MA Data Protection Law archives - IT Compliance Advisor

IT Compliance Advisor: MA data protection law

May 18 2009   4:51PM GMT

What will compliance with the Massachusetts data protection act mean?



Posted by: Alexander Howard
Massachusetts Senate, Massachusetts, Information privacy, Law, privacy, Security, 201CMR17, data protection, regulatory compliance, MA data protection law

A bill being discussed in the Massachusetts Senate proposes major changes to MA GL 93H, the Data Breach Notification Act. These changes could in turn result in revisions to 201 CMR 17.00, the data protection regulation promulgated by the Office of Consumer Affairs and Business Regulation (OCABR), including removal of specific encryption requirements and deference to federal statutes.


We wrote about it last week in “Mass. Senate seeks to amend, weaken data breach notification law.” As you know, we’ve been covering news on the nation’s most comprehensive data protection law since the beginning of the year, including a podcast with the OCABR CIO and general counsel:

•    Podcast: New Massachusetts data protection law mandates IT compliance
•    Panels describe risks of noncompliance with Mass. data protection law

Kevin Beaver, a contributor to SearchCompliance.com, offered his commentary on the situation nationally: “Are you out of the loop on state data breach notification laws?”

Sarah Cortes reminded the readers of SearchCompliance.com last week of the risk of penalties for violating data privacy laws.

Anne McCrory, editorial director for the CIO/IT Strategy Media Group at TechTarget, has also weighed in with her view: “It’s time for a federal data protection act,” following Scot Petersen’s take: “Red Flags Rule delay reveals troubling pattern developing.”

Our sister site, SearchSecurity.com, posted some additional advice: Encrypt now to meet new Mass. data protection law.

So with all that out there, here’s what I’m wondering:

What do you think of the law?

What are your thoughts on the proposed revisions?

How are you approaching compliance with the regulation?

Do you have clients or partners that you are advising on the topic? What do they think?

I’ve been interviewing many of our readers on precisely these questions, including many thought leaders, CISOs, privacy officers and CIOs. I’d be grateful for your thoughts as well.

Please write to editor@SearchCompliance.com or directly to me at ahoward@techtarget.com.

As you know, you can also find us @ITCompliance on Twitter.


May 6 2009   4:32PM GMT

Red Flags Rule delay reveals troubling pattern developing



Posted by: Scot Petersen
Red Flag Rule, FTC, PCI, MA data protection law, data protection, data leakage

May 1 passed without the raising of the Red Flags: The Federal Trade Commission announced a delay in the enforcement of the Red Flags Rule, which requires creditors and financial institutions to implement written programs to detect, prevent and mitigate identity theft in the accounts they hold.

Last week, the FTC said it will delay enforcement until Aug. 1, “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.”

This is the second enforcement delay of a major data protection rule. Massachusetts extended enforcement of its 201 CMR 17.00 regulation until Jan. 1, 2010, from the previous enforcement date of May 1, 2009 (itself an extension of the original Jan. 1, 2009 date), also to give constituents more time to get into compliance.

Security expert and SearchCompliance.com contributor Paul Roberts of The 451 Group sees a pattern developing, which he relayed in an email:

“I think the decision to delay Red Flag Rule enforcement is yet more evidence that the public sector has a lot to learn about formulating and then implementing data privacy regulations. What’s so interesting is how closely the FTC’s Red Flag Rule headache parallels Massachusetts regulators’ headaches trying to implement their “toughest in the nation” data privacy laws.

“The lesson in both cases is that regulators need to put down the sledgehammer when writing these new rules and spend more time refining their scope and soliciting input from the private sector so that they understand the practical impact of new requirements on businesses, nonprofits and individuals. Practically: Some kind of phased-in approach to enforcement would seem to make sense. And, as with the PCI regulations, it might be smarter to have an iterative process to writing these kinds of regulations, rather than trying to fix a complex problem (data theft, data privacy) in one fell swoop. So you might start with small-bore regulations that have teeth, but are focused on clear problems and easy to implement, then expand and refine them over time, as conditions change.”

Seems like smart advice. Perhaps security, compliance and risk managers from corporate America should start calling for a change of strategy from federal and state lawmakers. He’s also right that the “public sector has a lot to learn about formulating and then implementing data privacy regulations.” As we have also pointed out, many compliance, security and risk managers are finding themselves out of the loop, creating a major disconnect between the new laws and the efforts many companies are putting forth to get into compliance.


Apr 16 2009   6:20PM GMT

Email to the Editor: 201 CMR 17.00, ID theft and data protection



Posted by: Alexander Howard
identity theft, Gramm-Leach-Bliley Act, Information security, compliance, Email to the Editor, MA data protection law

Great article ["Panels describe risks of noncompliance with Mass. data protection law"]. Numerous thought-provoking statements in this article and in the legislation itself. My first thought is that this regulation shouldn’t be so shocking, surprising and difficult to comply with. It’s all about doing the right things, as Rebecca Herold stated.

