State data protection laws offer opportunity for proactive companies


Linda Tucci, Senior News Writer
07.31.2009




Ask Internet entrepreneur-turned-retailer Dennis Kelly how he feels about the new Massachusetts personal data protection standards that are scheduled to go into effect next year, and you'd think the great commonwealth of Massachusetts had fashioned them as a marketing tool just for him.

"Given what has happened with various retailers, systems getting hacked, we figured we needed to get out ahead of it as aggressively as possible and use it as an opportunity to create a higher level of trust with our customers," Kelly says.

Kelly co-owns Wireless City, a fast-growing chain of 27 wireless stores in Florida, Georgia and Massachusetts. In business five years, the chain is an exclusive licensee for Verizon wireless products and its motto is that buying a cell phone should be fun, not painful. Or lead to identity theft. To purchase wireless devices, customers need to give carriers their Social Security numbers. "People are hesitant and concerned when they give that number out along with a whole bunch of other personal information," he said.

Adhering to 201 CMR 17.00, as the regulation is called, makes good business sense, he said. Indeed, Kelly has spent close to $10,000 on professional services from security expert Kurt Baumgarten, CISA and vice president of information security at Peritus Security Partners LLC, to ensure his enterprise fulfills the 201 CMR 17.00 compliance checklist and more. When all the boxes are checked, he says he plans to install signs advertising that fact at every cash register in his stores.

As Massachusetts goes, so goes the nation

Wireless City's take on the regulation is something of an exception, judging from the complaints registered by many of the 64 companies that filed letters during the public comment period, including Verizon in a Jan. 15 letter. And the comprehensive standards may be subject to change. There is legislation introduced in the Massachusetts Senate that would water down the requirements.

Still, Wireless City is probably smart in getting ahead on the security requirements. Many analysts believe the Commonwealth's decision to make firms take a proactive, policy- and procedure-based approach to data protection is the wave of the future, likening 201 CMR 17.00 to California's groundbreaking data breach notification law passed in 2003. After that law was passed and strengthened, 44 other states not only followed suit but also have been ramping up their post-breach penalties.

There is also a movement afoot on the federal level to look "more upstream and take a more holistic view of data protection," says analyst Ian Glazer of Burton Group Inc. H.R. 2221, a federal bill moving through committee on the Hill, "talks a lot more about data protection than post-breach penalties," Glazer says, adding that he would not be surprised to see some kind of federal legislation on data protection by year's end.

What will it cost: The state's numbers

Type Mass. data privacy law into Google and a list of advertisements pops up in the right-hand margin. There are kits you can purchase, security experts for hire, consultants, law firms at the ready. So what will it cost companies to comply? According to the state's Fiscal Effect and Small Business Impact Statement, a hypothetical small business with 10 employees should pay no more than $3,000 a year.

The analysis, which is worth reading in full, assumes the hypothetical company has three laptops and one network server serving seven desktops, as well as multiple, lockable file cabinets -- oh, yes, and an expert on hand: "…we think it more than likely that a 10-employee business would already have retained such a consultant to monitor and maintain the current installation and software in connection with protecting the company's own, and customer, information." If the business does not have an existing technical support program, make that $6,000, or $500 per month in consulting fees (see sidebar).

It's the data, not the computers

Before rushing to spend $3,000 or $6,000 or more on complying with 201 CMR 17.00, it is important to understand what the regulation does and does not require.

$3,000 or less to comply with 201 CMR 17?
In its Fiscal Effect and Small Business Impact Statement, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) estimates that small and medium-sized businesses (SMBs) with 10 employees should pay no more than $3,000 to comply with the consumer data protection requirements laid out in 201 CMR 17.00. CIO Gerry Young says he believes the cost of compliance could be even less.

"What we've been doing is working with the SMB to find as much freeware, shareware, open source code as we can. I think we can actually drive some of that cost down," says Young, who was until recently CIO of the OCABR and is now Secretariat CIO of the Executive Office of Housing and Economic Development.

He argues that businesses or consulting firms that claim the costs of compliance will in fact be much higher than $3,000 have an antipathy toward using open source and free software. "Yet if you look at the state of freeware, shareware, open source code you can't dismiss out of hand what they can do to contribute to this [data protection] model. Free options are out there to encrypt USB drives, laptops and PCs, requiring only the labor cost to do it."

Much of the technology needed to comply comes with the equipment many companies already own. For example, businesses using Windows Vista can turn on the operating system's BitLocker Drive Encryption and encrypt laptops at no additional cost, Young says.

He says he does not believe the rough spots for complying with 201 CMR 17.00 will be technology-related. But if there is an issue, it is the regulation's push to make key management front and center. "That, I think, will be the biggest issue for SMBs," Young says, because "they are just not used to dealing with symmetric and asymmetric keys and being able to hang on to the keys to decrypt." -- L.T.

Technology consultant Sarah Cortes says the first mistake companies make is to think the law is about computer hardware.

"The law does not apply to laptops, computers or machines; it applies to data," says Cortes, a principal at Cambridge, Mass.-based Inman TechnologyIT. "The law is not saying you have to get your laptop encrypted; it is saying you have to encrypt your data if it meets certain criteria."

Therein probably lies one of the most difficult tasks required of the law. Many companies, small, medium or large, don't know what data they have, or may know less about their data than they think they do. Data inventory is a big job, even more so when it involves archived data. "Even world-class companies don't really know what they have; they realize they have vast amounts of data in files all over the place," says Cortes, who counts Fidelity among her clients.

In addition, many companies believe that if they do collect confidential data they must encrypt it and meet the 20 requirements of the regulation. But the personal data protected by the law must contain a name and another piece of personal identifying information, such as a Social Security number or bank account number.

"It's like a combination lock," Cortes says. "There will be a lot of companies that have the requisite combination, but there will be many that don't, and they need to know, 'Oh, you're done. Don't worry about anything else.'"
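As an added illustration of the "combination lock" test Cortes describes, here is a small inventory pass over constructed records that flags only those pairing a name with a Social Security number or bank account number. This code is not from the article or from any firm named in it; the field names, the sample records and the assumed width of an account number are all assumptions.

```python
import re

# Constructed sample records, standing in for a small business's spreadsheet export.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "notes": "payroll"},
    {"name": "John Roe", "account": "0012345678", "notes": "direct deposit"},
    {"name": "Pat Smith", "notes": "newsletter signup"},
    {"ssn": "987-65-4321", "notes": "orphaned record, no name attached"},
    {"name": "Alex Kim", "email": "alex@example.com"},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# Assumed width for a bank account number; only checked in account-labelled fields
# so that phone numbers or order ids in free-text fields are not misclassified.
ACCOUNT_RE = re.compile(r"^\d{8,17}$")
ACCOUNT_FIELDS = {"account", "account_number", "bank_account"}


def identifiers_present(record):
    """Return the identifier types found: the second half of the 'combination lock'."""
    found = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        value = value.strip()
        if SSN_RE.match(value):
            found.append("ssn")
        elif key.lower() in ACCOUNT_FIELDS and ACCOUNT_RE.match(value):
            found.append("bank_account")
    return found


def in_scope(record):
    """In scope only when a name AND at least one identifier are both present.

    A name alone, or an SSN with no name attached, does not open the lock.
    """
    has_name = bool(str(record.get("name", "")).strip())
    return has_name and bool(identifiers_present(record))


def inventory(records):
    """Split records into those that need protection and those that do not."""
    flagged = [r for r in records if in_scope(r)]
    clear = [r for r in records if not in_scope(r)]
    return flagged, clear


def summarize(records):
    flagged, clear = inventory(records)
    return {"in_scope": len(flagged), "out_of_scope": len(clear)}
```

Records that come out of scope are candidates for the "why are we storing this at all" question the article raises, since deleting or never collecting the second identifier takes the record out of the combination entirely.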

What's a small company to do?

Large companies have many resources at hand to sort out the data, as well as automated tools used to meet other compliance mandates, such as the Sarbanes-Oxley or Health Insurance Portability and Accountability acts. What about the small, privately owned company never or rarely subject to compliance regulations before -- for example, a clothing boutique or independently owned dry cleaners?

The first question small business owners need to ask, Cortes says, is whether they are keeping personal records such as payroll or credit card data on their computers. It may be that the company uses an accountant to process paychecks, in which case the data is the accountant's problem to protect because he or she is the one storing it, Cortes says. With regard to credit card data, the question is whether the business is storing it or using a facility that passes that information off-site to a company like PayPal, which stores the information. A really small company might not have any of this data stored and it is done, Cortes says.

Or it might be storing the Social Security numbers of 10 employees and indeed fall within the purview of the law.

Before that small business rushes to beef up security, Cortes advises that it think hard about alternatives to storing the data. "Everybody jumps to the conclusion that they have to figure out how to get compliant, instead of asking why they are storing the data," she says.

Cortes cites a recent client, a Web design firm in New York that's the creative talent behind some very high-profile websites, including the one for the Guggenheim Museum. The midsized design firm, which boasts about 300 clients, had suffered a data breach. A hacker stole some information from a plastic surgeon who sold products online -- the only client this design firm had put on its own server. "I advised her to think through what it would cost to make that one site compliant. I said, 'It's not your core business, it is on a platform you built three years ago that probably should be updated anyway, and you're taking on this liability,'" Cortes recalls. She advised the firm to get the personal data off its site.

"A lot of companies are not big enough to deal with the risk of credit cards, or with Social Security numbers," Cortes says. "You can change your workflow and not accept the risk."

The holistic approach

Peritus' Baumgarten, the consultant for Wireless City, agrees that many businesses will be thrown for a loop by the new reg. "This is going to hit a lot of people with this who never had to comply with anything," he says, adding he believes many of the smallest companies will decide they just don't have the time or money to comply.

In his view, it is the broad middle swath of businesses -- not large enough for sophisticated data protection policies and procedures, but with a lot to lose if they run afoul of the law -- that are most affected by 201 CMR 17.

"They certainly don't want to be held up as the poster child for noncompliance," he says. "And they will, as we are seeing now, generally do their best to at least get the ball rolling."

Baumgarten recommends those companies that fall in this group first do a security assessment to identify their risks because the next step -- creating the written information security program (WISP) -- is a big project.

His firm has a 36-page risk self-assessment application that is online and breaks down the regulations "in layman's terms." Customers can fill that out to define where their risk lies in regard to information security and what will be expected of them by the state. The exercise also includes videos of Baumgarten and his colleagues explaining various aspects of the law, which helps fulfill the education and training components of the law.

The self-assessment then serves as the basis for a professional risk assessment, cutting down on the time and expense of having the firm do the preliminary work. The entry price for the risk assessment is $795, which includes some consulting time. The next step would be writing a WISP -- prices vary by the size and complexity of the company.

As for how precisely to comply with the law, Baumgarten's firm works off the ISO 27001 standards, which were also used to develop 201 CMR 17.00. Rather than inventory the data, "We often say why not throw a big warm fuzzy blanket over everything and treat it all the same? Think about the administrative nightmare you're mitigating by not cherry-picking every piece of data that might be categorized as critical Massachusetts resident data and trying to treat it differently than everything else," says Baumgarten, whose firm is vendor-agnostic and does not sell technology tools.

"If you have to implement the controls anyway, how about protecting all the information in your organization?" he says. "This is a new world out there. Everything is critical."
