By now, most compliance professionals are at least aware of the most comprehensive data protection regulation in the U.S. Given that the Jan. 1 deadline for compliance with the Massachusetts data protection act (201 CMR 17.00) is fast approaching, organizations are actively seeking out information and guidance on what standards they must implement.
The urgency and interest in the precise technical requirements could be keenly felt in the packed ballroom last week at SearchCompliance.com's Compliance Decisions conference, as state officials were peppered with questions from the audience. Many of the attendees were left frustrated by the inability of those officials to answer questions about the details of enforcement, given that enforcement authority rests with the Massachusetts attorney general's office.
That frustration set the stage for Richard Mackey, vice president at SystemExperts Corp. in Sudbury, Mass., to present the practical details of compliance. Mackey reminded the crowd that compliance with 201 CMR 17 should not be a fresh set of concerns and tasks. If organizations already have programs that address the Sarbanes-Oxley and Health Insurance Portability and Accountability acts (HIPAA), as well as Payment Card Industry (PCI) Data Security Standard requirements, compliance officers are well on their way to meeting the demands of the regulation, which lays out security measures that must be met for the protection of the personally identifiable information (PII) of Massachusetts residents. "If you're familiar with PCI, this is a no-brainer," he said.
What is a WISP?
As he worked through the regulation's details, Mackey emphasized a basic tenet of information security: "Know what you have." Such information mapping is critical in the context of the requirement for a written information security program (WISP). Mackey defined a WISP as "full documentation of your security program," including "the specific controls required by the law." He counseled caution as organizations draft them, however: "As far as the legal side of the house is concerned, if you put things in there that you can't do, you can be held to that document."
In Mackey's assessment, one of the most effective cost-reduction measures is to focus on data minimization: "[PII] shouldn't be in your possession if you don't need it." That's critical, given that one of the primary costs incurred from implementation of the Massachusetts data protection law lies in encryption.
Businesses need to encrypt PII in transit over the Internet and wireless networks, and at rest on laptops and other portable devices. In each case, Mackey listed available technologies to address the requirement:
- For laptops: Windows file system encryption, TrueCrypt, Pretty Good Privacy (PGP) and other commercial products. For a lost or stolen laptop, what matters is that the whole volume is encrypted, not just selected files.
- Thumb drives: the same options as for laptops, minus Windows file system encryption.
- Personal digital assistants and smartphones: Mackey recommended simply sidestepping the problem by keeping PII off these devices, and singled out the iPhone as a particular concern.
- Internet: Secure Sockets Layer (SSL/TLS), virtual private networks, IPsec.
- File transfer: Secure copy (SCP), SFTP.
- Wireless: WPA2 with strong passphrases. WEP is broken and provides no meaningful protection.
Partner management and third-party responsibility
Mackey also brought his focus to the issue of third-party risk, a serious issue given that many organizations will outsource compliance with the regulation to consultants or outside information security professionals.
"You need to ensure that third-party service providers have the capacity to protect personal information as described in the law," Mackey said. "This typically means verifying the existence of a WISP and inquiring about the practices the provider has in place. Best practice calls for a partner management program including risk assessment and regular reviews of provider risk and practice."
The American Recovery and Reinvestment Act has also changed the regulatory landscape surrounding HIPAA, due to the provisions of the Health Information Technology for Economic and Clinical Health Act contained within it. As Mackey observed, "In the past, only entities with the data were responsible; now, anyone possessing information is responsible."
A representative in the audience from a mutual fund company thought ahead to precisely this sort of issue, specifically the scenario where PII is outsourced to a vendor for processing. "If you have a data breach, is the vendor responsible for reporting the incident, or are you responsible for the data and reporting that?"
Mackey's opinion was that, in this scenario, "both organizations are responsible [under M.G.L. Chapter 93H]. Under this regulation, you're responsible immediately as soon as you have access to the data." That echoed the comments of David Murray in a previous session, when he described the risks of noncompliance with 201 CMR 17. In addition, the Massachusetts data protection law requires that physical and electronic access to resident PII be blocked "as soon as the admin learns" of a change in employment status.
Monitoring, vulnerability and incident management
Mackey also allotted time to the requirements of monitoring and incident management, both of which could be potential migraines in the event of a data breach or other crisis.
Mackey noted that the "WISP must include a requirement for the documentation of actions to take in response to a breach of security." When it comes to monitoring, he put it simply: To achieve compliance with the Massachusetts data protection law, administrators will need to monitor user access and security controls, inspect configurations and test connections, repeating each step regularly and establishing requirements for these activities.
When asked how granular a compliance officer should get in ensuring compliance, Mackey answered that "if you can say that you look at logs weekly, I would suggest that. As long as you have a regular process to see who has access to the systems and the data specifically."
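The weekly review Mackey describes is easiest to sustain when it is a script rather than a checklist. The following is an added example, not code from the article or from SystemExperts: it reconciles the accounts that can reach a PII data store against an HR roster of employment changes (the "block access as soon as the admin learns" requirement from the partner-management section above), flags any access by a changed account in the week's audit log, and produces the per-user "who touched the data" count a reviewer would look at. The account list, HR roster, log format and log lines are all constructed for the example.

```python
"""Weekly PII access review, as an added example (not from the article).

Three checks over constructed data: accounts still holding PII access after
an HR-recorded employment change, log entries showing access on or after that
change date, and per-user access counts for the review window.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import date, datetime

# Constructed: accounts with read access to the PII share, as a directory export might list them.
PII_READERS = {"asmith", "bjones", "cwu", "svc_backup"}

# Constructed: HR roster of employment changes (termination or transfer out of the role).
HR_CHANGES = {
    "bjones": date(2009, 7, 14),   # left the company
    "cwu": date(2009, 7, 17),      # transferred to a role with no PII need
}

# Constructed: one week of lines from a hypothetical file-server audit log.
LOG_LINES = """\
2009-07-13T08:02:11 user=asmith action=read path=/pii/customers.csv
2009-07-13T09:15:42 user=bjones action=read path=/pii/customers.csv
2009-07-15T22:40:05 user=bjones action=read path=/pii/accounts.xlsx
2009-07-16T03:00:00 user=svc_backup action=read path=/pii/customers.csv
2009-07-18T11:21:33 user=cwu action=read path=/pii/customers.csv
2009-07-19T14:05:09 user=asmith action=write path=/pii/customers.csv
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_log_line(line: str) -> dict | None:
    """Parse one audit-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def stale_accounts(readers: set[str], hr_changes: dict[str, date], as_of: date) -> list[str]:
    """Accounts that still have PII access although HR recorded a change on or before as_of."""
    return sorted(u for u in readers if u in hr_changes and hr_changes[u] <= as_of)


def post_change_access(lines: list[str], hr_changes: dict[str, date]) -> list[tuple[str, str, str]]:
    """(user, timestamp, path) for every access on or after the user's recorded change date."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        changed = hr_changes.get(rec["user"])
        if changed is not None and rec["ts"].date() >= changed:
            hits.append((rec["user"], rec["ts"].isoformat(), rec["path"]))
    return hits


def access_counts(lines: list[str]) -> dict[str, int]:
    """Per-user count of PII accesses in the log window: the 'who touched the data' view."""
    counts: Counter[str] = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            counts[rec["user"]] += 1
    return dict(counts)


def weekly_review(as_of: date = date(2009, 7, 20)) -> dict:
    """Bundle the three checks into the report a reviewer would read each week."""
    return {
        "stale_accounts": stale_accounts(PII_READERS, HR_CHANGES, as_of),
        "post_change_access": post_change_access(LOG_LINES, HR_CHANGES),
        "access_counts": access_counts(LOG_LINES),
    }


if __name__ == "__main__":
    for key, value in weekly_review().items():
        print(f"{key}: {value}")
```

Two points the constructed data is meant to surface: the first `bjones` entry is not flagged because it predates the HR change, so the reviewer only sees genuinely out-of-policy access; and `svc_backup` has no HR record at all, which is why service accounts need a named owner and a separate review rather than relying on the employment roster.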
Organizations need to know who is responsible for compliance, whether it's legal, IT or operations. "Sometimes it's IT leading the project and coordinating, sometimes it's information security. I kind of like [security] to be responsible. You very rarely see someone from a business leading it; data crosses over business units. You need some sort of corporate oversight to coordinate amongst multiple departments."
Vulnerability management, particularly as the threat environment changes, is another issue Mackey covered in depth. Another audience member wondered if it would ever be unreasonable not to deploy a patch. "In my opinion, deploying some patches may break other security measures, undermining the success of the business," Mackey responded. "Does that mean you shouldn't have an action plan for addressing that vulnerability over time? Absolutely not."
Encryption of data at rest in 201 CMR 17
One of the most contentious issues, both with respect to implementation and cost, were the encryption requirements. One audience member wondered, "Where does encrypting data at rest come in? We have a series of tape drives; are those removable devices?" As SearchCompliance.com executive editor Scot Petersen blogged regarding compliance with data protection regulations:
"As far as data at rest is concerned, there's no such language, in the Code of Massachusetts Regulations or the Massachusetts General Law, a fact pointed out by a third participant in the conference, consultant Richard Mackey. [Gerry Young, secretariat chief information officer for the Massachusetts Executive Office of Housing and Economic Development] then responded: 'There is a requirement for encryption of data at rest in 93H that radiates forward [to MA 201 CMR 17].'"
After poring through the text of M.G.L. 93H over lunch, Mackey confirmed that the statute contains no data-at-rest encryption requirement, and later in the day, Young and Murray recanted their statement and said encryption of data at rest should be considered a "best practice" only.
So where is encryption required? Organizations need to encrypt the PII of Massachusetts residents in three situations:
- Transmission across public networks such as the Internet.
- Transmission on wireless networks.
- When PII is stored on laptops and other portable devices.
As Petersen reflected in his post, however, "Encryption of data at rest -- in databases, backup tapes, servers, SANs, etc. -- is no simple task. Key management, disaster recovery and application performance pose difficult problems for even large companies, let alone small businesses."
Major challenges are ahead in both determining cryptographic standards and containing the cost of key management: where keys may be stored, who holds them and when they must be rotated. Mackey advised that organizations determine who is responsible for selecting technology, which types of encryption are acceptable and how encryption relates to particular types of data. "Your existing security policies are a good starting point. You need to ensure that your policies address unique requirements from the law: data lifecycle and encryption."
Any organization that stores or transmits the PII of Massachusetts residents now has just over five months to comply.