sign in sign up
<<
Home , Identity theft

Driving Business Advantage

Five Key Steps to Developing an nformation Security Program by GabrielM.Helmer Security Program an to Developing Five Key Steps I nformation

Foley Hoag eBook Hoag Foley Contents

Introduction...... 1

1. Take the Time to Comprehensively Evaluate the Company’s Legal Obligations...... 3

2. Review What You Need to Accomplish...... 6

3. Choose an Coordinator/Team...... 7

4. Start With What You Have...... 8

5. Evaluate Potential Threats and Adopt Reasonable Security Measures to Combat Them...... 10

Appendix A - Massachusetts Identity Laws & Regulations...... 14

Appendix B - Federal Red Flags Rules...... 18

FTC Guidelines to Compliance with Red Flags Rules...... 21

Supplement A to Appendix A...... 26

About Foley Hoag LLP...... 30

About the Security and Practice...... 30

Gabriel M. Helmer...... 31

Attorney advertising. Prior results do not guarantee a similar outcome. © 2010 Foley Hoag LLP. All rights reserved. “Responding to the rising tide of damaging security incidents, the federal government and the majority of states have enacted laws and regulations requiring individuals and companies to adopt comprehensive information security programs to protect sensitive information.” Five Key Steps to Developing an Information Security Program by Gabriel M. Helmer

Information security — the discipline of protecting information found in paper documents, electronic files, and emails — has become increasingly important in business. As reports of identity theft, data breaches and have become more common, government has begun to call on businesses, both large and small, to take on new responsibilities for protecting sensitive information.

Responding to the rising tide of damaging security incidents, the federal government and the majority of states have enacted laws and regulations requiring individuals and companies to adopt comprehensive information security programs to protect sensitive information. For instance, the (FTC) along with federal banking regulatory authorities have adopted the Red Flags Rules. This broad set of regulations require businesses to assess their information security practices and implement an identity theft prevention program to mitigate the risk of identity theft. Financial institutions are also subject to Gramm Leach Bliley Act regulations, such as the FTC’s Safeguards Rule, which requires the adoption of a “comprehensive information security program” to protect nonpublic customer information.

At the state level, the majority of states have put in place regulations governing how businesses collect, handle and dispose of personal information. Aggressive new Massachusetts regulations, like those in many other states, require any individual or business that accesses personal information about a Massachusetts resident to develop a “comprehensive, written information security program.” Massachusetts has also adopted laws requiring public notification of security incidents and secure disposal of customer information.

The new federal and state identity theft regulations join dozens of other legal requirements that have emerged over time, including rules governing medical information, insider information, customer data, trade secrets, intellectual and other kinds of sensitive information. In the past, businesses typically responded to new legislation by adopting compliance policies limited to specific categories of protected information. But new laws now demand that businesses adopt a dynamic, comprehensive approach to information security. This is an opportunity for

1 2 Five Key Steps to Developing an nformation Security Program included withthis eBookare FoleyHoag’s guides totheMassachusettsidentity theftlawsand 1 begin theprocess ofdevelopingacompliantprogram infivesteps. the newfederalandstateregulations. Whatfollowsisaguidethatexplainshowto Many businesseshavetrouble knowingwhere tobeginandwhatdocomplywith necessary toavoidpotentiallyseriouslegalliabilitiesinthefuture. businesses tomakesure theirinformationassetsare wellprotected, butitisalso specific examplesthroughout thisguide. and theMassachusettsidentitytheftregulations. We willusetheseregulations as with therangeofnewinformationsecuritylaws,in particular, federalRedFlagsules T complying withinformationsecuritylaws. combat them.Fixinganynoticeableholesinexisting securitymeasures isthekeyto Finally, evaluatethepotentialthreats andadoptthesecuritymeasures necessaryto fromneed tostart scratchormakedrastic changes. Most businessesare already takingstepstoprotect sensitiveinformationanddonot assesswhatthebusinessisalreadyFourth, doingtomaintaininformationsecurity. businesses. isakeydecisionformost Whowillleadthiseffort variety ofdifferent departments. and maintaininginformationsecuritythiswillrequire inputandcooperationfrom a The newlawsrequire thatacoordinator orteamassumeresponsibility todeveloping Third, selecttherightpersonorateamtodevelopinformationsecurityprogram. them. information. Makesure youknowwhattheobjectivesare before yousetouttomeet that mustbemet,suchasencryptinglaptopcomputerscontainingpersonal require “reasonable andappropriate” protections, othershavespecific requirements applicable legalobligations.Whilesomeofthenewinformationsecuritylawswill Second, makealistofallthespecificelementsthatwillbe required tofulfillthe law, regulation andrulethatapplies. requirements gounnoticed.Makesure yourbusinesshasidentifiedeachandevery apply. regulation Attentionisoftenfocusedonaparticular whileotherlegal First, thebusinessshouldcomprehensively assesswhatlaws,regulations andrules aking thetimetofollowthesestepswillensure thatthebusinessremains compliant regulations (A ppendixA) andthe federalRedFlags Rules(A ppendix B). 1

Five Key Steps to Developing an nformation Security Program 3

ffected businesses are required required Affected businesses are 2 ssociation recently obtained a court order excusing lawyers from compliance compliance from lawyers excusing order court a obtained recently ssociation A Take the Time to to Time the Take Comprehensively the Company’s Evaluate Legal Obligations

merican Bar Bar merican A

Federal Red Flags Rules, codified in 16 C.F.R. § 681, expressly apply to apply to § 681, expressly in 16 C.F.R. Federal Red Flags Rules, codified the FTC has stated that the however, “financial institutions” and “creditors;” sells goods or services first encompasses any company that term “creditor” of these rules interpretation broad The FTC’s and then bills its customers later. has come as a surprise to many industries. to routinely assess whether they maintain accounts that present a risk of assess whether they maintain accounts that present to routinely that program” identity theft and, if they do, develop an “identity theft prevention information on the More protections. and appropriate puts in place reasonable Red Flags Rules may be found in Appendix B ndeed the the ndeed A. No. 09-1636 (Oct. 30, 2009). FTC, Civ. with the Red Flags Rules. See Dkt. No. 15, ABA v.

