Mass., Nev. data protection laws wrong, ineffective

By Eric Ogren
31 Mar 2009 | SearchSecurity.com

Massachusetts and Nevada have joined the list of states with laws legislating the steps businesses must take to protect personal information such as Social Security numbers and financial account numbers. These state regulations are exactly the wrong kind of law to be passing, but legislators compelled to take on identity theft seem intent on writing technical solutions into legal requirements.

While Nevada Revised Statutes Title 597, Section 970 (NRS 597.970) calls for personal information to be encrypted when transferred over public networks, Massachusetts 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, is far more encompassing. When 201 CMR 17.00 goes into effect in January 2010, every non-government entity that handles personal information about a Massachusetts resident must document and follow a set of security procedures that appears to have been heavily inspired by the PCI DSS.

The security industry cannot even agree on whether servers, networks or laptops are the most vulnerable to attack, so it is hard to imagine a government regulation that dictates how to secure data being either enforceable or effective. Government should be legislating behavior, perhaps by extending existing frameworks for fraud, trespassing and trafficking across state and national borders. Whatever the merits, IT organizations must prepare to defend their security programs, because states will surely continue to pass their own versions of data protection and disclosure laws.

Small and midsized organizations have the greatest problem complying with prescriptive "how to" regulations: investing in a complex technical infrastructure can drive the overhead cost per business transaction through the roof, and these firms seldom have the in-house skills needed to fulfill the statutes' requirements. They will need to find ways of doing business that either do not require storing personal information at all, or that hand the handling of personal information to a managed service that provides a reasonable level of security.

Merchant Warehouse Inc. and ProPay Inc. are two leading vendors that offer secure credit card handling services for merchants. They are examples of the kind of alternative that becomes more attractive as the liabilities of handling personal information increase. Both vendors offer end-to-end, swipe-through payment systems that:

  1. Encrypt credit card data at the swipe. The merchant is never in possession of clear-text card data, because it is encrypted inside the swipe device before it ever enters the point-of-sale (POS) system.

  2. Securely pass transactions on to the card processor. The transaction stays encrypted from the POS application all the way to the card processing company. The merchant keeps transaction receipts, but holds no personal information that must be secured.

  3. Provide automated credit card on file services. Merchants with subscription services, such as newspapers that bill monthly, can have the service handle the transaction and provide the merchant with business intelligence reports. Expensive investments in security products and audits are shared among all service members.

  4. Report all transaction information to merchants. Merchants need the intelligence of customer lists and profiles to run a competitive business.
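The four steps above describe a data-minimization flow: encrypt the PAN where it is captured, under a key the merchant never holds; let the processor decrypt and return a token; keep only the token, the last four digits and the receipt on the merchant side. The following is an added illustration of that flow, written for this page and not code from Merchant Warehouse, ProPay or any other vendor. It assumes a terminal key that the processor provisions into the swipe device (real terminals derive a fresh key per transaction with DUKPT; the single shared key and the HMAC-SHA256 counter-mode cipher here are stand-ins chosen so the example runs with the Python standard library), and it uses the industry test PAN 4111111111111111. It ends with the check a practitioner wants after deploying such a service: a Luhn-filtered scan of whatever the merchant persists, showing the naive POS record fails it and the tokenized record passes.

```python
"""Added example, not a vendor's code: swipe-to-processor flow with the PAN
encrypted in the terminal, a card-on-file rebill by token, and a scan of the
merchant's records for anything that still looks like a card number.
Assumed: the terminal key is provisioned by the processor and never given to
the merchant; the cipher is a stand-in for the terminal's real AES/TDES scheme."""
import base64
import hashlib
import hmac
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates a real PAN from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """What a DLP scan of merchant logs or databases looks for."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def _subkeys(terminal_key: bytes):
    """Separate encryption and MAC keys derived from the terminal key."""
    return (hmac.new(terminal_key, b"enc", hashlib.sha256).digest(),
            hmac.new(terminal_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def terminal_encrypt(terminal_key: bytes, pan: str) -> bytes:
    """Runs inside the tamper-resistant swipe device. Output: nonce || ct || tag."""
    enc, mac = _subkeys(terminal_key)
    nonce = secrets.token_bytes(16)
    pt = pan.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc, nonce, len(pt))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(terminal_key: bytes, blob: bytes) -> str:
    """Runs at the processor; rejects anything modified in transit."""
    enc, mac = _subkeys(terminal_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct)))).decode()


def swipe(terminal_key: bytes, pan: str, amount_cents: int) -> dict:
    """What the POS application receives from the terminal: never the PAN."""
    blob = terminal_encrypt(terminal_key, pan)
    return {"last4": pan[-4:], "amount_cents": amount_cents,
            "encrypted_pan": base64.b64encode(blob).decode()}


_VAULT: dict = {}  # processor-side card-on-file store; the merchant only holds the token


def processor_authorize(terminal_key: bytes, txn: dict) -> dict:
    """Decrypt, validate, and hand back a random token for later card-on-file use."""
    pan = processor_decrypt(terminal_key, base64.b64decode(txn["encrypted_pan"]))
    if not luhn_ok(pan):
        raise ValueError("invalid PAN")
    token = secrets.token_urlsafe(12)  # random, so the token reveals nothing about the PAN
    _VAULT[token] = pan
    return {"approved": True, "token": token, "last4": pan[-4:],
            "amount_cents": txn["amount_cents"]}


def processor_rebill(token: str, amount_cents: int) -> dict:
    """Card-on-file: the merchant sends token plus amount; the PAN stays at the processor."""
    if token not in _VAULT:
        raise KeyError("unknown token")
    return {"approved": True, "token": token, "amount_cents": amount_cents}


def merchant_record(auth: dict) -> str:
    """All the merchant persists: a receipt line with token, last4 and amount."""
    return f"token={auth['token']} last4={auth['last4']} amount={auth['amount_cents']}"


def naive_record(pan: str, amount_cents: int) -> str:
    """The 'before' picture: a POS that logs the clear-text PAN."""
    return f"pan={pan} amount={amount_cents}"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; in practice injected by the processor
    auth = processor_authorize(key, swipe(key, "4111111111111111", 1999))
    print("PANs in tokenized record:", find_pans(merchant_record(auth)))
    print("PANs in naive record:", find_pans(naive_record("4111111111111111", 1999)))
```

The scan at the end is the part worth keeping around after the service is in place: run `find_pans` over POS logs, database dumps and backups, and treat any hit as evidence that clear-text card data is still leaking into systems the merchant is now supposed to be keeping out of scope.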

Other vendors compete with Merchant Warehouse and ProPay, and organizations should investigate them. Larger organizations can mimic the approach by mapping where personal information is used within the business and finding ways to shrink its exposure. Encryption and PCI are not magic elixirs against the theft of personal information. Technology can reduce risk, but businesses will also innovate with cost-effective alternatives that avoid holding the data in the first place.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
