The deadline for compliance with the nation's most comprehensive data protection law, 201 CMR 17.00, has been extended by 60 days to March 1, 2010. The Office of Consumer Affairs and Business Regulation (OCABR) amended certain provisions in response to widespread concern in the business community.
The news came Monday, the same day three men were indicted for data breaches at Hannaford Bros. Co. and Heartland Payment Systems Inc. The theft of 130 million credit and debit cards is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. The cybercriminals' exploits included the data breach at The TJX Companies Inc., which instigated the creation of the Massachusetts data breach law (Chapter 93H) and, subsequently, 201 CMR 17.00.
The new version of the law shifts its approach to information security in a number of ways that are important for compliance officers to understand, although the overall shift to a risk-based approach will be familiar to most. "The federal laws -- specifically Gramm-Leach-Bliley -- all adopt a risk-based approach," said Barbara Anthony, Massachusetts undersecretary of consumer affairs, in an interview with SearchCompliance.com. "In amending the regulation, we tried to make clear that these rules would also adopt a risk-based approach. Businesses should write their own plan that takes into account the risk specific to the business. We're setting up a destination, not an approach."
Implementation requirements now specifically take into account a particular business' size, scope of business, available resources, need for information security and the nature and quantity of data collected or stored. The incorporation of this recognition into the regulation itself reflects the views expressed by OCABR's general counsel, David Murray, who said earlier this year that "liability is always driven by context. What's reasonable may vary by resources, as a judge will have to assess the responsibility of each party after a data breach."
From overly prescriptive controls to a risk-based framework
The shift to a risk-based approach is particularly relevant to small businesses that do not transmit or store large amounts of personal information. "This major shift from being prescriptive -- think PCI -- to being descriptive -- think HIPAA -- is in theory a good thing," said David Mortman, chief security officer in-residence at Mason, Ohio-based security consultancy Echelon One. "Descriptive regulation gives organizations some flexibility that prescriptive regulation does not, at least in the eyes of many auditors. This flexibility, however, is only really useful to experienced, mature organizations who already know what they need to be doing and just need 'official guidance.'"
Christophe Veltsos, president of Mankato, Minn.-based security consultants Prudent Security LLC, said, "Massachusetts deserves praise for attempting to find a balance between the need for securing sensitive data with the needs for businesses to transact in commerce. The shift to a risk-based approach should allow smaller businesses to comply with 201 CMR 17.00 without undue burden."
Encryption requirements more realistic
The contentious encryption requirement has been tailored to be "technology neutral" -- that means the 128-bit standard is out -- and "technical feasibility" has been applied to all computer security requirements.
Businesses will still need to encrypt the personally identifiable information (PII) of Massachusetts residents whenever it moves over the public Internet or wireless networks. In Anthony's assessment, each business owner should ask the following question: "Is there a better way for you to transmit the data than over the Internet?" If the answer is yes, businesses should avoid using the Internet or wireless for such migration -- and compliance headaches.
"Consumer protections have not been weakened in this amendment," Anthony said. "Monitoring, reviewing the scope of security measures -- and encryption -- is still required if you are going to transmit resident PII over public networks. What we've tried to do here is to not impose additional burdens which weren't involved in the consumer protections."
When it comes to archival storage, according to Anthony, retroactively encrypting archives is not mandatory but "encrypting backup tapes going forward will still be required."
The requirement to encrypt portable devices is also still in force. "We know right now that there's no widespread technology for encrypting mobile devices, but we know it's there for laptops," she said.
Information security professionals retain a few doubts. "I would have preferred that they had slightly better guidance then just encryption," Mortman said. "Even listing it as strong encryption would have been better."
Mortman does point out that, "Section 17.03 -- which includes the sentence 'Such comprehensive information security program shall be reasonably consistent with industry standards' -- covers that in theory and would prevent the use of WEP or ROT13."
Washington, D.C.-based Gal Shpantzer, an information security consultant specializing in encryption and data breach prevention, pointed out that the regulation may already apply to mobile devices other than laptops. "Encryption is currently available for certain versions of Palm, Symbian and Windows Mobile," he said. "BlackBerry has its own encryption software, and it's free as an easily configured security setting, even in standalone mode."
Amendments to third-party rules, access controls
OCABR also made other adjustments to specific requirements.:
- The regulation does not apply to municipalities, although the governor's executive order extending compliance requirements remains in force for all cabinet-level agencies.
- Third-party vendor requirements were also changed to be consistent with federal law, specifically the Federal Trade Commission's (FTC) Safeguards Rule. Companies are obliged to select vendors that take appropriate security measures. Anthony said there will be a two-year grace period to get third-party contracts in line.
- Restrictions on data retention and access were removed from the regulation, although Anthony said she still considers them guidelines on best practices.
Concerns for implementation, enforcement
Questions about enforcement remain. The Massachusetts Attorney General's Office, after all, has yet to enforce the regulation and show what standards its investigators find "reasonable" and "technically feasible" in a given case.
This major shift from being prescriptive -- think PCI --
to being descriptive -- think HIPAA -- is in theory a good thing.
David Mortman, chief security officer in-residence, Echelon One
Anthony offered one precedent for what that assessment might look like. "Take BJ's as an example," she said, referring to a 2004 privacy breach at BJ's Wholesale Club Inc. "In addition to credit card numbers, hackers also stole security codes. BJ's had been under obligation to delete that information as soon as the transaction was accomplished. They held onto it for 30 days for no reason. They were prosecuted by the FTC and fined."
Questions about audits and standards for implementation also still persist in the information security community. "I think in theory this is pretty decent legislation, but in practice, I feel that this will not be nearly as effective as it could have been and should have been better," Mortman said. "My larger concerns stem from the 201.CMR.11 FAQ, specifically from the 'technical feasibility' specification. The FAQ makes it abundantly clear that the Office of Consumer Affairs and Business Regulation is somewhat unclear on what the current technical options are and leaves me really worried that they are not in a position to properly assess whether or not organizations were compliant when a breach occurs."
Shpantzer also wondered about the differences between public and private when it comes to the standards for wireless security. "What are 'public airwaves,' exactly?" he asked. "Wireless transmissions bleed through buildings and perimeters and in certain cases can be captured from miles away (see 'cantenna')."
Veltos added, "I worry that the risk assessments are not going to be performed by people with the appropriate skills and depth of knowledge.
"To successfully conduct a risk assessment, the assessor must have a good understanding of the business processes, the type and amount of sensitive data handled, and the threats (including cyberthreats). For example, a doctor's office that handles patient reservation data at the front desk while another takes Web-based reservations are in two completely different risk categories. Unfortunately, it is all too common to find businesses and government entities mismanage the data entrusted to them, as the Fayetteville Public Schools identity theft case demonstrates."
For more information on the amended legislation, read "201 CMR 17 FAQ: Updates to Massachusetts data protection law" and visit Mass.gov/consumer.
Let us know what you think about the story; email firstname.lastname@example.org.