- A requirement for agency information security officers, covering both security and privacy
- A requirement to develop, implement and maintain written information security plans
- A requirement for agencies to submit a self audit to the Information Technology Division (ITD)
- A greater focus on data destruction
Agencies must now give their full cooperation to ITD, which has been given more control over IT spending. One requirement that will certainly necessitate compliance or process-related changes is that agencies adopt and implement the maximum feasible measures needed to ensure the security, confidentiality and integrity of personal information and data. That means not only complying with all applicable federal and state privacy and information security laws and regulations, but also being able to demonstrate, possibly in a court of law, that legislated and industry best practice has been followed, a challenge in anybody's book. Another aspect of the order that will affect state agencies is that by September 2009, all staff and contract employees must attend information security training on how to identify, maintain and safeguard records and data. From Jan. 1, 2009, security standards and procedures must also be written into every contract that allows third-party access to electronic personal information.
Also scheduled, at the time of this writing, to take effect Jan. 1 are new and comprehensive data storage and protection regulations (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth), which apply to any private party that owns, licenses, stores or maintains personal information about Massachusetts residents. Businesses must develop and maintain a comprehensive written information security program consistent with industry standards and commensurate with their size, scope and type of business. Data encryption, security reviews, management of employee access throughout the employment life cycle, and employee training are all mandated. Because the requirements of these regulations are clear and specific, they establish a standard that could be cited to argue liability in civil suits against businesses following a data breach. Companies across the country that do business with Massachusetts residents will need to review, and probably update, their policies, practices, procedures, contracts and training in order to be compliant.
Data breach-notification legislation, enacted so far by 44 states, has done little to change the mindset of many organizations with regard to safeguarding personal data. Most still hope a breach won't happen to them and will worry about it only if it does. Mandates like the one from Massachusetts will surely be more effective. Security is mostly a people problem, and since most data loss incidents come down to human failure, I think these measures are particularly potent. Security plans and policies are all well and good, but if staff and contractors are unaware of them, their effectiveness is greatly reduced. Requiring organizations to educate their users to properly value, protect and use data will help bring about a culture in which data security is given a high priority.
This was first published in March 2009