•  1 2 i

complying with (and program an information security The first step to establishing the laws that may is to take the time to fully assess information security rules) recent Acting on faulty assumptions This step is often overlooked. apply to the company. evaluation for fear of uncovering about what rules apply or putting off the preliminary that can expand a company’s shortsighted approaches legal obligations, are onerous company personnel sit down with liabilities. The better course of action is to have and rules what laws, regulations evaluate experienced counsel and comprehensively company. apply to information collected by the obligations and liabilities can be a legal evaluation of a company’s A reasonable laws that of federal, state and international hundreds are challenge because there of law is still relatively and experience with this area could govern information security evaluation is particularly Nevertheless, important. a comprehensive scarce. Not only information security program that the comprehensive require do the new regulations all of the company’s but addressing standards, be consistent with all applicable legal the company time and money in the long term. obligations at the same time will save law that should be considered. of areas Condensed below is a list of some key

4 Five Key Steps to Developing an nformation Security Program “ •  •  •  states, the answer no.” is Formany states. other in regulations and laws similar with complying is business a that ensure the aggressive new Massachusetts regulations will We are commonly asked whether compliance with 93H, and the subject totheMassachusettsdatabreach notificationlaw, Mass.Gen.Lawsch. All businessessubjecttotheMassachusettsidentitytheftregulations are also Appendix . information onMassachusettslawsandregulations, review ourguideat accesses orhowoftenthecompanypersonalinformation.Formore small thebusiness,andnomatterhowmuchpersonalinformationabusiness regulations applynomatterwhere thebusinessislocated,nomatterhowlarge or records. Remembertoconsiderthisquestionbroadly —theMassachusetts checks, taxfilings, statementsandawiderangeofotherbusiness include customerrecords, employeefiles,somemedical records, copiesofbank number. UnderMassachusettslaw, “personalinformation”isbroad enoughto identification number, or(3)credit card, bankaccountorotherfinancial combination withhisorher(1)SocialSecuritynumber, (2)driver’s licenseorstate information” isdefinedbythestatuteasnameofaMassachusettsresident in Massachusetts identity theft regulations, 201 C.M.R. §§ 17.00-17.05. “Personal information,” asthattermisdefinedunderMassachusettslaw, issubjectto and regulations. Forexample,anybusinessthatownsorlicenses“personal ofstateidentitytheftlaws It iscrucialthateverybusinessevaluatetheeffect identity theftstatute,likeMassachusetts,appliestoanybusinesswithaccess to other states.Formanystates,theanswerisno. example,theCalifornia will ensure thatabusinessiscomplyingwithsimilarlawsandregulations in asked whethercompliancewiththeaggressive newMassachusettsregulations than onestatemustconsiderthelawsofmultiplestates. We are commonly contractsorbusiness operationsinmoreAny businesswithcustomers,staff, should incorporateprocedures forcomplyingwiththeserequirements. containing “personalinformation.”Acompliantinformationsecurityprogram destroy, ratherthanmerely throw away, documentsandelectronic records customers andtheAttorneyGeneralwhenthere isasecuritybreach and These lawsrequire businessestoprovide affected formalnotificationto Massachusetts information disposal law, Mass. Gen. Laws ch. 93I.

Five Key Steps to Developing an nformation Security Program 5

), ), A B GL ccountability ccountability ct ( ct A A each-Bliley each-Bliley L ortability and and ortability P ramm- G nsurance nsurance s a result, taking time to consider all of of all consider to time taking result, a s I A X) and and X) O ct (S ct A xley xley O ), the Sarbanes- the ), IPAA ct (H ct A comprehensive assessment should also examine a company’s potential should also examine a company’s assessment A comprehensive “unfair or deceptive of federal and state laws governing liability for violations from For over 10 years, the FTC has sought sanctions acts and practices.” FTC Act which in information security under the companies for lapses numerous of “unfair acts and practices. Because the scope unfair or deceptive prohibits particular and practices” is not limited to any or deceptive acts categories of or any particular (e.g., “personal information”) sensitive information industry all businesses should be evaluating (e.g., “financial institutions” and “creditors”), This is might realize. than they broadly more their information security practices statutes could also be of particular concern because state consumer protection Act Consumer Protection In Massachusetts, the Massachusetts triggered. the possibility of (Mass. Gen. Laws ch. 93A), like similar state statutes, carries attorneys fees. damages and stiff fines, treble alifornia residents, but defines “personal information” to information” defines “personal but residents, to relating information must do to what the company When examining information. include medical whether to consider remember security rules, the new information comply with cover other to expanding protections require of other states may the rules requirements. information or additional legal categories of sensitive Review the company’s existing obligations to protect and secure information and secure obligations to protect existing Review the company’s policies, customer and confidentiality agreements, under non-disclosure This may identify other categories of or court orders. settlement agreements or other security measures information that the company is obligated to protect to implement. agreed that the company has already Businesses have also been subject to a range of industry-specific laws,Businesses have also been subject Health the including rules, and regulations A ommission (FCC) rules governing customerand the Federal Communications C It is important to take network information (CPNI), just to name a few. proprietary a compliant into account when developing requirements all industry-specific information security program. •  •  •  of these information security rules, but this process occurred slowly to address new slowly to address occurred of these information security rules, but this process call on to an incident. The new regulations or in response laws when they emerged than rather comprehensive, develop and thinking of way their change to businesses security. information to approaches piecemeal, can be critical. the potential legal obligations at the beginning of the compliance process ver the years, many businesses have adopted specific policies to comply with manyOver the years, many businesses have adopted specific policies to comply 6 Five Key Steps to Developing an nformation Security Program development process. andindividualswhoshouldbeinvolvedinthe position toidentifythedepartments security program. Armedwithalistofobjectives, thecompanywillbeinagood business willbeabletoconfidently begindevelopmentofacompliantinformation Once youhavedevelopeda listofthegeneralandspecificlegal requirements, the laid outindetailtheguidetoMassachusettsregulations includedinAppendix. physical, administrativeandelectronic securitymeasures. Theserequirements are assessment ofpotentialrisks,periodicemployeetraining andtheadoptionof Massachusetts regulations includeanumberofspecificelements,includinganannual and theneedtoprotect theinformation.Thespecific requirements ofthe of thebusiness,resources available,theamount ofsensitiveinformationatissue should bereasonably consistentwithindustrystandards andappropriate tothesize impose reasonable andappropriate informationsecuritymeasures. Theprogram governed bytheMassachusettsregulations oranyotherfederalstaterules,isto The primaryobjectiveforanyinformationsecurityprogram, nomatterwhetheritis and evaluateexistingsecuritymeasures againsttheforeseeable threats. anassessmentofthewayitcollects,managesanddisposesinformation, perform existing policiesandprocedures, butdevelopingonewillrequire thebusinessto information securityprogram willbeawrittendocumentbuiltonthecompany’s these deadlines,makesure tostayabreast ofnewdelaysorrevisions. Acompliant been repeatedly delayed.Thecurrent deadlineisMarch 1,2010.Aswegetcloseto originally were scheduledtobeenforced onJanuary1,2009,butthedeadlinehas onJune1,2010. The MassachusettsregulationsThe RedFlagsulesgointoeffect federal orstaterequirements, itmayneedtoconsiderthefederaldeadlinesaswell. company issubjecttothefederalRedFlagsules,Safeguards Ruleorother develop andimplementa“comprehensive, writteninformationsecurityprogram.” Ifa the Massachusettsidentitytheftregulations businessesmust asanexample,affected develop awrittenprogram thatlaysoutthesecuritymeasures ithasadopted.T Most federalandstateinformationsecurityregulations willrequire thatthebusiness considerations. is complicatedbythenumberoflegalrequirements andothertangential a listofthegeneralandspecificgoalsitsseekstoaccomplish.Alltoooftenthistask Once abusinessdetermineswhatlaws,regulations andrulesapply, itshould develop

