Mass. data protection law requirements amended, deadline extended

By Alexander B. Howard, Associate Editor
20 Aug 2009 | SearchCompliance.com


The deadline for compliance with the nation's most comprehensive data protection law, 201 CMR 17.00, has been extended by 60 days to March 1, 2010. The Office of Consumer Affairs and Business Regulation (OCABR) amended certain provisions in response to widespread concern in the business community.

The news came Monday, the same day three men were indicted for data breaches at Hannaford Bros. Co. and Heartland Payment Systems Inc. The theft of 130 million credit and debit cards is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. The cybercriminals' exploits included the data breach at The TJX Companies Inc., which instigated the creation of the Massachusetts data breach law (Chapter 93H) and, subsequently, 201 CMR 17.00.

The new version of the law shifts its approach to information security in a number of ways that are important for compliance officers to understand, although the overall shift to a risk-based approach will be familiar to most. "The federal laws -- specifically Gramm-Leach-Bliley -- all adopt a risk-based approach," said Barbara Anthony, Massachusetts undersecretary of consumer affairs, in an interview with SearchCompliance.com. "In amending the regulation, we tried to make clear that these rules would also adopt a risk-based approach. Businesses should write their own plan that takes into account the risk specific to the business. We're setting up a destination, not an approach."

Implementation requirements now specifically take into account a particular business' size, scope of business, available resources, need for information security and the nature and quantity of data collected or stored. The incorporation of this recognition into the regulation itself reflects the views expressed by OCABR's general counsel, David Murray, who said earlier this year that "liability is always driven by context. What's reasonable may vary by resources, as a judge will have to assess the responsibility of each party after a data breach."

From overly prescriptive controls to a risk-based framework

The shift to a risk-based approach is particularly relevant to small businesses that do not transmit or store large amounts of personal information. "This major shift from being prescriptive -- think PCI -- to being descriptive -- think HIPAA -- is in theory a good thing," said David Mortman, chief security officer in-residence at Mason, Ohio-based security consultancy Echelon One. "Descriptive regulation gives organizations some flexibility that prescriptive regulation does not, at least in the eyes of many auditors. This flexibility, however, is only really useful to experienced, mature organizations who already know what they need to be doing and just need 'official guidance.'"

Christophe Veltsos, president of Mankato, Minn.-based security consultants Prudent Security LLC, said, "Massachusetts deserves praise for attempting to find a balance between the need for securing sensitive data with the needs for businesses to transact in commerce. The shift to a risk-based approach should allow smaller businesses to comply with 201 CMR 17.00 without undue burden."

Encryption requirements more realistic

The contentious encryption requirement has been tailored to be "technology neutral" -- that means the 128-bit standard is out -- and "technical feasibility" has been applied to all computer security requirements.

Businesses will still need to encrypt the personally identifiable information (PII) of Massachusetts residents whenever it moves over the public Internet or wireless networks. In Anthony's assessment, each business owner should ask the following question: "Is there a better way for you to transmit the data than over the Internet?" If the answer is yes, businesses should avoid using the Internet or wireless for such migration -- and compliance headaches.

"Consumer protections have not been weakened in this amendment," Anthony said. "Monitoring, reviewing the scope of security measures -- and encryption -- is still required if you are going to transmit resident PII over public networks. What we've tried to do here is to not impose additional burdens which weren't involved in the consumer protections."

When it comes to archival storage, according to Anthony, retroactively encrypting archives is not mandatory but "encrypting backup tapes going forward will still be required."

The requirement to encrypt portable devices is also still in force. "We know right now that there's no widespread technology for encrypting mobile devices, but we know it's there for laptops," she said.

Information security professionals retain a few doubts. "I would have preferred that they had slightly better guidance than just encryption," Mortman said. "Even listing it as strong encryption would have been better."

Mortman does point out that, "Section 17.03 -- which includes the sentence 'Such comprehensive information security program shall be reasonably consistent with industry standards' -- covers that in theory and would prevent the use of WEP or ROT13."

Washington, D.C.-based Gal Shpantzer, an information security consultant specializing in encryption and data breach prevention, pointed out that the regulation may already apply to mobile devices other than laptops. "Encryption is currently available for certain versions of Palm, Symbian and Windows Mobile," he said. "BlackBerry has its own encryption software, and it's free as an easily configured security setting, even in standalone mode."

Amendments to third-party rules, access controls

OCABR also made other adjustments to specific requirements:

  • The regulation does not apply to municipalities, although the governor's executive order extending compliance requirements remains in force for all cabinet-level agencies.
  • Third-party vendor requirements were also changed to be consistent with federal law, specifically the Federal Trade Commission's (FTC) Safeguards Rule. Companies are obliged to select vendors that take appropriate security measures. Anthony said there will be a two-year grace period to get third-party contracts in line.
  • Restrictions on data retention and access were removed from the regulation, although Anthony said she still considers them guidelines on best practices.

Concerns for implementation, enforcement

Questions about enforcement remain. The Massachusetts Attorney General's Office, after all, has yet to enforce the regulation and show what standards its investigators find "reasonable" and "technically feasible" in a given case.

Anthony offered one precedent for what that assessment might look like. "Take BJ's as an example," she said, referring to a 2004 privacy breach at BJ's Wholesale Club Inc. "In addition to credit card numbers, hackers also stole security codes. BJ's had been under obligation to delete that information as soon as the transaction was accomplished. They held onto it for 30 days for no reason. They were prosecuted by the FTC and fined."

Questions about audits and standards for implementation also still persist in the information security community. "I think in theory this is pretty decent legislation, but in practice, I feel that this will not be nearly as effective as it could have been and should have been better," Mortman said. "My larger concerns stem from the 201.CMR.11 FAQ, specifically from the 'technical feasibility' specification. The FAQ makes it abundantly clear that the Office of Consumer Affairs and Business Regulation is somewhat unclear on what the current technical options are and leaves me really worried that they are not in a position to properly assess whether or not organizations were compliant when a breach occurs."

Shpantzer also wondered about the differences between public and private when it comes to the standards for wireless security. "What are 'public airwaves,' exactly?" he asked. "Wireless transmissions bleed through buildings and perimeters and in certain cases can be captured from miles away (see 'cantenna')."

Veltsos added, "I worry that the risk assessments are not going to be performed by people with the appropriate skills and depth of knowledge.

"To successfully conduct a risk assessment, the assessor must have a good understanding of the business processes, the type and amount of sensitive data handled, and the threats (including cyberthreats). For example, a doctor's office that handles patient reservation data at the front desk while another takes Web-based reservations are in two completely different risk categories. Unfortunately, it is all too common to find businesses and government entities mismanage the data entrusted to them, as the Fayetteville Public Schools identity theft case demonstrates."

For more information on the amended legislation, read "201 CMR 17 FAQ: Updates to Massachusetts data protection law" and visit Mass.gov/consumer.

Let us know what you think about the story; email: ahoward@techtarget.com or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.

All Rights Reserved, Copyright 2009, TechTarget | Read our Privacy Policy