Implementing compliance with the Massachusetts data protection act

By Alexander B. Howard, Associate Editor
20 Jul 2009 | SearchCompliance.com


By now, most compliance professionals are at least aware of what is widely described as the most comprehensive state data protection regulation in the U.S. With the Jan. 1, 2010 deadline for compliance with the Massachusetts data protection regulation (201 CMR 17.00) fast approaching, organizations are actively seeking guidance on which standards they must implement and how.

The urgency and interest in the precise technical requirements were keenly felt in the packed ballroom last week at SearchCompliance.com's Compliance Decisions conference, as state officials were peppered with questions from the audience. Many attendees left frustrated that those officials could not answer questions about the details of enforcement, since enforcement authority rests with the Massachusetts attorney general's office, not with the agency that wrote the regulation.

That frustration set the stage for Richard Mackey, vice president at SystemExperts Corp. in Sudbury, Mass., to present the practical details of compliance. Mackey reminded the crowd that compliance with 201 CMR 17 should not be a fresh set of concerns and tasks. If organizations already have programs that address the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), compliance officers are well on their way to meeting the demands of the regulation, which lays out the security measures that must be in place to protect the personally identifiable information (PII) of Massachusetts residents. "If you're familiar with PCI, this is a no-brainer," he said.

What is a WISP?

As he worked through the regulation's details, Mackey emphasized a basic tenet of information security: "Know what you have." Such information mapping, an inventory of where resident PII is collected, stored and sent, is critical in the context of the requirement for a written information security program (WISP). Mackey defined a WISP as "full documentation of your security program," including "the specific controls required by the law." He counseled caution as organizations draft them, however: "As far as the legal side of the house is concerned, if you put things in there that you can't do, you can be held to that document."

In Mackey's assessment, one of the most effective cost-reduction measures is data minimization: "[PII] shouldn't be in your possession if you don't need it." That matters because encryption is one of the largest costs of implementing the Massachusetts data protection law, and PII an organization does not hold never has to be encrypted, tracked or disclosed in a breach notice.
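The "know what you have" step is the part of this advice that can be partly automated. The following is an added example, not code from the article or from SystemExperts: a small inventory scanner that walks a directory tree and counts two of the identifiers that, combined with a name, make up "personal information" under M.G.L. c. 93H, namely Social Security numbers and payment card numbers. The file layout, the sample records and the file suffixes scanned are all constructed for the example; driver's license numbers are deliberately not covered because their format varies by state. Matches are filtered with the SSA's issuance rules and the Luhn checksum so that ordinary order numbers do not end up in the report.

```python
"""Inventory of 93H-style identifiers (SSNs, payment card PANs) in a directory tree.

Added example; not code from the original article or from SystemExperts.
Assumes plain-text files and U.S. identifier formats only.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes (card number layouts).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample file content; the name + SSN pair is 93H "personal information".
SAMPLE = """Customer: Jane Doe
SSN: 123-45-6789
Card: 4111 1111 1111 1111
Order id: 1234 5678 9012 3456
Invalid SSN: 000-12-3456
"""


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a digit run that fails it is almost certainly not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> Counter:
    """Count plausible SSNs and Luhn-valid PANs in one file's text."""
    hits = Counter()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits["ssn"] += 1
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["pan"] += 1
    return hits


def scan_tree(root, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Map each file that contains identifiers to its per-type counts."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue            # unreadable file: skip, do not abort the inventory
            hits = find_identifiers(text)
            if hits:
                report[str(path)] = dict(hits)
    return report


def demo() -> dict:
    """Write the constructed sample into a temp directory, scan it, return file -> counts."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "customers.csv").write_text(SAMPLE)
        (Path(tmp) / "notes.txt").write_text("no identifiers here\n")
        report = scan_tree(tmp)
        return {Path(k).name: v for k, v in report.items()}


if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
```

The output is a list of files, not a list of the numbers themselves, so the report can be shared with the business owners who must decide what to delete without creating yet another copy of the PII. In the sample, the order number fails the Luhn check and the 000-area SSN is rejected, so only the customer file is reported, with one SSN and one card number.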

Businesses need to encrypt PII that is transmitted across the Internet or over wireless networks, and PII stored on laptops and other portable devices. For each case, Mackey listed technologies that address the requirement:

  • Laptops: Windows Encrypting File System (EFS), TrueCrypt, PGP (Pretty Good Privacy) and other commercial products.
  • Thumb drives: the same options as for laptops, minus EFS.
  • Personal digital assistants and smartphones: Mackey recommended avoiding the problem entirely by keeping PII off these devices, singling out the iPhone as a particular concern.
  • Internet: SSL/TLS, virtual private networks, IPsec.
  • File transfer: Secure copy (SCP), SFTP.
  • Wireless: WPA2 with strong passphrases.

Partner management and third-party responsibility

Mackey also brought his focus to third-party risk, a serious issue given that many organizations hand resident PII to service providers for processing, and some outsource the compliance work itself to consultants or outside information security professionals.

"You need to ensure that third-party service providers have the capacity to protect personal information as described in the law," Mackey said. "This typically means verifying the existence of a WISP and inquiring about the practices the provider has in place. Best practice calls for a partner management program including risk assessment and regular reviews of provider risk and practice."

The American Recovery and Reinvestment Act has also changed the regulatory landscape surrounding HIPAA, through the Health Information Technology for Economic and Clinical Health (HITECH) Act contained within it. As Mackey observed, "In the past, only entities with the data were responsible; now, anyone possessing information is responsible."

A representative in the audience from a mutual fund company thought ahead to precisely this sort of issue, specifically the scenario where PII is outsourced to a vendor for processing. "If you have a data breach, is the vendor responsible for reporting the incident, or are you responsible for the data and reporting that?"

Mackey's opinion was that, in this scenario, "both organizations are responsible [under M.G.L. Chapter 93H]. Under this regulation, you're responsible immediately as soon as you have access to the data." That echoed the comments of David Murray in a previous session, when he described the risks of noncompliance with 201 CMR 17. The regulation also requires that terminated employees be prevented from accessing records containing resident PII; in practice, physical and electronic access has to be blocked "as soon as the admin learns" of a change in employment status, which means the HR process and the account-deprovisioning process must be linked.

Monitoring, vulnerability and incident management

Mackey also allotted time to the requirements for monitoring and incident management, both of which become urgent, and painful, in the event of a data breach or other crisis.

Mackey noted that the "WISP must include a requirement for the documentation of actions to take in response to a breach of security." When it comes to monitoring, he put it simply: To comply with the Massachusetts data protection law, administrators will need to monitor user access and security controls, inspect configurations and test connections, repeat each step on a regular schedule, and write those schedules into the program as requirements.

When asked how granular a compliance officer should get in ensuring compliance, Mackey answered that "if you can say that you look at logs weekly, I would suggest that. As long as you have a regular process to see who has access to the systems and the data specifically."
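What a "regular process to see who has access to the systems and the data" looks like in code is the point of the following added example, which is not from the article or from SystemExperts. It runs a weekly access review over a constructed, hypothetical application log (ISO timestamp, user, action, resource) and produces two things a reviewer can act on: a per-user summary of which PII resources each account touched, and findings for any access by an account that is not on the authorized list or that belongs to an employee HR has recorded as terminated, the deprovisioning failure the regulation's terminated-employee requirement targets. The log format, user names, resource paths and HR dates are all constructed.

```python
"""Weekly access review: who touched PII resources, and should they have?

Added example; not code from the original article or from SystemExperts.
Assumes a hypothetical log format: "<ISO-8601 UTC timestamp> <user> <action> <resource>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format, hypothetical users and paths).
LOG_LINES = """\
2009-07-13T09:02:11Z alice read customers/ssn_export.csv
2009-07-13T09:05:40Z bob read customers/ssn_export.csv
2009-07-14T22:17:03Z carol read customers/ssn_export.csv
2009-07-15T08:30:00Z alice write customers/ssn_export.csv
2009-07-16T11:45:12Z dave read marketing/newsletter.txt
2009-07-17T03:12:59Z bob read customers/cardholders.csv
"""

# Constructed authorization list and HR separation records.
AUTHORIZED = {"alice", "bob"}
TERMINATED = {"bob": datetime(2009, 7, 16, 0, 0)}   # date HR recorded bob's separation
PII_PREFIXES = ("customers/",)                       # resources that hold resident PII


def parse(line: str):
    """Split one log line into (timestamp, user, action, resource)."""
    ts, user, action, resource = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, resource


def review(lines: str, window_start: datetime, window_end: datetime):
    """Return (summary, findings) for PII access inside [window_start, window_end).

    summary:  user -> {resource: access count}
    findings: human-readable lines for accesses that need follow-up
    """
    summary = defaultdict(lambda: defaultdict(int))
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = parse(line)
        if not (window_start <= ts < window_end):
            continue
        if not resource.startswith(PII_PREFIXES):
            continue                                  # not a PII resource: out of scope
        summary[user][resource] += 1
        if user not in AUTHORIZED:
            findings.append(f"{ts.isoformat()} {user} {action} {resource}: not on authorized list")
        term = TERMINATED.get(user)
        if term is not None and ts >= term:
            findings.append(f"{ts.isoformat()} {user} {action} {resource}: "
                            f"access after termination on {term.date()}")
    return {u: dict(r) for u, r in summary.items()}, findings


def weekly_review():
    """Run the review for the constructed week of 13-19 July 2009."""
    return review(LOG_LINES, datetime(2009, 7, 13), datetime(2009, 7, 20))


if __name__ == "__main__":
    summary, findings = weekly_review()
    for user, resources in sorted(summary.items()):
        print(user, resources)
    for f in findings:
        print("FINDING:", f)
```

For the constructed week, the summary lists alice, bob and carol (dave only touched a non-PII file), and the findings flag carol, who is not on the authorized list, and bob's read of the cardholder file on July 17, a day after HR recorded his separation. The summary is the artifact the WISP can point to as evidence that the weekly review happened; the findings are the items that feed incident handling.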

Organizations need to know who is responsible for compliance, whether it's legal, IT or operations. "Sometimes it's IT leading the project and coordinating, sometimes it's information security. I kind of like [security] to be responsible. You very rarely see someone from a business leading it; data crosses over business units. You need some sort of corporate oversight to coordinate amongst multiple departments."

Vulnerability management, particularly as the threat environment changes, is another issue Mackey covered in depth. Another audience member wondered whether it could ever be reasonable not to deploy a patch. "In my opinion, deploying some patches may break other security measures, undermining the success of the business," Mackey responded. "Does that mean you shouldn't have an action plan for addressing that vulnerability over time? Absolutely not."

Encryption of data at rest in 201 CMR 17

One of the most contentious issues, both with respect to implementation and cost, was the encryption requirement. One audience member wondered, "Where does encrypting data at rest come in? We have a series of tape drives; are those removable devices?" As SearchCompliance.com executive editor Scot Petersen blogged regarding compliance with data protection regulations:

"As far as data at rest is concerned, there's no such language, in the Code of Massachusetts Regulations or the Massachusetts General Law, a fact pointed out by a third participant in the conference, consultant Richard Mackey. [Gerry Young, secretariat chief information officer for the Massachusetts Executive Office of Housing and Economic Development] then responded: 'There is a requirement for encryption of data at rest in 93H that radiates forward [to MA 201 CMR 17].'"

After poring through the text of M.G.L. 93H over lunch, Mackey confirmed that the statute contains no data-at-rest encryption requirement, and later in the day Young and Murray recanted their statement and said encryption of data at rest should be considered a "best practice" only.

So where is encryption required? Under 201 CMR 17.04, organizations need to encrypt the PII of Massachusetts residents in three situations:

  • Transmission across the Internet.
  • Transmission over wireless networks.
  • Storage on laptops and other portable devices.

As Petersen reflected in his post, however, "Encryption of data at rest -- in databases, backup tapes, servers, SANs, etc. -- is no simple task. Key management, disaster recovery and application performance pose difficult problems for even large companies, let alone small businesses."

Major challenges lie ahead in choosing cryptographic standards and in containing the cost of key management software, including where keys may be stored and when keys must be changed. Mackey advised that organizations determine who is responsible for selecting the technology, which kinds of encryption are acceptable and how encryption maps to particular types of data. "Your existing security policies are a good starting point. You need to ensure that your policies address unique requirements from the law: data lifecycle and encryption."

Any organization that stores or transmits the PII of Massachusetts residents now has just over five months to bring its security program into compliance.