2 Need toAccomplish Review WhatYou aking Five Key Steps to Developing an nformation Security Program 7 , IT to assume the position, position, the assume to CIO

director position. Before asking the the asking Before position. director

IT

Choose an an Choose Security Information / Team Coordinator or or CIO larger company with many different departments should make sure that the the that sure make should departments different many with company larger A 3

ne of the key preliminary steps in the process of developing a compliant information in the process steps One of the key preliminary together. the program the right person or people to put is to designate security program that require theft regulations Rules and the Massachusetts identity Both federal Red Flags This or team. identify a coordinator expressly information security program the company’s the outset. from the compliance process is an important that will streamline step the to require is going program developing an information security Keep in mind that to time the taken is collected, maintained, handled to come up to speed on the way information coordinator Having company. the in area or department every in of disposed and a and operation of general legal obligations will be, aareas company’s assess what laws apply and what the relevant the all identify to position who good a in be individual(s) should the company identifying on Focus areas. those to access with procedures, team and or policies coordinator drafting including responsibilities, of host a over sure take make to to able are contractors company reviewing program, training required the managing as well as security threats, assess potential taking the necessary precautions, they are relations, andworking with security officers, information technology managers, public incidents at the company. to any and respond legal counsel to identify security breaches often is role coordinator’s security information the companies, emerging or small For the with merged an expansion that this usually represents the company and its CIO should recognize of from input and training preparation, additional require may and responsibilities typical the be will that areas. other departments all between navigate to position a in is security, team or physical and coordinator including security, information in involved relations. public directly and office, counsel’s general plant, physical resources, human that the role Keep in mind when selecting the information security coordinator may sometimes be in tension with the goals of the CIO, who is often asked to make The selection business projects. information available to support company’s the of the information security coordinator or committee should ensure that any negotiated at an between security and business operations are compromises level in the organization. appropriate 8 Five Key Steps to Developing an nformation Security Program company worknewsecurity measures intothecompany’s existingoperationsandculture. often shedslightonpotential threats, existingindustrystandards andwillhelpa business practices,policies andpublicstatementshavediverged overtime.This besureor managesinformation.Indiscussionswithstaff, toidentify where current policies orstatementsthatmakerepresentations abouthowthecompanysecures company haspreviously toreview identified.Itisimportant anypublicnotices, security program, buttheyalsohelpidentifyanythreats andsecuritymeasures the indrafting itsinformation policies. Priorpolicieswillgiveabusinessheadstart security policies,appropriate computerusageandpassword policies,andtermination prior policiesandprocedures thatcouldimpactinformationsecurity, includingany In goingthrough thisprocess, itisextremely tocollect andreview important any potential threats andsolutions. breaches. Priorincidentsoftenprovide insightsthatwillhelpthecompanyidentify been foundintheirtrash.Makesure toidentifyanypriorsecurityincidentsordata federal regulators havepenalizedbusinesseswhensensitivepersonalinformationhas to stealmoneyandaccessconfidentialinformation.T commonly collectinformationfrom garbagecontainersanduseinformationtheyfind about trashafterithasbeenleftatthecurb,butidentitythievesandcybercriminals access informationremotely andhowinformationisthrown away. We oftenforget company policyandgeneralpractice.Donotforget toexaminehowemployees salesperson’s ,ortransferred electronically Considerboth betweenoffices. hundred computers;andwhethertheinformationislockedinafile room, savedtoa person; whethertheinformationisstored orone inonefilecabinet,tenoffices information resides, whetherinformationiscollectedbyemail,fax,mail,phone,orin The companyshouldmakesure itgenerallyknowsallthephysicallocationswhere the requires thatthecoordinator responsible meetwithstaff forthesetasks. accesses, stores anddisposesofsensitivevaluableinformation.Thistypically policies. Thecoordinator shouldidentifyhowthecompanycollects,handles, security program, itistimetoinvestigatethecompany’s current practicesand After acompanyhasselectedcoordinator orteamtodevelopaninformation 4 What You Have With Start aking noticeofthistrend, Five Key Steps to Developing an nformation Security Program 9 advise clients to assess their information practices broadly and to practices broadly their information to assess I advise clients In particular, information, its own proprietary protects how the company to evaluate make sure information kinds of valuable and any other trade secrets and property intellectual Not of “personal information.” definition into the statutory not fit squarely that may valuable protects the company already ways that frame the different only will this help view is important in property intellectual when the company’s information, but keeping When a business is improving appropriate. of security are deciding what levels be necessary to of information, it may also specific categories security around A company intellectual property. in place for the company’s the protection increase security practices and of its existing information all-inclusive review that completes an of new laws the requirements the best possible position to address policies will be in and regulations. ...identity thieves and cybercriminals commonly commonly cybercriminals and thieves ...identity and containers garbage from information collect access and money steal to find they use information information.” confidential “ 10 Five Key Steps to Developing an nformation Security Program “ consider and address.” inherent security threats that companies should implicitly recognize that there are a number of regulations theft identity new the measures, … in requiring companies to adopt specific security

