What's the Massachusetts data protection law and what does it require?

Massachusetts' data protection law, 201 CMR 17.00, focuses on prevention rather than notification. Here are the technologies and policies you'll need for compliance.

During any given week, company X discloses that it has been breached. In fact, this year alone more than 100 companies -- the likes of Merrill Lynch, Pepsi and Monster.com, among others -- have disclosed that personal information had been compromised.

As a result, new data protection laws are taking a different approach to protecting sensitive information. While certainly not a cure-all, today's new laws are focusing on prevention rather than notification. Instead of legislating reactive data laws requiring companies to notify customers after data has been compromised, these new regulations are mandating technologies and policies in hopes of preventing a breach in the first place.

Massachusetts' 201 CMR 17.00 is such an example. This regulation, set to go into effect Jan. 1, 2010, requires all businesses that are entrusted with personally identifiable information by Massachusetts residents to take a set of prescribed steps to protect that data.

While the law takes data privacy regulations to a new level, it also forces organizations to take some measures that are just generally good security practice. Here's what you need to know about the law and what you can do to meet the requirements and the pending deadline.

What information must be protected?

The 201 CMR 17.00 regulation defines the information that needs to be protected as:

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Who is affected?

The requirements of the law apply to persons (or organizations) that "own, license, store or maintain personal information about a resident of the commonwealth of Massachusetts." There is no concept of a "covered entity" like there is in the Health Insurance Portability and Accountability Act (HIPAA) or a clearly defined set of organizations required to comply, like there is in the Federal Trade Commission's Red Flag rules.

For those unfamiliar with those regulations, they distinguish the organizations that are directly entrusted with the sensitive information from those that handle the data on behalf of those organizations. That was the case in HIPAA, in which a hospital would be a covered entity, while a service provider that stored or processed the information would be considered a "business associate." HIPAA applied only to the covered entity, which was then responsible for managing and policing its service providers or business associates.

(The covered entity concept has changed since the passage of the American Recovery and Reinvestment Act (ARRA) earlier this year. The ARRA includes The Health Information Technology for Economic and Clinical Health Act (HITECH), which has done away with the covered entity vs. business associate distinction, and now business associates are responsible for disclosing their own data breaches.)

Under the Massachusetts law, any organization, whether interacting directly or indirectly with Massachusetts resident information, is fully responsible for complying with the regulation. This difference is significant. It appears to mean that any company holding personal identifying information can be prosecuted directly for a breach -- rather than just the organization directly entrusted with the information. The lack of a "covered entity" concept makes it appear as if a service provider could be legally assailed by all affected parties rather than just the company that contracted the service. There does not appear to be a way to reduce liability.

What does compliance mean?

The regulation requires organizations to safeguard personal information in both paper and electronic form against "anticipated threats" to the confidentiality or integrity of the information. What's more, the regulation protects against the unauthorized access or use of the data that may lead to fraud or identity theft.

Data privacy requirements

Must-have technologies:
  • Laptop encryption
  • Portable device encryption
  • Firewalls
  • Antivirus software
  • Patch management software
  • Authentication system that supports lockout after multiple failures

Not specifically required, but useful:
  • Monitoring software to help analyze logs and system use
  • Intrusion detection systems
  • Identity management software
  • Vulnerability management

While the intent of the law is fairly straightforward, the regulation goes on to specify a number of requirements that some organizations, particularly small ones, might not have in place.

For example, organizations need to create and maintain a comprehensive written information security program (WISP) to secure the records containing Massachusetts residents' personal information. Compliance with this requirement is supposed to take into account the size and resources of the business, the amount of information managed and the security requirements of the information.

The controls established need to be consistent with industry best practice and with controls specified by other federal and state regulations. Further, the WISP needs to include 12 items:

• A designated person or group responsible for managing the security program.
• A method for identifying, assessing and treating risks.
• A method for improving effectiveness of security controls.
• Security policies regarding the management of personal information.
• A policy and procedure for disciplinary action in the event of policy infringement.
• A reliable method of terminating access when employees leave or are fired.
• A methodology to verify that third-party service providers will take adequate steps to secure the personal information entrusted to them.
• A practice of limiting the collection and storage of personal information to what is required.
• A practice of identifying all physical assets containing personal information to ensure they will be treated with due care.
• Regular monitoring of the security program and at least annual assessment of its effectiveness.
• Review of incidents, the organization's response activities and any corrective actions taken.
• Institution of a security education and training program for employees.

If you are acquainted with the ISO 27000 series of security standards, this list should look familiar. Virtually every one of the controls is included in those standards. Unfortunately, it is unlikely that a midsized or smaller company would be familiar with these standards and, more importantly, have anything resembling a written program including all these elements.

In addition to the program requirements, the regulation describes the following computer system security requirements designed to implement the policies included in the WISP:

• Secure authentication protocols, good identity management practices, strong passwords and automatic lockout on multiple failed logins.
• Secure access management that ensures that only appropriate people gain access to protected information.
• Encryption of all personal information that travels across public networks or on wireless networks.
• Monitoring of systems for unauthorized access.
• Encryption of all personal information stored on laptops or other portable devices.
• Up-to-date (patched) firewall and operating systems for all systems containing personal information connected to the Internet.

What do organizations need to do?

All organizations need to step through a process to understand what they need to protect, what systems affect that information, the risks to the information and systems and the controls they should deploy to mitigate the risk. This process is described in ISO 27001, but it may seem too draconian for many organizations to adopt. Furthermore, while developing a formal security program may be a natural part of larger organizations, smaller ones may find the process daunting.

In short form, if a company has very little in the way of a security program, it should follow this path:
1. Appoint a responsible party to lead the security program. This person should have some IT knowledge and an understanding of the information the organization has.
2. Identify the assets -- in other words, identify the personal information that is in your possession and where it is. If possible, isolate it to make controlling access to the information as easy as possible.
3. Analyze the risk -- consider the magnitude of risk associated with the various forms of information, including where the information is stored, who has access to it, what skills an attacker would need to compromise it, the value it might have to the attacker and the controls that might impede the attack. This practice may be beyond the reach of many non-IT organizations, so it could be a reason to seek professional help.
4. If you don't have them, draft policies regarding who should have access to the information and ensure that the accounts that exist on your systems and the access to paper files match that policy.
5. Establish tight controls over account creation on all your systems, disabling accounts for anyone who doesn't need one (or has left the company).
6. Establish a regular process of reviewing accounts and access controls.
7. Inspect your technology to ensure that you have strong passwords, good virus protection and encryption of data on portable devices and data transmitted over the Internet.
8. Ensure that employees know the importance of security of personal information to the business and their role in protecting it. You can do this by drafting a security guide or manual that describes the importance of protecting the physical security of records, keeping passwords secret and following the other policies you have defined. Reinforce this documentation with regular training.
9. Draft a procedure for responding to incidents like information leakage, virus infections and any other security compromise. This could mean calling in IT support personnel to help sort out the problem, but it's critical to outline the steps leading up to bringing in outside help.
10. Make sure systems are configured to lock out users after multiple failed login attempts.
11. Establish a process for monitoring who logged in to systems storing personal data, with specific provisions for identifying unauthorized access.
12. Ensure that all systems with personal data on them are protected by a firewall and are running up-to-date software.
13. Identify all external parties with whom you share personal information. Their treatment of the data is critical to your compliance. Ask each of them for some evidence that they comply with the requirements of the law. If possible, avoid exposing the data to them to bypass the problem altogether.
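As an added illustration of steps 4, 10 and 11 (example code written for this page, not from the article and not prescribed by 201 CMR 17.00, which names no particular tooling): a small Python review script that reads constructed authentication log lines in an assumed "timestamp user FAIL|SUCCESS source" layout, flags accounts that were still allowed to log in after hitting the failure threshold (lockout not enforced), and flags successful logins by accounts outside a hypothetical access policy list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). The layout
# "timestamp user FAIL|SUCCESS source" is an assumption for this example.
SAMPLE_LOG = """\
2009-11-02T09:00:01 alice FAIL 10.0.0.5
2009-11-02T09:00:08 alice FAIL 10.0.0.5
2009-11-02T09:00:15 alice FAIL 10.0.0.5
2009-11-02T09:00:40 alice SUCCESS 10.0.0.5
2009-11-02T09:05:00 bob SUCCESS 10.0.0.9
2009-11-02T09:30:00 mallory SUCCESS 192.0.2.44
2009-11-02T10:00:00 carol FAIL 10.0.0.7
2009-11-02T14:00:00 carol FAIL 10.0.0.7
"""

# Accounts the written access policy (step 4) authorizes on the system
# that stores personal information; hypothetical values.
AUTHORIZED = {"alice", "bob", "carol"}
LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|SUCCESS) (\S+)$")

def parse(log):
    """Return (timestamp, user, result, source) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, result, src = m.groups()
            events.append((datetime.fromisoformat(ts), user, result, src))
    return events

def lockout_violations(events, threshold=3, window=timedelta(minutes=10)):
    """Accounts that hit `threshold` failures inside `window` yet still logged in (step 10)."""
    recent_fails = defaultdict(list)
    violations = set()
    for ts, user, result, _ in events:
        # keep only failures still inside the window relative to this event
        recent = [t for t in recent_fails[user] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
        elif len(recent) >= threshold:
            violations.add(user)
        recent_fails[user] = recent
    return violations

def unauthorized_logins(events, authorized=AUTHORIZED):
    """Successful logins by accounts outside the access policy (step 11)."""
    return {(user, src) for _, user, result, src in events
            if result == "SUCCESS" and user not in authorized}
```

On the sample data, alice is reported because three failures in under a minute were followed by a successful login, while carol's two failures four hours apart fall outside the window and are not flagged.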

These steps describe activities that all companies should follow to ensure that their sensitive data is protected. Unfortunately, some organizations may not have the IT staff and the security skill to take these tasks on, but this should not be a reason to ignore the problem. The most important step is to take the time to think about your data and to know where it is stored and who has access to it. The better contained the information is, the easier the IT problems become. The rest of the steps can be done with the help of IT contractors.

Larger organizations face a different problem. While they may have the IT staff, many will not have the formal, documented security policies and procedures that would meet the requirement of a WISP. Further, they may not have established the kinds of organizational roles, service provider management processes, monitoring and incident response procedures for which the regulation calls. These companies simply have to bite the bullet and do what it takes to comply.

If you take a more global view, the steps you take to address these requirements should improve your overall security approach. After all, it pays to recognize that this law is likely the first of a long line of state and federal laws that will require the same types of controls.

Richard E. Mackey, vice president, SystemExperts Corp., ISACA/CISM, is a leading authority on enterprise security architecture and compliance.
