Mass. officials, compliance officers debate data protection law

By Alexander B. Howard, Associate Editor
17 Jul 2009 | SearchCompliance.com


When it comes to state regulatory mandates on data protection and privacy, the "meaning of what the word is, is" is more than Clintonian. Is a company in compliance with the Massachusetts Data Protection Act (201 CMR 17)? How, where, when, for what must encryption be used? How should an enterprise address years of backup tapes?

Judging by the packed house at TechTarget's recent seminar on 201 CMR 17, interest in these questions (and many more) is at an all-time high. Given that the nation's most comprehensive data protection law goes into effect on Jan. 1, that comes as no surprise to any industry observer. Compliance officers and storage and information security professionals want to know precisely what standards their organizations will be held to when it comes to protecting the personally identifiable information (PII) of Massachusetts residents.

Gerry Young, secretariat CIO for the Executive Office of Housing and Economic Development, and David Murray, general counsel for the Office of Consumer Affairs and Business Regulation (which promulgated 201 CMR 17), presented on the regulation and answered questions for more than an hour.

More guidance on compliance with 201 CMR 17 emerges

Although the state officials repeatedly deferred to the Massachusetts attorney general, some specific guidance did emerge. For instance, on wireless security, the vector for the infamous TJX Cos. data breach that prompted the Massachusetts Data Breach Notification Act (M.G.L. 93H), Young was specific: "You have to look at what is considered industry best practices. Specific to a wireless control, don't go out and look at WEP. Don't go out and look at WPA. Both of those protocols have been breached. You've got to go to WPA2."

Young was similarly specific on the requirements of the regulation regarding encryption of storage, stating that "magnetic tapes that get rotated must be encrypted" and that "every commercial tape drive on the market today has the ability to encrypt. It's not something you have to add; just turn it on." He went on to advise that compliance officers focus on the tapes that move, recommending that starting Nov. 1, storage admins begin encrypting, ensuring that "before Jan. 1, as you cycle through them, you've got one down."

When asked whether an administrator who has a database that includes PII fields and regularly backs it up has to encrypt the tape it rests on, Young offered further guidance: "You shouldn't have to, if you've already encrypted the database." As he has observed at previous briefings, organizations can either classify data and encrypt only personal PII, or "declare all your data as containing PII and encrypt everything."

Young further emphasized the need to consider 201 CMR 17 compliance part of a "holistic security program." "We have advocated thinking about data inflection points … are you safe at each point? You are only as strong as your weakest link." He advised that organizations expand their focus to cover internal as well as external threats. Young gave as an example the use of full-duplex test access points, "which are not IP-addressable and give you a way to monitor your network if it's under attack."

More than one audience member was fully aware of another vector that could be at issue for data protection: faxes. As one attendee put it, "It's the nature of our business that a goodly amount of data is transmitted by fax. My concern is transmission. I haven't got a clue."

Young observed that issues of "technical feasibility" apply, as described in the regulation. "There isn't a lot of protection on the binary transmission of faxes." He suggested that organizations "make sure you're protected where the faxes exist" and explore technologies like Captaris RightFax to ensure the privacy of electronic transmission.

Questions on enforcement linger

Unfortunately for those in attendance, determining the objective truth of any standard for compliance is going to require more direct advisories from the entity responsible for its enforcement, the Massachusetts attorney general's office. As Murray observed, "it is true that the attorney general is going to decide what is in compliance or not."

That caused considerable frustration, as one audience member observed: "We need definitions for what data is. We have to wait until someone gets sued to find out?" For instance, does a student ID represent PII? Murray conceded that the attorney general's office (AGO) will ultimately decide that. In Murray's assessment, however, "to the extent that the ID gets the student into a financial account, the AGO is likely to consider it PII."

SearchCompliance.com's podcast with Murray and Young is embedded below:


Let us know what you think about the story; email: Alexander B. Howard, Associate Editor, or reply to digiphile on Twitter. Follow ITCompliance for updates on 201.CMR.17 as the deadline for compliance approaches.