address. are anumberofinherent securitythreats thatcompaniesshouldconsiderand security measures, thenewidentitytheftregulations implicitlyrecognize thatthere companies shouldconsider. However, inrequiring companiestoadoptspecific other stateregulations, donotexpressly listallpotentialsecuritythreats that identifying where thetwodonotmeet.TheMassachusettsregulations, likemost current practicesandpolicieswiththeprovisions ofapplicableregulations and pointformanycompanieshasbeentocompareIn practice,agoodstarting their threats thatare reasonably foreseeable. possible toprotect againstallpotentialthreats, companieswillneedtoidentify may already ofanexistingcompliance program. bepart Mindfulthatitmaynotbe security programs, acomprehensive or riskassessmentmaybeanewundertaking measures tomitigatethoserisks.Formanycompaniesdevelopinginformation identifying thereasonably foreseeable threats andadoptingappropriate security The core challengeforacompanydevelopinganinformationsecurityprogram is 5 Combat Them Security Measures to and AdoptReasonable Evaluate PotentialThreats Five Key Steps to Developing an nformation Security Program 11 erification of security practices by all third-party third-party erification of security practices by all raining on procedures raining on computer security procedures p-to-date software Up-to-date malware Up-to-date system software T system Up-to-date network firewall Routine monitoring of network traffic personal information for destroying Procedure disposal before Security Measure(s): Security program Employee training for violations Disciplinary measures access by using locked Restricting physical facilities authorized users access to Restricting electronic policies user name and Secure access electronic Routine monitoring of Administrative security measures of Policies for storage, disposal and transfer information outside of the company of all personal information on or mobile devices of personal information Policies limiting retention Policies for terminating access to departing employees of Policies on storage, disposal and transfer information outside of the company V service providers rojan horse attacks rojan Intrusions by hackers and other cybercriminals Unauthorized access to personal information found in company trash Threat: to use by employees Failure security practices reasonable to Unauthorized access stored personal information at company offices Inadvertent loss of personal on lost or stolen information stored company laptops or mobile devices Theft of personal information by departing employees Unauthorized access to information service providers sent to third-party caused by Security breaches computer viruses, worms and T 12 Five Key Steps to Developing an nformation Security Program the FTC’s listofwarning signsare includedinFoleyHoag’s guidetotheRedFlags Rules 3 administrative, physicalandelectronic securitymeasures toavoidproblems: resources thatcanhelpcompaniesidentifythepotentialrisksandfindappropriate directly duringtheriskassessmentphase.Thefollowingare ahandfulofuseful businesses mayneedtoinvolvecounselandsecurityconsultantsadvisethem news, securityincidentsandindustrystandards. Thiscanbeachallengeandsome forinformationsecuritycoordinatorsIt isimportant tokeepup-to-dateonrecent breaches are discovered everydayasare new, solutionstothoseproblems. effective ofthistaskisthefactthatnewrisks,exploitsandsecurity Adding tothedifficulty regulations, theFTC’s listmaybeusefultoreview whenidentifyingpotentialthreats. relevant totheirbusinesses. FTC’s detailedlistofidentitytheftwarningsignsanddeterminewhetheranyare Companies thatmustcomplywithfederalRedFlagsulesare required toreview the at Appendix B. •  •  annual reports thatidentifyhowthesecuritybreaches occurred. nationwide. TheITRCproduces alistofhighprofile breaches andsearchable Resource Center ® (ITRC)maintainsawebsitetrackingdatabreaches journals typicallykeeptrackofhighprofile incidents,buttheIdentityTheft threats andappropriate solutions.Newspapers,magazinesandindustry and organizations isoneofthebestwaystoidentifyreasonably foreseeable Reviewing thesecuritybreaches experiencedatsimilarlysituatedcompanies agencies andpostshelpfulreports onSecurity PrivacyandtheLaw.com. Practice trackspotentiallyrelevant decisionsfrom federalandstateregulatory wireless internetaccess,amongotherthings.FoleyHoag’s Security&Privacy allowing userstoseteasyguesspasswords, andfailingtoproperly secure information, storingsensitiveinformationinanumberofunnecessarylocations, collect ormanagesensitivepersonalinformation,failingtoencrypt companies forfailingtotestthesecurityofnewwebsitesandsoftware usedto security flawsdiscovered atothercompanies.TheFTChassanctioned and theFTCwebsitecontainslistingsofpriorcasesthatidentifyalleged enforcement. TheFTChastakentheleadinenforcing securityandprivacyrules already way tostayaheadofanygovernment identifiedcanbeanimportant Staying up-to-dateonwhatthreats andsecuritymeasures regulators have 3 Evenifacompanyisnotsubjecttothefederal Five Key Steps to Developing an nformation Security Program 13 For detailed technical information on threats to computer systems and to computer on threats technical information For detailed flaws. and security surveys vulnerabilities e actively the SANS Institut networks, setting in S Institute repeatedly the SAN referenced have Federal regulators security standards. information •  ...when adopting security measures, it is is it measures, security adopting ...when important to maintain the right balance the of operations existing the between obligations.” legal company’s the and company ost importantly, when adopting security measures, it is important to maintain the security measures, when adopting Most importantly, company and the company’s the existing operations of the right balance between that impact strict security measures is a push to adopt Often there legal obligations. and companies also no imminent threat is there where workflow a company’s is a pressing there even where adopting low-cost security measures commonly avoid also impacts what and other practical consideration need. Financial limitations that remember can put in place. Businesses should a company security measures the right of flexibility to strike allow businesses a degree regulations federal and state strategic decisions is a good way to balance. Involving counsel in these delicate business compliant without impeding that the company remains make sure operations. is developing a comprehensive that a company Following these steps will make sure program. and compliant information security “ 14 Five Key Steps to Developing an nformation Security Program of theinformationsecurity program istoensure thatonlyauthorizedindividualswitha with industrystandards andotherapplicablelawsregulations. Thegeneralfocus designed toprotect personalinformationinamannerthatis reasonably consistent program”? entitiesmustdevelop awritteninformationsecurityprogram Allaffected What are therequirements ofa“comprehensive, writteninformationsecurity Theft Laws&Regulations Massachusetts Identity Appendix A ll affected entitieshavethreeWhat doIhavetodo?Allaffected primaryobligations: a businessmaintainsorhowoftenitusestheinformation. Importantly, theMassachusettsrulesapplynomatterhowmuchpersonalinformation where thebusinessislocatedandnomatterhowlarge orsmall itsoperations. credit card ordebitcard number. TheMassachusettsregulations applynomatter license numberorstateidentificationcard number, or(3)financialaccountnumber, Massachusetts resident incombinationwith(1)aSocialSecuritynumber, (2)driver’s Massachusetts. Thelawdefines“personalinformation”asthefullnameofa processes orotherwiseaccessespersonalinformationaboutaresident of Who iscovered? Anyindividual,businessoragencythatreceives, maintains, 17.00-17.05. andBusinessRegulation,201C.M.R.§ ofConsumerAffairs the MassachusettsOffice Laws ch.93Hand93Itheaggressive newidentitytheftregulations adoptedby of Massachusettsresidents. Thesenewlawsandregulations includeMass.Gen. Massachusetts hasenactedbroad legislationtosafeguard the“personalinformation” Introduction. 3. 2. provide awrittennotificationwhenthebusinessknowsorhas reason to 1. or reconstructed afterdocumentshavebeenthrown away. (M.G.L. ch.93I,§2) Dispose ofpersonalinformationsothat cannotberead know thatthere hasbeenasecuritybreach. (M.G.L.ch.93H,§3(a)) (17 C.M.R.§§17.03+17.05) written informationsecurityprogram” onorbefore March 1,2010. Develop, implement,maintainandmonitora“comprehensive,

