplied defaults passwords

41. User Passwords / Biometric / Token devices

42. Control of Data Security Passwords (keys to vault)

43. Restricting Access to Active Users

44. Blocking Access after Multiple Attempts

45. Restrict Access to Records and Files to Needed Personnel

49. Rotation

52. Control Access

53. Multi-Tiered Approach to MALware – firewalls, Virus, Spyware, and SPAM elimination

54. Encryption

55. Reduce potential points of breach

56. Patch Management Program

57. Monitor Everything – and then again

58. BackUp and Disaster Recovery / Avoidance

61. Partners

62. Clients

64. Bank Account Numbers

65. Financial Data

67. Encryption

68. Mail

70. Contact LCWA Contact Jim Wiesman: jwiesman@lcwainc.com www.lcwainc.com (978)689-8822

72. Partners

73. Clients

75. Potential for Risk

76. Comparison to Similar Laws

77. Explicit Cost of Fines

78. Cost of Defense

82. Burned

83. Pulverized or

86. Implement and monitor compliance with policies and procedures

88. Attorney General action under Chapter 93A

89. Civil penalties up to $5,000 for each violation

90. Costs of investigation and litigation, including attorney’s fees

92. Notification is triggered by the breach itself rather than the likelihood of harm or misuse of Personal Information

94. More than 500,000 affected Mass residents; or

95. Costs of providing written notices shall exceed $250,000Substitute notice consists of: email notice to affected consumers Clear and conspicuous notice on the company's home page; and Publication in statewide media

97. Number of Mass residents affected; and

99. Security Breaches: G.L. ch. 93H COMMON MISTAKES made in Notices to Affected Mass residents Notice is too general Fails to include the four (4) Mass specific requirements Fraud Alert vs. Security Freeze References to websites rather than providing information in letter itself – thereby putting burden on affected residents to find information Provides a range of fees relating to security freeze when in fact amount is set by statute G.L. 93 ss 56 and 62A

100. Discovery of a Breach Typical situations: Stolen or Laptop, flash drive or other portable media Unauthorized activity on the network Missing, lost or stolen paper files Actions of departing employee Complaints from customers or employees 3rd Party Vendor breach In any of these cases, REACT IMMEDIATELY (see addendum for directions to be followed)

102. Office of Consumer Affairs

105. Cost will exceed $250,000, or

106. Affected class exceeds 500,000 residents, or

107. Do not have sufficient contact information

108. Substitute Notice

109. Email

110. Website

113. Most protect financial information, but some also protect medical information

115. Penalties

116. Fines

118. Assessment of Potential RiskSGO Compliance

119. Contact SGO Contact Peter Shaheen, Esq. pshaheen@sgolawoffice.com http://www.sgolawoffice.com/ (978)689-0800

121. Leadership

122. Clients

124. Cyber –tech Coverage

125. Liability

126. Employment Practices

128. How Much Coverage should you purchase?

132. IT Managed Services

133. Corporate Voice & Data

134. Leadership

135. Pete Peterson

136. Paul Cissel

137. Rick Umenhofer

138. Doug Smith

140. Encryption of Sensitive Data

142. Updates

144. Updates

148. Regular Updates

149. Periodic Testing of Data Integrity

152. Encryption

153. Disable & Destroy

155. 201 CMR 17.00 Customers Vendors Web Sites Remote Workers Suppliers External Requirements