Right now, most states have some type of breach disclosure notification requirement. But some folks might remember when this wasn't the norm -- when there were only a few states leading the breach disclosure charge and the rest weren't there yet.
At that time, we had a real pickle to contend with. Unless we knew what state our customers were residents of, we had to treat them all as if the notification requirement applied. And, at the end of the day, knowing what state customers really live in (not just what state is on record) is harder than you might think.
For most companies, the path of least resistance was pretty clear: disclose for all customers, no matter where they live. It seemed simpler at the time to just assume that the requirement applied, especially since other states were rapidly jumping on the bandwagon.

Here we are again
The reason I bring all this up is that today we're faced with a similar quandary. Last year, Massachusetts and Nevada were the first to adopt specific laws outlining minimum protections that organizations must implement for protecting the personal information of customers.
But while the Nevada law applies only to companies doing business in Nevada, the Massachusetts law doesn't limit scope in the same way. The Massachusetts law addresses itself more generally to "Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth…"
That's potentially quite a wide audience. It's possible that many organizations will find implementing the mandates of the law across the board to be the path of least resistance. As such, sitting up and taking notice of this law now is a pretty good idea.

The Massachusetts data protection law
The Massachusetts law, 201 CMR 17.00, Standards for The Protection of Personal Information of Residents of the Commonwealth, applies to organizations that maintain Personal Information about a Massachusetts resident. It outlines the minimum protections that such an organization must use to protect that data: both administrative requirements related to the organization of information security and specific technical controls that must be employed. The original timeline for compliance was January 2009, but it has been pushed back to May 1, 2009 (or longer for a few specific difficult-to-meet requirements) to allow firms time to get the requisite controls in place.
Section 17.03, Duty to Protect and Standards for Protecting Personal Information, outlines specific administrative requirements that we must adhere to, such as a formal, written information security program, designation of an individual to maintain the security program, and requirements for third parties that will have access to covered data.
Now don't be surprised if some of this sounds familiar. Organizations that have already put effort into compliance with other legislation (for example, HIPAA or GLBA) or that have taken steps to comply with industry self-regulation (e.g., the PCI DSS) may find that they've already met many -- in some cases all -- of these requirements.
But section 17.04, Computer System Security Requirements, which outlines specific technical controls required to protect the data, is more likely to catch some of us by surprise. It requires, among other things, encryption of all records being transmitted across public networks (such as the Internet or wireless networks), encryption of all data on laptops or other portable devices, monitoring of systems for unauthorized exposure of personal information, and blocking of a user account after multiple incorrect login attempts.
For industries such as healthcare, which are used to less prescriptive regulations like HIPAA, making sure that these technical controls are in place could prove quite challenging. Even if you have many of these controls, the clock is ticking toward that deadline. May 1 isn't that far away, and given the scope of the technical controls required, now's the time to bring this law into the fold of your compliance program.
Ed Moyle is currently a manager with CTG's Information Security Solutions practice and a founding partner of Security Curve. Prior to joining Security Curve, Moyle was vice president and information security officer for Merrill Lynch Investment Managers (MLIM), where he was responsible for coordinating all aspects of information security within the business unit.