Information Security Officers, IT professionals and consulting firms have been telling the companies for whom they work to do this for years. But many firms, even those that are highly regulated, have traditionally taken a wait-and-see approach since they can’t seem to find the ROI. Locking down USB ports, encrypting hard drives and encrypting mail that contains sensitive data is just too “inconvenient” for them. I ask them, “What’s your reputational risk worth?”

This legislation goes hand in hand with the Red Flags Identity Theft Prevention rule that went into effect Nov. 1, 2008, for similar types of business. After a deeper look, it was determined that there were more than 10 million businesses throughout the country that would need to be examined. That’s nearly 10 million more than the number of examiners in the field to assess them.

While a great deal of the focus for Red Flags is certainly on the banking industry, in terms of governance and enforcement, my car dealer never heard of it. Neither has my attorney friend, who is the compliance officer at the insurance agency that wrote my general liability and errors & omissions policy and also provides my life insurance. They have no such program in place. And what about the gas station that still uses multipart forms to take my credit card information? I better ask the attendant how their efforts are going to comply with MA 201 CMR 17.00 before I fill up.

Legislation is great, if practical, but governance and enforcement is even better. I’d love to hear how the regulators plan to enforce it for those outside the banking sector, which at least makes a strong effort to comply and do the right thing. I also wonder about vendor management. Third-party providers must comply with the regulation by Jan. 1. Thus, it’s incumbent upon those who use third parties to ensure that those controls are in place at those third-party companies.

For the banking industry, the third key point of GLBA 501(b) requires oversight of service providers, meaning that even though you’ve assigned your risk by outsourcing a function or process to another company, you’re not relieved of your responsibility to ensure that controls are in place to protect sensitive data and systems. Heartland sound familiar? Hannaford sound familiar? TJX ring a bell? There are many others out there as well but just not as high profile. There’s always a box of tapes with a few hundred thousand customer names, account numbers and SSNs that’s been lost or misplaced or that fell off the truck. Or a dumpster that’s been raided for the sensitive info that employees have haphazardly discarded, despite policy for proper destruction and disposal.

A formal vendor management program is a requirement! And the banking sector has seen tighter and tighter regulatory scrutiny and examiner focus in this specific area over the past year or two, but there’s still a long way to go. There are very specific components to a sound and compliant vendor management program. These include vendor inventory, status tracking, periodic monitoring, due diligence, contract review, risk rating, reporting and policies and procedures. This is a long haul for those not in the heavily regulated banking sector. So, again, it will come to being all about governance and enforcement and the penalties for noncompliance to make this legislation effective.

And my final thought is that Massachusetts should at least be commended for taking a stand. I’ve read countless critiques of the legislation but haven’t seen anyone state in writing that MA should be commended for doing something to try to protect the consumer. Any time you stick your neck out, you’re bound to get slapped.

Mick Kless
Managing partner
R.I.S.C. Associates

Let us know what you think about our stories. Email editor@searchcompliance.com.



Mar 13 2009   8:54PM GMT

Coming: State privacy laws run amok



Posted by: Scot Petersen
conference, compliance, governance, risk management, regulatory compliance, data protection, MA data protection law, encryption

As business owners are preparing for the new Massachusetts data protection regulation, also known as 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, due next year, a potential quagmire is building.

Speaking at the TechTarget Compliance Decisions Summit March 12, Laurence Anker, engagement manager, technology risk management for Jefferson Wells International, said the coming influx of state privacy laws will create “a mess.”

Only about half of the states have laws governing personally identifiable information, but several more, including Massachusetts, are crafting tough laws that will put new burdens on businesses, especially SMBs, and businesses outside of the state that employ Massachusetts residents.

These laws will cover areas such as secure storage of data, encryption of data and access controls, as well as require businesses to create written, comprehensive security and privacy policies for personal data.

Such tasks are formidable but not impossible. Multiply the Massachusetts law by 50, however, and it’s easy to see how difficult it will become for some businesses to make sure they are in compliance with every state’s privacy law.

Anker said he does not expect new state laws, as they come onto the books, to conflict directly with one another. Rather, business entities will have to decide how to manage compliance with state privacy laws that carry different degrees of requirements. Most likely, businesses with a widespread employee base will standardize on, and comply with, the state with the toughest privacy law.

Or, Anker said, there could be a day when state privacy regulators will join an organization similar to the National Association of Insurance Commissioners, which will seek to normalize the state privacy laws and help the states enforce them.


Mar 13 2009   6:03PM GMT

Risk-based approach to information governance at Compliance Decisions



Posted by: Alexander Howard
conference, compliance, governance, risk management, regulatory compliance, data protection, MA data protection law, encryption, Twitter, Virtualization, Capability Maturity Model Integration, Information security, Risk assessment

As I wrote yesterday, the Compliance Decisions Summit got off to a great start when Eric Holmquist and Richard Mackey considered the future of compliance in their talks before a crowded hall of auditors, compliance officers, CIOs and information security professionals.