Five Key Steps to Developing an nformation Security Program 15 to personal information to personal information that personal information them to ensure from obtaining written agreements adequate protection receives access to accomplish a legitimate business purpose require unauthorized access or technologies in light of new threats revision requires keeping personal information in locked facilities, storage areas or containers. keeping personal information in locked facilities, storage areas outside of the company on physical access to personal information, such as 12. Reasonable restrictions rocedures for the storage, access and transfer of personal information for the storage, access and transfer of personal 5. Procedures and providers service third-party for selecting appropriate rocedures 6. P individuals that for limiting access to personal information to the rocedures 7. P program of company compliance with the 8. Routine review that it is adequately preventing to ensure regularly onitoring the program 9. M it to determine whether at least annually, eviewing the program, 10. R to security breaches response for documenting the company’s 11. Procedure 1. Designation of an information security coordinator / committee an information security coordinator 1. Designation of management training on security and information 2. Ongoing employee violations of the program for 3. Disciplinary measures no longer have access for ensuring that terminated employees rocedure 4. P Physical Security Measures n addition, the In addition, personal information. have access to business purpose legitimate that affected a series of specific businesses adopt require regulations Massachusetts a summary of the Below is security measures. electronic physical and administrative, requirements. specific Measures Administrative Security 16 Five Key Steps to Developing an nformation Security Program postponed to further anongoing criminalinvestigation. postponed tofurther enforcement agencyinvestigatingthebreach determinesthatnotificationmust be must bemade“assoonas practicableandwithoutunreasonable delay,” unlessalaw details ofthesecuritybreach orthenumberofresidents Thisnotification affected. prohibits youfrom providing informationinyourletter, certain includingspecific information onhowtheresident requests acredit freeze. Also,theMassachusettslaw resident knowthatheorshehastherighttoobtainapolicereport; and(2)provide andBusinessRegulation.ThenoticetoresidentsConsumer Affairs should(1)letthe residents, theMassachusettsAttorneyGeneralanddirector of oftheOffice to makeanotification,youmustprepare Massachusetts writtenletterstoallaffected What doIhavetosatisfythenotification requirement? Ifyouare required unauthorizeddisclosurethe informationorfurther access topersonalinformation,unlessthisbreach resulted inunauthorizeduseof statute doesnotrequire noticewhenthere hasbeengoodfaithbutunauthorized former employeeshaveusedcompanyrecords toengageinidentitytheft.The company laptopscontainingpersonalinformationandthediscoverythatcurrent or against aresident ofthecommonwealth.”Commonexamplesincludeatheft acquisition oruseofdata“thatcreates asubstantialriskofidentitytheftorfraud “security breach.” UnderMassachusettslaw, a“securitybreach” istheunauthorized notification whentheybecomeaware (or reasonably shouldhavebeenaware) ofa Anyone subjecttotheMassachusettslawsandregulations mustmakeaformal Under whatcircumstances doIhavetoprovide noticeofasecuritybreach? Electronic SecurityMeasures* technicallyfeasible forthebusiness. * Theelectronic securitymeasures identifiedbythe regulations are required only totheextentthattheyare 20. Setuptoreceive regular software securityupdates 19. Reasonablyup-to-datesystemsoftware 18. Reasonablyup-to-datevirusandmalware protection 17. Reasonablyup-to-datenetworkfirewall protection 16. Routinemonitoringofcomputersystemsforunauthorizedaccess 15. Use ofencryptiontoprotect personalinformation,includingtheencryption 14. Reasonableprocedures forselectingpasswords ofappropriate complexity 13. Policies thatrequire theuseofuniqueusernamestoaccess and strength personal information of emails,filetransfers,laptopcomputersormobiledevicesthatcontain personal information Five Key Steps to Developing an nformation Security Program 17 How do I dispose of personal information in a way that complies with complies with in a way that information I dispose of personal How do law? All affectedMassachusetts must meet and agencies individuals, businesses must be Paper documents information. for disposal of personal standards minimum cannot the personal information so that or shredded burned, pulverized redacted, drives or other files, disks, hard Electronic or reconstructed. practicably be read information or erased so that the personal destroyed be securely storage media must after disposal. be recovered practicably cannot to adopt or follow Failure for not meeting these obligations? What is the penalty notification may lead or make an adequate security program a compliant information fees and the of attorney’s award up to $5,000 per violation, the to civil penalties of information is subject to a fine disposal of personal Improper costs of investigation. affected, of $50,000 per incident. The up to a maximum of $100 per resident violations under the to enforce Massachusetts Attorney General is empowered may also be A. Affected Act, ch. 93 residents Massachusetts Consumer Protection violators for “unfair or deceptive trade practices” able to bring private actions against damages and as well as treble awards, that could lead to compensatory damages fees. attorney’s 18 Five Key Steps to Developing an nformation Security Program actual incident,itmaypresent riskofidentitytheft to makeita“covered asufficient has experiencedinvolving fraudoridentitytheft.Ifanaccounthasbeeninvolved inan foreseeable byreviewing riskof identity theft?Start anyincidentsthecompany How doIassesswhether Imaintainanaccountthatposesareasonably anykindofaccount. include virtually that posesareasonably foreseeable riskofidentitytheft.Thisbroad categorycould savings accounts.Thesecondcategoryofcovered accountsincludesanyaccount automobile loans,cellphoneorutilityaccounts,as welltraditionalcheckingor multiple paymentsortransactions,includingcredit card loans, accounts,mortgage categories. Thefirstcategoryispersonalfinancialaccountsdesigned topermit What isa“covered account?”Acovered accountmayfallintooneoftwo Federal RedFlagsRules Appendix B ffected entitieshavetwoprimaryobligations: What doIhavetodo?Affected comply withtheRedFlagsules. clients thatare financialinstitutionsorcreditors alsomayneedtotakesteps and otherbusinesses.Businessesthatactasserviceproviders tocustomersor Red Flagsulesapplytoawiderangeofmerchants, doctors,lawyers,consultants goods orservicesnowandbillstheircustomerslater. Underthisconstruction,the regulators haveannouncedthattheterm“creditors” appliestoanybusinessthatsells While thisincludesbanks,credit card companiesandinstitutionallenders,federal Who iscovered? TheRedFlagsulesapplyto“financialinstitutions”and“creditors.” general overviewoftheseregulations. programs todetectandprevent identitytheftonorbefore June1,2010.Below, isa federal agencies.TheseRulesrequire kindsofbusinessestodevelopwritten certain Federal T The “RedFlagsules”are federalidentitytheftregulations promulgated bythe Introduction. 2.  1. Regularly assesswhetherthebusinessmaintains“covered accounts.” implement an“IdentityTheftPrevention Program.” (16C.F.R. §681.2(d)) respectWith toany“covered accounts,”thebusinessmustdevelopand (16 C.F.R. §681.2(c)) rade Commission(FTC),theT reasury andanumberofother Department

