When it comes to state regulatory mandates on data protection and privacy, the "meaning of what the word is, is"...
is more than Clintonian. Is a company in compliance with the Massachusetts Data Protection Act (201 CMR 17)? How, where, when, for what must encryption be used? How should an enterprise address years of backup tapes?
Judging by the packed house at TechTarget's recent seminar on 201 CMR 17, interest in these questions (and many more) is at an all-time high. As the nation's most comprehensive data protection law will go into effect on Jan. 1, it comes as no surprise to any industry observer. Compliance officers and storage and information security professionals want to know more about precisely what standards their organizations will be held to when it comes to protecting the personally identifiable information (PII) of Massachusetts residents.
Gerry Young, secretariat CIO for the Executive Office of Housing and Economic Development, and David Murrary, general counsel for the Office of Consumer Affairs and Business Regulation (which promulgated 201 CMR 17), presented on the regulation and answered questions for more than an hour.
More guidance on compliance with 201 CMR 17 emerges
Despite the repeated instances of the state officials deferring to the Massachusetts attorney general, more specific guidance did emerge. For instance, when it comes to wireless security, the vector for the infamous TJX Cos. data breach that prompted the Massachusetts Data Breach Notification Act (M.G.L. 93H), Young was specific: "You have to look at what is considered industry best practices. Specific to a wireless control, don't go out and look at WEP. Don't go out and look at WPA. Both of those protocols have been breached. You've got to go to WPA2."
It is true that the Attorney General is going to decide what is in compliance or not.
David Murray, general counsel, Office of Consumer Affairs and Business Regulation
Young was similarly specific on the requirements of the regulation regarding encryption of storage, stating that "magnetic tapes that get rotated must be encrypted" and that "every commercial tape drive on the market today has the ability to encrypt. It's not something you have to add; just turn it on." He went on to advise that compliance officers focus on the tapes that move, recommending that starting Nov. 1, storage admins begin encrypting, ensuring that "before Jan. 1, as you cycle through them, you've got one down."
When asked whether an administrator who has a database that includes PII fields and regularly backs it up has to encrypt the tape it rests on, Young offered further guidance: "You shouldn't have to, if you've already encrypted the database." As he has observed at previous briefings, organizations can either classify data and encrypt only personal PII, or "declare all your data as containing PII and encrypt everything."
Young further emphasized the need to consider 201 CMR 17 compliance part of a "holistic security program. "We have advocated thinking about data inflection points … are you safe at each point? You are only as strong as your weakest link." He advised that organizations make sure to expand their focus to cover internal, as well as external threats. Young provided as an example the use of full-duplex test access points, "which are not IP-addressable and give you a way to monitor your network if it's under attack."
More than one audience member was fully aware of another vector that could be at issue for data protection: faxes. As one attendant put it, "It's the nature of our business that a goodly amount of data is transmitted by fax. My concern is transmission. I haven't got a clue."
Young observed that issues of "technical feasibility" apply, as described in the regulation. "There isn't a lot of protection on the binary transmission of faxes." He suggested that organizations "make sure you're protected where the faxes exist" and explore technologies like Captaris RightFax to ensure the privacy of electronic transmission.
Questions on enforcement linger
Unfortunately for those in attendance, determining the objective truth of any standard for compliance is going to require more direct advisories from the entity responsible for its enforcement, the Massachusetts attorney general's office. As Murray observed, "it is true that the attorney general is going to decide what is in compliance or not."
That caused considerable frustration, as one audience member observed: "We need definitions for what data is. We have to wait until someone gets sued to find out?" For instance, does a student ID represent PII? Murray ceded that the attorney general's office (AGO) will ultimately decide that. In Murray's assessment, however, "to the extent that the ID gets the student into a financial account, the AGO is likely to consider it PII."
SearchCompliance.com's podcast with Murray and Young is embedded below:
Download for later:
- Internet Explorer: Right Click > Save Target As
- Firefox: Right Click > Save Link As
Let us know what you think about the story; email firstname.lastname@example.org.