consumer protection

Aug 20 2009   6:09PM GMT

Amended Massachusetts data protection act focuses on risk management

Posted by: Sarah Cortes
Federal Trade Commission, risk management, Information security, consumer protection, Security, Gramm-Leach-Bliley Act, FTC, 201 CMR 17.00, Massachusetts’ Data Privacy Law, privacy, data protection, regulation, compiance, IT compliance

As Alexander Howard reported earlier today, the Massachusetts data protection law has been amended. The revised data privacy regulations — 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth” — include several key updates. If you are an information security professional, take note of these changes, as they will likely have practical implications.

The most immediate impact is the provision for an additional 60 days to comply with the regulations. The deadline for implementation is now March 1, 2010.

Individuals and municipalities have expressly been removed from guideline jurisdiction, with a clarification that the “regulation applies to those engaged in commerce.” Guidelines on the requirement for a written information security plan are now simplified.

A new definition for the term service provider was added. The Office of Consumer Affairs and Business Regulation also amended third-party vendor rules. There is now a two-year grace period, relative to existing contracts, and requirements for those third parties to be in compliance.

Encryption requirements have been clarified. The apparently strict but, practically speaking, vague 128-bit specification from the prior version was replaced by “technology-neutral language.”

Further, a “technical feasibility” standard has been incorporated, acknowledging that methods to securely encrypt data on portable devices may not yet be available. Email encryption now falls under the technical feasibility standard. Additionally, encryption of backup tapes has been clarified to include prospective encryption. So you may safely cancel your firm’s plans to encrypt existing backup tapes. Encrypting new backup tapes will still be required, along with any personal data that travels over the public Internet or wireless network.

In another change that I believe will ultimately enhance consumer protection, 201 CMR 17.00 has been brought in line with certain federal regulations. Specifically, the Massachusetts data protection act now cedes authority to the Federal Trade Commission’s (FTC) standards established under the Gramm-Leach Bliley Act (GLBA). GLBA utilizes a risk management approach to data security.

The patchwork of 44 different state health data protection laws has delayed electronic automation of, and therefore overall security for, health records. Adopting a federal standard, starting with the FTC’s risk-based approach to data protection, avoids this pitfall and may make widespread compliance both more feasible and more likely in the near future.

On one hand, a risk management approach should be familiar to IT professionals. It shifts resources from “check-the-box” controls that may or may not address a particular organization’s specific risks to controls that make more sense in context. On the other hand, given the concrete definition of the personal information in scope, it is difficult to see where risk management would not be present whenever such personal data is stored.

“Mandating every component of a program and requiring its adoption, regardless of size and the nature of the business and the amount of information that requires security, makes little sense in terms of consumer protection,” said Bradley MacDougall, of Associated Industries of Massachusetts. Risk management and assessment will afford more consumer protection by matching a given business’ actual risks with required security investments.

Jun 23 2009   11:13AM GMT

Should data security and privacy laws specify data encryption?

Posted by: Sarah Cortes
Privacy Law, Health Insurance Portability and Accountability Act, Massachusetts Senate, Information security, Cryptography, business, Security, Data Security, privacy, HIPAA, SOX, GLB, Massachusetts Data Security and Privacy Law, California Data Security and Privacy Law, data encryption, IT security, compliance, consumer protection, civil liberties, MGL 93H, Massachusetts’ Data Privacy Law, 201 CMR 17.00, Massachusetts SB 173, Technology

The proliferation of data security and privacy laws from state and federal agencies has created challenges and complexities for all entities that store and use data. One of the most controversial areas for these laws is whether or not they should specify data encryption as a requirement.

Issues currently confronting lawmakers, IT security, privacy and compliance professionals, businesses, and consumer protection and civil liberties groups include:

1. Which laws currently specify encryption and which do not? What, exactly, do they specify?
2. Should encryption be included at all in these laws?
3. If so, what, exactly, should be specified?
4. If not, what should the laws require?

One viewpoint holds that data encryption is a fundamental protection and strengthens consumer protection and privacy. From this viewpoint, laws that fail to specify encryption are weak, overly slanted toward business’ interests and inadequately protective of consumers and individuals’ privacy rights.

The counterpoint to that view, held by others, is that:

• Encryption as specified in current laws is a vague term, and thus somewhat meaningless.
• Specifying current encryption standards more concretely likely ensures the laws will quickly become outdated as technology advances.
• Mentioning encryption vaguely, without clear standards, creates business risk and uncertainty for those doing business in the commonwealth.
• Deviating so far from legislation in other states and federal approaches, in areas such as encryption and certification of third-party vendors, creates a situation where those third-party vendors may find it not worth implementing these capabilities just to do business in Massachusetts, leaving organizations at a competitive disadvantage without providing real benefit to consumers and individuals.

M.G.L. 93H, Massachusetts’ Data Privacy Law currently seems to specify encryption:

“Encrypted” transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

However, this definition does not set forth any circumstances under which data must actually be encrypted. When detailed regulations were issued in the form of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, regulators further specified that:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall [include] the following elements: Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

An amendment currently under consideration in the Massachusetts Senate, SB 173, would seem to reverse that:

The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

What do you think? Should data security and privacy laws specify data encryption?