The second half of the day featured Holmquist again, this time exploring a risk-based approach to information security governance, and Laurence Anker, speaking about managing the cost and complexity of compliance through governance.

We posted the following tweets on our ITCompliance account over the course of the afternoon. The #CSD09 you see below is a hashtag we chose to track tweets related to the seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s digest of compliance headlines from Twitter.

All four seminars from Compliance Decisions will be available soon from SearchSecurity.com and SearchCompliance.com, along with an exclusive interview with Mackey exploring the ramifications of virtualization to compliance management.

A Risk-Based Approach to Information Security Governance

Lunch over, video recorded w/Mackey on #virtualization & #compliance. Next: Holmquist on a risk-based approach to infosec governance. #CSD09

“Information security must be approached as a business issue, not an IT issue. Then we can consider risk mgmt practices.” -Holmquist | #CSD09

“You can’t buy your way out of a data breach.” -Holmquist | #CSD09 | #riskmanagement

RT @scotpe Adding: “chief security officer does not belong in IT.” Where does s/he belong? [ <-- Good question. Any answers? ]

Holmquist recommends forming a #security council. Give it authority, include senior execs, make cross-disciplinary, safe & visible. #CSD09

Key insight for creating a culture of cooperation vs. risk: “Make it safe to fail” -Holmquist | Don’t underestimate “gut feelings” #CSD09

Back to #compliance basics: “Everything starts with a risk assessment, not controls. Manage to assessed risk, not perceived risk.” | #CSD09

“Insiders are exponentially more of a threat than outsiders. The ability to respond quickly & effectively is critical” -Holmquist | #CSD09

“You can approach assessing risk in 4 ways: IT systems, electronic data, physical files & third parties. Focus on accountability.” #CSD09

“Risk is quantified in 4 broad categories: What’s at risk? What would be the impact? What could be the source? What can we mitigate?” #CSD09

RT @scotpe Scare the CEO: Statistically speaking, “someone is planning to steal your data right now, thinking about it or doing it” #CSD09

Paused for another message from another sponsor of #CSD09 & a networking break. Door prize drawing up next for a Flip, iPod & a GPS unit.

Managing the Cost and Complexity of Compliance through Governance

Now up at #CSD09: Anker on managing the cost & complexity of #compliance through #governance. Session info: http://bit.ly/J9OP

Anker began his seminar at #CSD09 talking about the importance of IT governance. @rlebeaux just reported on that: | #TTGT

@rlebeaux reported on aligning IT governance & corporate governance in an economic #recession -> http://bit.ly/PDfkk

Insurance for IT risk? Anker notes standard policies may not address IT exposures like a data breach or reputational damage. #CSD09

“An organization’s info & other intangible assets account for 80%+ of its market value.” -IT Governance Institute (ITGI) | #CSD09

In discussing key requirements of the new MA data protection law, Anker notes WISP: written information security program | #CSD09 | #acronym

Great Q&A on provisions of the MA data protection law w/Anker to end. @rwestervelt reported on its extension: http://bit.ly/yMBgP #CSD09

Conclusions from Compliance Decisions

You’ll be reading, hearing more and seeing more of Holmquist, Anker and Mackey on SearchCompliance.com. All three men will be contributing experts in upcoming articles, podcasts or video.

Writers from both SearchSecurity.com and SearchCompliance.com will continue reporting on the Massachusetts data protection law and its ramifications for IT professionals and businesses nationwide. Clearly, many questions remain about the regulatory impact of the law on IT operations.

As Robert Westervelt reported, the deadline for the Massachusetts data protection and encryption regulation was extended to Jan. 1, 2010.

“We understand the impact of the current business environment and feel this is an appropriate time frame for companies to implement the necessary protections,” Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a statement.

Westervelt noted a key change in the updated version of the regulation: “The extension includes a revision to the rules relaxing a requirement holding third parties accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.”

As noted to the audience during the question-and-answer session with Anker, SearchCompliance.com recorded a podcast last month with Gerry Young and David Murray of the Massachusetts Office of Consumer Affairs and Business Regulation. The CIO and general counsel, respectively, discuss the details of the new data protection rules:

Massachusetts data protection law mandates IT compliance [Download the MP3]

The provision of third-party compliance as proven by a “WISP” came up during the course of the interview, if not under that name. Regardless of the documentation requirements, small businesses and enterprises alike considering outsourcing data protection and encryption compliance will need to make sure that service providers, VARs and consultants certify, and appropriately explain, where and how their work brings an organization into compliance with the Massachusetts regulation.

On a final note, we picked up dozens of followers on Twitter yesterday and earned two kind endorsements of our coverage from PrivacyProf and DanPhilpott. Thank you, Dan and Rebecca!