The deadline has been a moving target, but come March 1, Massachusetts' new data protection law is finally slated to take effect. 201 CMR 17.00, along with Nevada's 603A, which took effect in January, represents a new class of state regulations that require organizations to deploy specific controls to protect personal identifying information from unauthorized access. Massachusetts and Nevada have established a new standard for personal data protection and appear to have set the stage for more prescriptive laws at the federal level.
These new laws are the result of pressures on lawmakers to do something to combat the countless compromises of credit cards, Social Security numbers, and bank account information we hear about every day. They provide clear guidance on how personal data must be protected and who is ultimately responsible for its protection.
Instead of just requiring organizations to notify data security breach victims, the new regulations go a step further by trying to prevent breaches from occurring in the first place. Furthermore, both the Massachusetts and Nevada regulations require organizations to employ a defined set of administrative and technical controls rather than simply "implement and maintain reasonable security measures" as most existing regulations do. The Massachusetts law explicitly lists administrative and technical controls for all data collectors. Nevada lists only a few controls that apply to all data collectors, but refers to one of the most prescriptive industry security standards when dealing with merchants that accept credit cards: the Payment Card Industry Data Security Standard (PCI DSS).
Both approaches represent a significant increase in the complexity and depth of controls required of data collectors. They require organizations to expend substantial time, effort, and money to implement policies, locate personal information, and establish access controls and monitoring. Read on to learn what's required, some tips for complying, and the implications of a proposed federal data protection law.
WHAT NEEDS TO BE PROTECTED?
Any organization with personal information pertaining to a Massachusetts resident needs to protect it, according to Massachusetts' 201 CMR 17.00 regulation. So, what is "personal information?" Massachusetts defines it as:
"A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account."
The law excludes personal information that includes data lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
This definition is almost identical to the one used in the Nevada data protection law and California's data breach notification law, and it also matches most of the language in the proposed federal Data Accountability and Trust Act (H.R. 2221). This consistency helps immensely in identifying the data that needs to be tracked and protected. The one significant difference is that both Nevada and the federal bill require the security code/PIN to accompany a financial account ID, while Massachusetts law considers a name and financial account ID to be personal information even in the absence of a PIN.
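As an added illustration (not part of the article), the following Python classifier applies the "personal information" definition quoted above, the public-record exclusion, and the Nevada/federal variation on financial account numbers, so a data inventory can decide which records fall in scope under each regime. The record layout, field names and sample values are constructed assumptions, not taken from any statute text.

```python
# Added example (not from the article): classify records against the
# Massachusetts 201 CMR 17.00 definition of "personal information" and the
# Nevada 603A / H.R. 2221 variant, which requires an access code with an
# account number. Record layout and sample values are constructed assumptions.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Record:
    first_name: Optional[str] = None      # full first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None             # Social Security number
    id_number: Optional[str] = None       # driver's license / state ID number
    account_number: Optional[str] = None  # financial account, credit or debit card
    access_code: Optional[str] = None     # PIN, security code or password
    from_public_record: bool = False      # lawfully obtained public information


def has_name(r: Record) -> bool:
    # Both definitions key on last name plus first name or first initial.
    return bool(r.first_name) and bool(r.last_name)


def is_personal_information(r: Record, regime: str) -> bool:
    """regime: 'MA' for 201 CMR 17.00, 'NV' for Nevada 603A / H.R. 2221 wording."""
    if regime not in ("MA", "NV"):
        raise ValueError("regime must be 'MA' or 'NV'")
    # The exclusion for public information and the name requirement apply first.
    if r.from_public_record or not has_name(r):
        return False
    if r.ssn or r.id_number:
        return True
    if r.account_number:
        # Massachusetts: name + account number alone is enough.
        # Nevada / federal bill: the access code must accompany the account ID.
        return regime == "MA" or bool(r.access_code)
    return False


def scope_summary(records: Iterable[Record]) -> dict:
    """Count how many records are in scope under each regime (inventory use)."""
    counts = {"MA": 0, "NV": 0, "total": 0}
    for r in records:
        counts["total"] += 1
        for regime in ("MA", "NV"):
            if is_personal_information(r, regime):
                counts[regime] += 1
    return counts
```

The difference in the counts between the two regimes is exactly the set of name-plus-account-number records without a PIN, which is the gap described in the preceding paragraph.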
201 CMR 17:00: A TALL ORDER
The Massachusetts law has sent shock waves through businesses with Massachusetts resident data as it requires organizations to implement a full-fledged written information security program (WISP) complete with governance, risk assessment, partner management, preventive and detective technical controls, and an incident response process. Companies, both large and small, that have not had to comply with other data protection regulations like PCI DSS or HIPAA may be hard pressed to find the expertise or time to dedicate to the development of a security program. It's important to note that the Massachusetts data protection law is not meant to be one size fits all. In other words, the regulation is designed to take risk into account. There is language that allows an organization's security controls to be judged in light of its size, the resources it has to apply to implement the program, the amount of data it stores, and the sensitivity and risk of identity theft associated with the data.
Here is a summary of 201 CMR 17.00's required administrative controls:
- A designated person or group responsible for managing the security program
- A risk assessment and management program
- A method of assessing the effectiveness of controls protecting personal data
- An employee and contractor training program
- A set of security policies and procedures
- A method of monitoring compliance
- A means for detecting and preventing security system failures (monitoring and review)
- Specific policies and procedures relating to the storage, access, transmission, and handling of personal data
- Disciplinary measures for non-compliance
- A reliable method of promptly disabling access of terminated employees
- A program to ensure that third parties with access to personal data are competent to protect it and contractually obligated to maintain appropriate safeguards on the information
- A set of physical controls to ensure that systems, media, and paper containing personal data are protected from unauthorized access
- An annual review of security measures and reviews whenever there is a material change in business practices that may affect the security of personal information.
In addition to this long list of administrative controls, Massachusetts also requires the following technical controls:
- Secure user authentication methods, including secure protocols that do not expose passwords on the network, strong passwords, secure password storage, unique user identifiers, and optional two-factor authentication technologies
- Access control mechanisms that restrict access only to active users
- Automatic lockout after multiple failed access attempts
- Tight access controls on files and records containing personal information
- Restriction of access to those with a business need
- Removal of all vendor default accounts
- Encryption of personal records when transmitted across public networks and wireless networks
- Monitoring of systems for unauthorized use and access to personal information
- Encryption of all personal information stored on laptops or other portable devices
- An Internet firewall protecting systems and files containing personal information
- A vulnerability management program that keeps software and virus definitions up-to-date
Enforcement deadline for Massachusetts law appears to be sticking
The enforcement date for Massachusetts' new data protection law has been extended multiple times, but this time around it doesn't look like organizations can expect more extensions.
Last summer, Massachusetts officials released a revised version of 201 CMR 17.00 and extended the enforcement date from Jan. 1 to March 1. The revision came after about a year of pressure from businesses to amend the law and two previous enforcement extensions.
The revised regulation assuaged business interests by adopting a risk-based approach to take a company's size, resources and nature of the data collected into account. Also, several provisions were dropped from the required written information security program and encryption requirements were designed to be technology neutral.
BUILDING THE PROGRAM
MA 201 CMR 17.00 requires organizations to have a formal written security program. In other words, you need to have a document that describes who is responsible for managing the security program, a set of security policies governing protection and treatment of personal information, and mechanisms to implement technical controls. If you have a security program in place, your best course of action is to fold these controls into your existing policies and procedures.
If the list of controls seems daunting, take heart. It's likely that many of the technical requirements of the regulation can be met by configuring your current systems to implement the necessary policies. For example, strong passwords, automatic lockout on multiple login failures, and automatic download and installation of necessary patches are supported by most enterprise operating systems and application suites. Tight access controls on files and databases may take some technical knowledge, but should not be a problem for a competent IT administrator once the information is isolated. Encryption of laptop file systems and storage on portable devices is often supported natively or can be added.
While configuring system policies will not solve all your problems, it will allow you to meet many of the requirements and allow you to concentrate on addressing the more challenging areas of monitoring access, encrypting transmission, and administering your overall program.
However, your first order of business is to reduce the amount of information stored to the absolute minimum. If you can eliminate certain databases or pieces of information, you may be able to avoid employing the more administratively demanding controls, at least on particular systems.
Once you have isolated the information to a few systems, encryption of information is much easier. Likewise, maintaining strict access controls and access monitoring will become more practical. Patch management, account management, and encryption of portable devices (like backup media) -- to the degree required by this regulation and others like PCI DSS -- can be a major task if you attempt to employ them across an entire enterprise.
NEVADA CODIFIES PCI
Unlike the Massachusetts law, the Nevada data protection law began as a rather vague requirement for organizations to employ "reasonable measures" to protect personal information of residents of Nevada. It has since been amended to be much more prescriptive.
Here is a summary of the required controls:
- Implement and maintain reasonable security measures to protect personal data records from unauthorized access, acquisition, destruction, use, modification or disclosure
- Comply with current PCI DSS (if a merchant)
- Encrypt personal information transmitted outside the secure system of the data collector
- Encrypt data on storage devices moved outside the physical controls of the data collector
- Contract with business associates to maintain reasonable security measures
- Notify affected individuals in the event of a breach
Nevada's law is similar to Massachusetts' regulation in its requirement for encryption of information transmitted on public networks and on portable media. However, there is one item in this list that distinguishes Nevada 603A from all other data protection statutes: The reference to PCI DSS. Prior to this law, PCI DSS was a contractual requirement between a merchant bank and a merchant. With the reference to PCI DSS in Nevada's law, failure to comply with PCI DSS can be held against a merchant in legal actions by injured parties or the state in the event of a breach. This clause alone makes PCI DSS compliance and the results of merchants' PCI assessments more important than ever.
California led the charge on data breach notification laws
California paved the way for data breach notification laws back with SB 1386, which took effect in 2003. The law requires that organizations with personal information about California residents notify them if their data is compromised.
Since then, 44 other states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal data, according to the National Conference of State Legislatures. Many of the laws, including California's, make exceptions for encrypted data.
The state regulations have led to a flurry of disclosures and a constant stream of breaches involving credit card numbers and other personal information. According to the nonprofit consumer organization Privacy Rights Clearinghouse, as of late January, more than 344 million records containing sensitive personal data have been compromised since 2005.
The proposed federal Data Accountability and Trust Act (DATA), which was passed by the U.S. House of Representatives in December, would replace the groundbreaking state law requirements we have just detailed with similarly prescriptive requirements. The bill is awaiting Senate approval.
As stated in Section 6 of H.R. 2221, DATA would supersede any state statute or regulation that requires information security for data containing personal information or notification to individuals of a data security breach involving personal information. Here is a summary of the salient points of H.R. 2221 as it stood in January:
- Like Nevada's law, bank account information must include an access code to be considered personal information
- Like other laws, DATA would allow compliance with other federal laws such as HIPAA that require protection of personal information to establish compliance
- The law would have special requirements for information brokers, including submission of policies to the Federal Trade Commission, mandatory post-breach audits, controls to ensure the accuracy of information collected, provisions for individual access to information collected, and a set of extensive limitations and exclusions
- The law is meant to be enforced by the Federal Trade Commission (FTC)
According to the bill, data collectors must have the following controls in place:
- A security policy governing treatment of personal information
- An appointed responsible party to run the compliance program
- A process for identifying and assessing vulnerabilities, including monitoring for breaches
- A process to take corrective action to address vulnerabilities
- A secure data destruction process
- A process to notify individuals of a breach (with special requirements for service providers)
As drafted, this set of controls falls somewhere between the specificity of Massachusetts and the general requirements of Nevada, without the reference to PCI DSS. However, the general intent of requiring a compliance program and the fact that the law requires the FTC to specify further regulations and guidance is likely to make the law more like the Massachusetts regulation over time.
One of the most curious differences between the proposed federal law and the state laws is the selection of the FTC as the enforcing body. The FTC's jurisdiction does not extend to a number of organizations, including nonprofits, government agencies and depository institutions.
FACT OF LIFE
The Massachusetts and Nevada laws have changed the way the state and federal governments will deal with personal data protection. It appears to be a fact of life that organizations that handle protected data in whatever form (health care, financial, or identity) need to maintain formal security and compliance programs. While the formality and extent of the programs are allowed to be structured according to the size and resources of a given organization and geared to risk of compromise, it is unlikely that the courts will look favorably on any organization that does not implement a formal security program.
It is important for organizations to recognize that the time and expense in complying with new state data protection laws will produce benefits over time, reducing the likelihood of compromise while at the same time avoiding costly non-compliance penalties. The release of personal data -- whether through human error or criminal activities -- is both disruptive and costly and can be disastrous for customers and the organizations that serve them.
Richard Mackey is vice president of consulting at SystemExperts, an information security-services firm. Send comments on this article to firstname.lastname@example.org.