Five Key Steps to Developing an nformation Security Program 19 t is best to keep in mind that an “account” may cover a variety of business may cover a variety an “account” to keep in mind that It is best account.” that could be a user number or card an identification It may include arrangements. include an It may also as the customer. or to pose goods or services used to obtain card credit numbers, such as bank account information that stores online account The FTC suggests information that could be misused. or other numbers, and accessed when making its how an account is opened that businesses consider online or by the telephone, either be opened remotely, assessment. If an account can theft. risk of identity may be an increased there have any Even if you do not accounts?” have any “covered What if I do not to perform a required are institutions and creditors accounts, all financial covered accounts they offer to determine whether any of the periodic assessment or maintain perform accounts. It is a good idea to once per this assessment at least covered are year. offers accounts?” What do I have to do if my business or maintains “covered the FTC’s accounts must (1) review An affected that maintains covered business and (2) develop and Guidelines to Red Flags Compliance, which we include below, consistent with those rogram P Prevention implement a written Identity Theft that will is to put in place procedures Program Guidelines. The primary purpose of the signs of identity theft and take steps to the warning enable the business to recognize is Program Identity Theft Prevention consumers. A key step in developing an protect for developing the Program. to take responsibility to select the right team of people a variety of input from requires likely Keep in mind that developing the program information technology, security, including, physical plant, physical business areas public relations. accounting, as well as customer and A Program?” of an “Identity Theft Prevention the requirements What are Red Flags” must contain: (1) a list of the “ Program compliant Identity Theft Prevention to detect the business; (2) procedures relevant to its the company has identified as red flags responding to any for procedures flags the company has identified; (3) red administrative provisions. that have been detected; and (4) a number of required How do I identify “Red Flags?” A “Red Flag” is a pattern, practice or specific Guidelines ’s activity that indicates the possible existence of identity theft. The FTC credit flags including, alerts from below) list a number of potential red (reproduced monitoring agencies or service providers, receipt of suspicious documents or accounts. Businesses to covered personal information, or suspicious activity relating applicable. A are flags and determine which, if any, list of red must consider the FTC’s agency should victim or law enforcement a customer, of identity theft from report 20 Five Key Steps to Developing an nformation Security Program number ofadministrativeprocedures, including: Prevention Program? TheRedFlagsulesalsorequire abusiness toadopta What are theadministrativerequirements ofacompliantIdentityTheft should ensure thattheresponse istimelyandreasonable underthecircumstances. actions toalleviatetheriskofharmconsumersandbusiness.TheProgram appropriate response undertheProgram, aninvestigationandtake anyother perform to internalmanagersandthesecuritycoordinator, asnecessary, toselectan response tobeappropriate underthecircumstances. Redflagsshouldbeescalated Theft Prevention Program mayneedtobeflexibleinorder forthecompany’s the matterovertolawenforcement. TheRedFlagsulesrecognize thatanIdentity new accountnumberandpassword. Itmaybeappropriate totakenoactionorturn passwords andsecuritycodes,closingtheaccount,reopening theaccountwitha and monitoringanaccountforabusewhenared flaghasbeendetected,changing theft onceabusinesshasdetectedred flag.Theseincludecontactingthecustomer been detected?TheFTC’s Guidelinessuggestanumberwaystoprevent identity What procedures shouldIadopttoprevent identitytheftonceaRedFlaghas sophistication ofidentitythieves. place, butshouldconsiderwhetherimprovement iswarrantedgiventheincreasing when theyaccesstheiraccounts.Mostbusinessesalready havesuchprocedures in identities atthetimetheyopenaccountsandonauthenticatingcustomers’ business andthered flags.TheFTCGuidelinesfocusonverifyingcustomers’ The procedures neededtodetectandidentifyred flagsdependonthenature ofthe What procedures are necessarytodetectthe“RedFlags”Ihaveidentified? of whatred flagsmayapply. run-ins withidentitytheft,areview oftheseincidentscanprovide youwithagoodidea always beconsidered ared flag.Ifyourbusinessorsimilarbusinesseshavehadprior 2. Procedures forreviewing andrevising theProgram periodicallytoensure that 1. Aprocedure toobtain theapproval oftheProgram from itsboard ofdirectors. 4. Policies requiring appropriate supervisionofservice providers thatmayaccess 3. Policiesrequiring employeetraining,asnecessary. involved inthisprocess. risks toconsumers.Theboard ofdirectors oritsdelegate(s)alsoshouldbe the Program reflects current practices,changesintheindustry orincreased or provide services related tocovered accounts. Five Key Steps to Developing an nformation Security Program 21 o reduce potential liabilities, o reduce FTC Guidelines on Compliance with FTC Guidelines on Red Flags Rules Appendix A to 16 CFR Part Theft 681—Interagency Guidelines on Identity and Mitigation Detection, Prevention, that offers or and creditor each financial institution Section 681.2 of this part requires accounts, as defined in § 681.2(b)(3) of this part, to covered maintains one or more to detect, for the continued administration of a written Program develop and provide and mitigate identity theft in connection with the opening of a covered prevent, intended to assist account. These guidelines are account or any existing covered in the formulation and maintenance of a Program financial institutions and creditors of § 681.2 of this part. requirements that satisfies the businesses may wish to avoid dealing with service providers that do not agree to do not agree that providers to avoid dealing with service businesses may wish providers At minimum, service Programs. dentity Theft Prevention adopt compliant I by covered and accounts are notice that customer information should be put on periodic written should provide provider Rules and the service federal Red Flags state laws and consistent with federal and practices are assurances that their regulations. the Red Flags Rules by June 1, 2010? What is the penalty for not complying violations of the Red Flags for relief The FTC may seek civil penalties and injunctive the FTC of similar rules over the past years has seen in enforcement Rules. The trend number of customers, harm has affectedseek substantial civil fines when the a large and the adoption of a compliant Program requiring as well as court orders for 20 years. to federal regulators reported independent security audits that are What do I need to do if I use a third-party service provider to manage some to manage serviceI use a third-party I need to do if What do provider to provide a business Rules require The Red Flags accounts? of covered aspects to it uses and effective service providers any third-party oversight” of “appropriate must take provider that uses a service Any business accounts. covered manage Prevention have an adequate Identity Theft providers that the service steps to ensure affected with the service businesses will obtain written contracts Ideally, Program. Rules. T compliance with Red Flags requiring providers 22 Five Key Steps to Developing an nformation Security Program (b) (a) II. IdentifyingRelevantRedFlags financial institutionorcreditor from identitytheft. reasonably foreseeable riskstocustomersorthesafetyandsoundnessof appropriate, itsexistingpolicies,procedures, andotherarrangementsthatcontrol In designingitsProgram, afinancialinstitutionorcreditor mayincorporate,as I. TheProgram

(c)

incidents ofidentitytheftthatthefinancialinstitutionorcreditor has (1) relevant RedFlagsfrom sources suchas: Sources ofRedFlags.Financialinstitutionsandcreditors shouldincorporate itsprevious experienceswithidentitytheft. (4) themethodsitprovides toaccessitscovered accounts;and (3) themethodsitprovides toopenitscovered accounts; (2) thetypesofcovered ormaintains; accountsitoffers (1) factors inidentifyingrelevant RedFlagsforcovered accounts,asappropriate: Risk Factors.Afinancialinstitutionorcreditor shouldconsiderthefollowing methods ofidentitytheftthatthefinancialinstitutionorcreditor has (2) notifications,orotherwarnings alerts, received from consumer reporting (1) these categoriesare appendedasSupplementAtothisppendix. the followingcategories,asappropriate. ExamplesofRedFlagsfrom eachof Categories ofRedFlags.TheProgram shouldincluderelevant RedFlagsfrom applicablesupervisoryguidance. (3) the presentation ofsuspiciouspersonalidentifyinginformation, suchas (3) thepresentation ofsuspiciousdocuments; (2) the unusualuseof,orother suspiciousactivityrelated to,acovered (4) experienced; identified that reflect changesinidentitytheftrisks;and agencies orserviceproviders, suchasfrauddetectionservices; a suspiciousaddress change; account; and Five Key Steps to Developing an nformation Security Program 23 authorities, or other persons regarding possible identity theft in possible identity regarding or other persons authorities, institution by the financial accounts held with covered connection or creditor. access to a covered account; access to a covered change of address requests, in the case of existing covered accounts. accounts. in the case of existing covered requests, change of address opening a covered account, for example, using the policies and procedures procedures example, using the policies and account, for opening a covered set forth identification and verification in the Customer Identification regarding CFR 103.121); and rules implementing 31 U.S.C. 5318(l) (31 Program (5) theft, law enforcement victims of identity customers, notice from (d) account with a new account number; reopening a covered (e) account; not opening a new covered IV. Preventing and Mitigating Identity Theft and Mitigating Preventing IV. to responses for appropriate should provide policies and procedures The Program’s commensurate detected that are has creditor the Red Flags the financial institution or a financial response, of risk posed. In determining an appropriate with the degree factors that may heighten the risk should consider aggravating institution or creditor in unauthorized access incident that results of identity theft, such as a or third creditor, held by the financial institution, account records to a customer’s to a covered information related that a customer has provided or notice party, to someone fraudulently claiming or creditor account held by the financial institution Appropriate or to a fraudulent website. the financial institution or creditor to represent may include the following: responses (a) account for evidence of identity theft; monitoring a covered (b) ontacting the customer; c (c) security codes, or other security devices that permit changing any passwords, (b) transactions, and verifying the validity of authenticating customers, monitoring III. Detecting Red Flags III. Detecting Red of Red Flags in the detection should address policies and procedures The Program’s accounts, covered accounts and existing opening of covered connection with the such as by: (a) the identity of, a person information about, and verifying obtaining identifying

