As the effective date of Jan. 1, 2010, approaches for Massachusetts’ data protection regulation, business owners and information security managers are getting a little bit edgy about compliance with MA 201 CMR 17.
Witness this week’s Compliance Decisions conference. There were two main questions on the minds of the attendees: enforcement (how strict?) and encryption (what to encrypt and how?). However, no easy answers are available — yet.
The answers that were given by a pair of experts — Gerry Young, secretariat chief information officer for the Massachusetts Executive Office of Housing and Economic Development, and David Murray, general counsel of the Massachusetts Office of Consumer Affairs and Business Regulation — provided a wealth of information about compliance, but in the case of enforcement and encryption, not quite enough information.
It’s not really their fault. While Young and Murray helped craft the data protection regulations, promulgated under Massachusetts General Law 93H in 2007, enforcement will fall to the Massachusetts Attorney General, Martha Coakley, and, lawyers being lawyers, Murray could not speculate as to how Coakley will seek to prosecute data breach violations. Will she come down hard on all businesses, or will small businesses be spared? What will she consider to be “reasonable” steps — cited four times in the regulation — to comply?
Coakley’s office has not been available for comment on this topic, and likely no one will know for sure what will happen until the first data breach of 2010 occurs.
That leaves business owners of all sizes with no choice but to comply with the letter of the law (or make their best attempt to). But even what that means is not clear. Young and Murray have been on the road for months, talking up the regulation to business and consumer groups, and have a well-rehearsed presentation with slides. But when asked about what data needs to be encrypted, they said everything — “data at rest” and “data in motion.”
Now, MA 201 CMR 17 is clear about data in motion, mandating “encryption of all personal information stored on laptops or other portable devices” and “encryption of all transmitted records and files containing personal information that will travel across public networks, and … transmitted wirelessly.”
This all makes sense so far. The parties responsible for the infamous TJX data breach in 2007, which gave rise to 93H, exploited the weak WEP encryption protocol for wireless networks, not TJX company servers or databases. Currently, WPA and WPA2 are considered the minimum security standard, but even that has to be implemented correctly, with strong passwords.
As far as data at rest is concerned, there is no such language in the Code of Massachusetts Regulations or the Massachusetts General Law, a fact pointed out by a third participant in the conference, consultant Richard Mackey, vice president at SystemExperts. Young then responded: “There is a requirement for encryption of data at rest in 93H that radiates forward [to MA 201 CMR 17].”
After poring through the text of M.G.L. 93H over lunch, Mackey confirmed that data at rest is not an issue, and later in the day, Young and Murray recanted their statement and said encryption of data at rest should be considered a “best practice” only.
Attendees were relieved to hear this. But the concept of a “best practice” opens up even more issues. Encryption of data at rest — in databases, backup tapes, servers, SANs, etc. — is no simple task. Key management, disaster recovery and application performance pose difficult problems for even large companies, let alone small businesses. The best practice of storage encryption may be a worthwhile goal, something to be phased in over time, but shouldn’t be something that gets in the way of the immediate requirements of compliance.
It is not surprising, then, that enforcement of MA 201 CMR 17 was delayed from its original May 2009 date to Jan. 1, 2010. Nor that a bill, No. 173, was introduced in the Massachusetts Senate earlier this year seeking to amend the underlying M.G.L. 93H law. Senate Bill 173 would change the law to say that businesses will not be required “to use a specific technology or technologies, or a specific method or methods for protecting personal information.” In addition, it would “create separate regulations for small businesses … that reflect said small businesses unique situation and resources.”
So where are we? No one really knows for sure. What we do know is that Massachusetts employers, and out-of-state businesses that employ Massachusetts residents, must have a compliance plan well under way by January 1.