AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY
Wednesday, March 04, 2009
Ten Steps for the Mass Data Security Law
Massachusetts recently pushed back the implementation date of the Massachusetts Data Security law, formally known as 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. This law, which was scheduled to take effect on January 1, 2009, was originally delayed to May 1, 2009 and then delayed again to January 1, 2010. While there are no guarantees that the law will not be pushed back a third time as we approach the end of 2009, prudent organizations should not count on this and should take the opportunity provided by this extension to get in compliance.
There are two interesting things about this law. The first is that the law empowers the Commonwealth to conduct audits to validate compliance. This means that a company that has not suffered a breach could still find itself running afoul of the law. Whether or not the Commonwealth will actually perform pre-emptive audits is anyone’s guess, but it makes sense to be prepared just in case. The second thing is that there are no penalties specifically prescribed at this time for non-compliance. What this means for companies found in breach of the law is something for the lawyers to debate, but the lack of specific prescribed penalties leaves the door wide open for the Commonwealth to use its judgment.
So, here are ten things that you can undertake over the next ten months to achieve compliance:
- Read the Law – If you have not done this, now is the time to do it. It is written in a fairly straightforward manner and should be easy for most people to understand.
- Educate Your Staff – Do the Executives know about this law? How about the line staff? Everyone needs to know what the Commonwealth is expecting with respect to this law, so an education program is important.
- Review Your Written Security Plan – The Commonwealth has provided some very specific guidelines as to what a security plan must contain as well as how often it must be updated and by whom. Read and understand the specific guidance in the law and make sure that your plan meets the stated criteria.
- Say What You Do, Do What You Say – While it’s important to clearly spell out in your written plan what you do to achieve the stated security objectives, it is even more important to ensure that you comply with your plan. In the past, the Federal Trade Commission has acted against companies that said they did certain things in their Security Plans but in practice did not, and it is a good bet that the Commonwealth will be looking for this.
- Pick the Low Hanging Fruit – The Law prescribes certain technical safeguards, such as encrypting laptops, PDAs, and other portable devices such as USB keys if they have Personally Identifiable Information (PII) on them, and encrypting PII that is transmitted across public networks or wirelessly. If you can’t be sure that you have a strong wall around the PII in your enterprise, then take the safe approach and encrypt everything you can.
- Document Your PII – Start the process of documenting where in your environment PII lives. HR and Accounting are good places to start, as both of these departments usually maintain information about employees that falls within the scope of the law. Begin with their data repositories (the HR and Accounting systems themselves), then trace where that data is exported, copied, and reported to. This can also be a good opportunity to get a better handle on your business processes.
- Don’t Rely on Policy – Having a policy that prohibits placing PII on unsecured devices is not likely to save you if you have a breach. The law prescribes specific technical steps to take, and it is likely that the Commonwealth will look for technical controls rather than policy to control the flow of PII.
- Network with Peers – No one has all of the answers yet, so there is a lot of value in discussing prospective plans of action with your peers to see what they are planning to do.
- Evaluate Existing Technologies – You may very well have technologies in house that can help you meet the new security requirements. Revisit these technologies with the help of the vendor or consultants and see what you already have that can be adapted to meet the Security Law.
- Talk To Your Attorney – In the end if you find yourself facing legal action as a result of this law, it’s going to be up to your attorney to help defend you. Now is the time to run potential courses of actions past your legal team – get their feedback and integrate it into your planning.
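The "Document Your PII" step above is the one that most often stalls, because nobody knows which file shares and exports actually hold the regulated data elements. The scanner below is an added example, not a tool from Akibia or from the Commonwealth, showing how a first-pass inventory can be automated. It looks for the two data elements that, combined with a name, most commonly bring a record into scope under the regulation's definition of personal information (Social Security numbers and payment card numbers) and validates each candidate before reporting it, so that ticket numbers, dates, and IP addresses do not flood the report. The file names and contents in SAMPLE_FILES are constructed for the example; the name-to-number association still has to be confirmed by a person who knows the data.

```python
"""Added example: first-pass PII discovery for a file inventory.

Not the article's or Akibia's code. Finds and validates candidate SSNs and
payment card numbers in text so an analyst can record which files hold
regulated data elements. Sample inputs are constructed, not real data.
"""
import re
from typing import Dict, List

# Candidate SSN: 3-2-4 digits with the same separator (dash, space or none)
# between groups. Lookarounds stop the pattern from matching inside a longer
# digit run such as a 16-digit card number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

# Candidate payment card number: 13 to 19 digits, optionally grouped by
# spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the Social Security Administration's allocation rules:
    area 000, 666 and 900-999 are never issued, group 00 and serial 0000
    are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random
    digit runs (account numbers, order IDs) of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return validated candidate SSNs and card numbers found in text."""
    hits: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            hits["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"].append(m.group(0))
    return hits


def inventory(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Map each file that holds at least one validated data element to a
    count per element type. Files with no validated hits are omitted, so the
    report is the list of places that need an owner and a control."""
    report: Dict[str, Dict[str, int]] = {}
    for path, content in files.items():
        counts = {kind: len(found) for kind, found in find_pii(content).items() if found}
        if counts:
            report[path] = counts
    return report


# Constructed sample content (hypothetical paths, made-up values).
# The IT changelog contains an invalid SSN (area 000) and an IP address,
# neither of which should be reported.
SAMPLE_FILES = {
    "hr/benefits_2008.csv": "Jane Doe,123-45-6789,Boston\nJohn Roe,456-78-9012,Lowell\n",
    "accounting/refunds.txt": "Refund to J. Doe card 4111 1111 1111 1111 ref 2009-02",
    "it/changelog.txt": "2009-03-04 patched server 10.0.0.12, ticket 000-12-3456",
}

if __name__ == "__main__":
    for path, counts in inventory(SAMPLE_FILES).items():
        print(path, counts)
```

Point the inventory at HR and Accounting exports first, then at the shares those departments copy to; every path the report lists is a candidate for the encryption requirement in "Pick the Low Hanging Fruit" and for an owner named in the written security plan.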
Above all, don’t wait. The regulatory authorities in Massachusetts do not want another major security breach to happen on their watch. This is one reason the Breach Notification law was fast tracked in 2007 and why Massachusetts is one of the first states in the nation to develop a Data Protection Law. They are likely to make things unpleasant for a company found out of compliance with the new law, and doubly so now that they have granted a one year extension.
-- Jim Barrett, Security Consulting Manager, CISA, CISSP, CIPP, Akibia
Disclaimer: The above is for information purposes only and is provided “as is” without any warranty of any kind, whether express or implied. Akibia specifically disclaims all warranties, including warranties of merchantability and fitness for a particular purpose. The above material is not intended as legal advice or professional advice by Akibia. © 2009 Akibia, Inc. All rights reserved.