24 Five Key Steps to Developing an nformation Security Program (a) VI. MethodsforAdministeringtheProgram changes inthebusinessarrangementsoffinancialinstitutionorcreditor, (e) changes inthetypesofaccountsthatfinancialinstitutionorcreditor (d) changesinmethodstodetect,prevent, andmitigateidentitytheft; (c) changesinmethodsofidentitytheft; (b) theexperiencesofthefinancialinstitutionorcreditor withidentitytheft; (a) theft, basedonfactorssuchas: or tothesafetyandsoundnessoffinancialinstitutioncreditor from identity Flags determinedtoberelevant) periodically, toreflect changesinriskstocustomers Financial institutionsandcreditors shouldupdatetheProgram (includingtheRed V. UpdatingtheProgram (i) notifyinglawenforcement; or (h) not attempting to collect on a covered account or not selling a covered account (g) closinganexistingcovered account; (f)

reviewing reports prepared regarding bystaff compliancebythefinancial (2) assigningspecific responsibility fortheProgram’s implementation; (1) management shouldinclude: committee oftheboard, oradesignatedemployeeatthelevelofsenior Oversight ofProgram. Oversightbytheboard ofdirectors, anappropriate arrangements. including mergers, acquisitions, alliances,jointventures, and serviceprovider ormaintains;and offers  to adebtcollector; approving material changestotheProgram as necessarytoaddress (3) Determining thatnoresponse circumstances. iswarrantedundertheparticular institution orcreditor and with§681.2ofthispart; changing identitytheftrisks. Five Key Steps to Developing an nformation Security Program 25 related material matters should address The report Contents of report. as: The effectiveness and evaluate issues such of the to the Program in institution or creditor of the financial policies and procedures of theft in connection with the opening the risk of identity addressing accounts; service to existing covered accounts and with respect covered identity theft and arrangements; significant incidents involving provider changes to for material and recommendations response; management’s the Program. Staff of the financial institution or creditor responsible for responsible StaffIn general. or creditor financial institution of the should of its Program and administration implementation, development, of the board, committee an appropriate of directors, to the board report at least at the level of senior management, or a designated employee with § financial institution or creditor on compliance by the annually, 681.2 of this part. circumstances under which credit may be extended when the financial institution credit under which circumstances detects a or active duty alert; or creditor Whenever a financial institution or arrangements. Whenever a financial institution or Oversight of service provider to perform an activity in connection with engages a service provider creditor take should creditor accounts the financial institution or covered one or more conducted in is provider that the activity of the service steps to ensure designed to detect, policies and procedures with reasonable accordance For example, a financial and mitigate the risk of identity theft. prevent, by contract to have the service provider could require institution or creditor Red Flags that may arise in the to detect relevant policies and procedures the Red Flags activities, and either report performance of the service provider’s or steps to prevent or to take appropriate to the financial institution or creditor, mitigate identity theft. subject to 31 U.S.C. 5318(g), that are For financial institutions and creditors with applicable law and filing a Suspicious Activity Report in accordance regulation; (2) (1) (c) VII. Other Applicable Legal Requirements legal should be mindful of other related Financial institutions and creditors that may be applicable, such as: requirements (a) (b) the under 15 U.S.C. 1681c–1(h) regarding mplementing any requirements i

(b) Reports. 26 Five Key Steps to Developing an nformation Security Program a consumerreport indicatesapatternof activity thatisinconsistentwiththe 4. 3. a consumerreporting agencyprovides anoticeofcredit freeze inresponse 2. isincludedwithaconsumerreport. afraudoractivedutyalert 1. Notificationsor Alerts, Warnings from Agency aConsumerReporting from thefollowingillustrativeexamplesinconnectionwithcovered accounts: consider incorporatingintoitsProgram, whethersinglyorincombination,RedFlags eachfinancialinstitutionorcreditorof theGuidelinesinAppendixthispart, may In additiontoincorporatingRedFlagsfrom thesources recommended insectionII.b. Supplement AtoAppendix complying withtheprohibitions in15U.S.C.1681monthesale,transfer, (d) implementing anyrequirements forfurnishersofinformationtoconsumer (c)

the photographorphysical descriptionontheidentificationisnotconsistent 6. 5. Suspicious Documents a materialchangeintheuseofcredit, especiallywithrespect torecently c. anunusualnumberofrecently establishedcredit relationships; b. arecent andsignificantincrease inthevolumeofinquiries; a. history andusualpatternofactivityanapplicantorcustomer, suchas: A consumerreporting agencyprovides anoticeofaddress discrepancy, to arequ debtsresultingand placementforcollectionofcertain from identitytheft. that thefurnisherhasreasonable causetobelieveisinaccurate;and update inaccurateorincompleteinformation,andtonotreport information reporting agenciesunder15U.S.C.1681s–2,forexample,tocorrect or an accountthatwasclosedforcauseoridentified abuseofaccount d. with theappearanceof applicantorcustomerpresenting theidentification. Documents provided foridentificationappeartohavebeenaltered orforged. as definedin§681.1(b)ofthispart. established credit relationships; or privileges byafinancialinstitutionorcreditor. est foraconsumerreport. Five Key Steps to Developing an nformation Security Program 27 service. on a fraudulent application. fraudulent application; or Master File. Death Social Security Administration’s a. or a ; or on an application is fictitious, a mail drop, the address b. the phone number is invalid, or is associated with a pager or answering b. the phone number on an application is the same as the number provided activity as indicated by internal or third-party sources used by the financial sources third-party activity as indicated by internal or For example: institution or creditor. a. a on provided address on an application is the same as the the address other personal identifying information provided by the customer. For example, by the customer. provided other personal identifying information between the SSN range and date of birth. is a lack of correlation there external information sources used by the financial institution or creditor. For or creditor. used by the financial institution external information sources example: a. or report; in the consumer does not match any address the address b. on the Number (SSN) has not been issued, or is listed the Social Security of having been destroyed and reassembled. and of having been destroyed information that is on file with the financial institution or creditor, such as a creditor, or on file with the financial institution information that is check. or a recent card signature provided by the person opening a new covered account or customer presenting presenting or customer account covered opening a new by the person provided the identification. fraudulent activity as indicated by internal or third-party sources used by the sources fraudulent activity as indicated by internal or third-party For example: financial institution or creditor.

ersonal identifying information provided is of a type commonly associated with ersonal identifying information provided 13. P

12. with known fraudulent is associated personal identifying information provided 11. customer is not consistent with by the personal identifying information provided

Suspicious Personal Identifying Information Suspicious Personal 10. against is inconsistent when compared information provided ersonal identifying p 9. or gives the appearance or forged, to have been altered an application appears 8. accessible readily with the identification is not consistent other information on 7. information consistent with is not on the identification other information 28 Five Key Steps to Developing an nformation Security Program a newrevolving credit accountisusedinamannercommonlyassociatedwith 20. 19. Unusual Useof,orSuspiciousActivityRelatedto,theCovered Account 18. personal identifyinginformationprovided isnotconsistentwithpersonal 17. the personopeningthecovered accountorthecustomerfailstoprovide all 16. the address ortelephonenumberprovided isthesameasorsimilarto 15. the SSNprovided isthesameasthatsubmittedbyotherpersonsopeningan 14.

