SPRINGFIELD, Mass. -- A pair of Massachusetts government officials Wednesday delivered a sobering wake-up call to organizations seeking to comply with the commonwealth's new data protection law: Even with a broad range of technologies and best practices in place, companies must promptly own up to any potential breach to avoid facing enforcement actions.
During separate presentations at the Massachusetts Information Security Summit (MassISS), Diane Lawton, general counsel for the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR), and Scott D. Schafer, chief of the consumer protection division for the Massachusetts Office of the Attorney General, respectively offered insight into how to go about complying with the law and how the commonwealth plans to enforce it.
MA 201 CMR 17, widely considered the nation's most comprehensive data protection and privacy law, goes into effect March 1 after multiple delays. In short, the law mandates that businesses, non-profits and other non-government entities follow a set of "minimum standards" to protect the personal information of Massachusetts residents.
Schafer said the attorney general will be less likely to bring enforcement action against organizations that cooperate quickly and fully following a breach, prove that a breach was inadvertent and demonstrate ongoing adherence with industry best practices for data protection.
"What we don't want to read about in the [newspapers] is a breach that we should've been notified about," Schafer said. "That's going to cause problems."
While Schafer said he had no true enforcement examples to offer because the law has yet to take effect, he said his office would rely on its experience investigating past data breaches, such as those involving ChoicePoint Inc., TJX Companies Inc. and Designer Shoe Warehouse (DSW) Inc.
Factors that will determine whether the AG's office pursues enforcement action following a data breach include the specifics of the breach and how many Massachusetts residents may be affected, Schafer said. Signs of intentional criminal theft, and the steps the victim organization takes after the breach, would also weigh in the decision to enforce the new law.
He also said other factors will be taken into consideration, such as the breached organization's size, the resources available to it, its adherence to its own written information security program (WISP) -- a top requirement of MA 201 CMR 17 -- and whether it was technically feasible for it to have implemented measures that would have prevented the breach. As an example of feasibility, he noted that full-disk encryption on notebook computers is readily achievable today.
The AG's office generally works cooperatively with businesses affected by a breach in order to quickly provide information to affected Massachusetts residents, Schafer said. To that end, he strongly encouraged any organization that lost sensitive customer data, even temporarily, to report the incident to the AG's office.
As an example, he suggested some companies might be tempted not to report a stolen laptop if its data was encrypted. However, if an attacker finds a way to crack the encryption or if the encryption key is taped to the bottom of the laptop and the protected information is breached, he said such an incident would likely lead to an enforcement action if the theft wasn't initially reported.
"Any company that's broken into and there's potential access to personal information, regardless if it was stolen, should notify us," Schafer said.
Schafer offered a detailed how-to on filing a breach notification, referencing the breach-notification guidance on the Massachusetts AG's website. He said the AG's office won't pursue enforcement action merely because an organization's notification fails to follow the reporting guidelines; however, organizations that decline to correct a deficient notification after being informed of the problem will be added to the office's non-compliant list and face future enforcement action.
Separately, Lawton emphasized the need for every company that stores personal information about Massachusetts residents to develop a WISP and review and update it at least annually. The WISP should contain both business and technical data security plans, and should document how access to data is controlled, how employees are trained and monitored, and the name of the employee responsible for the program.
Lawton encouraged businesses to seek out, document and implement data protection best practices for their specific industries, "and if not," she said, "you should see what you can afford to do," referencing technologies such as trusted domains, IDS/IPS and database encryption.
The strain the new law could place on small businesses was a concern for Joanna L. Christensen, an attorney based in Ware, Mass., who attended MassISS. Christensen said she's disappointed Massachusetts lawmakers haven't considered that small businesses don't have time, money and resources to devote to MA 201 CMR 17 compliance, and that frameworks like the ISO 27000 series of standards are too complicated for many SMBs.
"For a business that has 20, 50, 100 employees, they can't assign someone to deal with this," Christensen said. "I can't afford to have someone to deal with it. I'm not T.J. Maxx."
Attendee Angus Fox, a senior consultant with IT security and solutions firm Aprotocall LLC in Westfield, Mass., said he was disappointed that the AG's office only plans to audit companies that submit breach notifications, since that's essentially a self-selecting group; Schafer told attendees his office receives at least three breach notifications per day on average, but that there are many more that aren't reported.
Fox also said he would like Massachusetts to maintain a database of "compliant" vendors to help companies find technologies that will enable compliance with the new law. He said that while MA 201 CMR 17 seems daunting, compliance is possible with a holistic approach.