21. the majorityofavailablecredit isusedforcashadvancesor a. known patternsoffraudpatterns.Forexample: card oracellphone,fortheadditionofauthorizedusersonaccount. institution orcreditor receives arequest foranew, additional,orreplacement followingthenoticeofachangeaddressShortly foracovered account, the consumer report. information beyondthatwhichgenerallywouldbeavailablefrom awalletor opening thecovered accountorthecustomercannotprovide authenticating For financialinstitutionsandcreditors thatusechallengequestions,theperson identifying informationthatisonfilewiththefinancialinstitutionor creditor. notification thattheapplicationisincomplete. required personalidentifyinginformationonanapplicationorinresponse to of otherpersonsopeningaccountsorcustomers. account numberortelephonesubmittedbyanunusuallylarge number account orothercustomers. the customerfailstomakethefirstpaymentormakes aninitialpayment b. amaterialincrease intheuseofavailablecredit; b. nonpaymentwhenthere isnohistoryoflateormissedpayments; a. A covered accountisusedinamannerthatnotconsistentwithestablished patterns ofactivityontheaccount.There is,forexample: equipment orjewelry); merchandise tocash(e.g.,electronics that iseasilyconvertible but nosubsequentpayments. Five Key Steps to Developing an nformation Security Program 29 phone account. deposit account; or deposit account; theft, a law enforcement authority, or any other person that it has opened a or any other person that it has opened authority, theft, a law enforcement in identity theft. fraudulent account for a person engaged transactions in connection with a customer’s covered account. covered transactions in connection with a customer’s paper account statements. transactions continue to be conducted in connection with the customer’s with the customer’s to be conducted in connection transactions continue account. covered time is used (taking into consideration the type of account, the expected into consideration the type of account, time is used (taking factors). and other relevant pattern of usage e. with a cellular in telephone call patterns in connection a material change c. or spending patterns; change in purchasing a material d. a connection with patterns in fund transfer change in electronic material a Notice from Customers, Victims of Identity Theft, Law Enforcement Victims Customers, of Identity Theft, Law Enforcement Notice from in Connection Possible Identity Theft Authorities, or Other Persons Regarding Institution or Creditor Accounts Held by the Financial With Covered 26. a victim of identity by a customer, is notified the financial institution or creditor 25. or of unauthorized charges is notified the financial institution or creditor 24. receiving that the customer is not is notified the financial institution or creditor 23. as undeliverable although repeatedly is returned ail sent to the customer m 22. lengthy period of inactive for a reasonably account that has been covered a

30 Five Key Steps to Developing an nformation Security Program challenges and opportunities. Formorechallenges andopportunities. information visitfoleyhoag.com. a networkofLexMundilawfirmstoprovide forclients’largest globalsupport Washington, andtheEmerging EnterpriseCenterinWaltham,Massachsetts joinwith sectors gaincompetitiveadvantage.Thefirm’s 225lawyerslocatedinBoston, biopharma, hightechnology, energy technology, financialservicesandmanufacturing operational imperatives,andmarketplacerealities, thefirmhelpscompaniesin large-cap adeepunderstandingofclients’strategicpriorities, companies.With intellectual property, andcorporatetransactionsforemerging, middle-market,and Foley HoagLLPisaleadingnationallawfirmintheareas ofdispute resolution, About FoleyHoagLLP crises rangingfrom surpriseinspectionsbygovernmentinvestigators, toobtaining them developnewprograms whennecessary. Ourlawyershavemanaged unexpected to ensure the legalityandsuccessofexistingsecuritypolicies andprotocols andhelp facilities andinformationsystems, andfixbreaches ofsecurity. We workwithclients abusive email,takedowninfringingwebsites,maintain surveillanceofcompany Our lawyersassistclientswithquestionsonhowtolegally andethicallyinvestigate insurance companies,andretail businesses. financial servicesfirms,manufacturingcompanies, governmentcontractors, industries, includingtechnologycompanies,healthcare providers, investmentand numerousface anexpandinguniverseofsecurityandprivacy issuesthataffect Security andPrivacypracticeisacomprehensive advisoryserviceforclientsthat customer data,intellectualproperty and othervaluableinformationassets.The Our lawyersadviseclientsstrivingtoguard companyrecords, personnelfiles, and leaksinvolvingproprietary data. information, governmentinvestigations,competitiveespionage,aswellbreaches and resolving awidevarietyofsecurityincidents,includingtheftsconfidential and otherprivacyissues.We havedecadesofexperienceininvestigating,litigating and internationallawsgoverninginformationsecurity, identitytheft,surveillance through theprocess ofcomplyingwiththeever-growing numberofstate,federal, that oftenrequire immediateanddiscreet solutions.We activelyguideourclients legalcounselonthesecurityandprivacyissues encounteredeffective bybusinesses Foley Hoag’s SecurityandPrivacypracticeprovides clientswithexperiencedand About theSecurityandPrivacyPractice Five Key Steps to Developing an nformation Security Program 31 Gabriel M. Helmer protect Gabriel Helmer focuses on helping clients Although he has a varied litigation practice, assets. He as well as their intellectual property their sensitive business data and systems, of computer and and data theft, breaches advises companies faced with electronic video surveillance, and has helped them audio and as well as electronic, , these actions. employees who committed in court against the competitors and rogue prevail to anonymous Internet activity that involves Gabriel also helps clients investigate and respond of including unauthorized transfers and public disclosures the clients’ intellectual property, information. As part security work, he develops security policies of his information proprietary that enable multinational companies to conduct internal investigations of and procedures while complying with U.S. surveillance and privacy laws. security breaches, r Gabriel M. Helme Click the image below for a full biography. emergency court orders needed to secure stolen company computers from rogue rogue computers from stolen company to secure needed court orders emergency and information clients’ confidential our safeguard we successfully Above all, insiders. from require companies and discretion the level of attention each matter with manage and privacy professionals. security including of legal specialty, all areas experienced counsel from draw together We government investigations, employment, business and litigation, labor and compliance and regulatory health care, technology transactions, intellectual property, to our tailored solutions efficient, cross-disciplinary provide tax. This enables us to clients’ needs. 32 Five Key Steps to Developing an nformation Security Program download orvisitfoleyhoag.comforourlibrary. Y industry-specific alerts andupdatesfromindustry-specific alerts FoleyHoag,orvisitourWeb site. Sample otherfree titlesfrom theFoleyHoageBooklibrary, sign-upfor Foley HoageBookLibrary ou mayalsobeinterested inoureBookseries.Simplyclickonanimageto V isit our Web site Sign up for industry-specific alerts andupdates Sign upforindustry-specificalerts Driving Business Advantage by V to PatentInfringement Standing asaDefense

ickie L.HenryandNathanCHenderson Foley Hoag eBook Hoag Foley 617 832 1000 tel 617 382 7000 fax Driving Business Advantage BOSTON | WASHINGTON | EMERGING ENTERPRISE CENTER | FOLEYHOAG.COM

Attorney advertising. Prior results do not guarantee a similar outcome. © 2010 Foley Hoag LLP. All rights reserved.