4/15/2010 03:35 PM

States' Rights Come to Security Forefront

Massachusetts' new data protection law reaches beyond its borders. Are you ready?

InformationWeek Green, Apr. 19, 2010 issue

This story was updated on April 20. Massachusetts does not require that written information security programs be filed at this time, just that they exist.

The new Massachusetts data security law, 201 CMR 17.00, is a prime example of the increasingly aggressive role states are taking to protect their citizens. More than 40 states have data breach notification laws already on the books--a trend that started with California's SB 1386 but certainly didn't end there. Much like those other laws, Massachusetts' has impact beyond the state's borders and could spur similar legislation in other states.

Federal action is also a distinct possibility.

If you hold personal information on a Massachusetts resident, you were on the hook as of March 1. The question for security groups is, How do we comply with the myriad state-mandated data security laws without putting an undue burden on the business? And comply you must, because CMR 17.00 raises the stakes in terms of potential penalties. The law will be enforced, quite literally, in the breach, and companies can potentially be fined $5,000 per violation and per record lost. One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million.

The Massachusetts law isn't remarkable in its overall requirements, but it is special in two areas. First, it requires businesses to attest that they have a working data security program in place to protect any personally identifiable information (PII) they've collected from state residents. Companies must maintain a comprehensive written information security program (WISP) that includes "technical, administrative, and physical safeguards" to protect PII. Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business.

The Massachusetts law also stands out by mandating encryption of data in motion and at rest, including on laptops and other portable devices like smartphones, USB drives, and MP3 players. That's going to be a sticking point for many shops; our InformationWeek Analytics State of Encryption survey found we're still moving in fits and starts despite the momentum that compliance frameworks like PCI have generated. While 86% of the 499 business technology professionals responding to that poll employ some encryption, 31% of those respondents say it's just enough to meet regulatory requirements. Only 14% characterize their encryption as pervasive, and just 38% say they encrypt mobile devices.

That puts a majority of respondents on a collision course with CMR 17.00.

Other directives cover, in fairly general terms, most of the areas you'd expect: secure authentication and access controls; firewalls; up-to-date patching and endpoint anti-malware protection; and user training in the technologies, policies, and proper handling of PII. In addition, an individual or a team must be named the official data security coordinator. This person is charged with the plan's initial implementation and the training of those involved, as well as with ongoing testing and evaluation of the WISP to ensure it evolves as business realities change. The coordinator also must assess third-party service providers' ability to comply.

With any compliance mandate, IT's goal should be to implement a program that doesn't impose onerous changes to the way business is done. But the fact is, some business processes may need to be adjusted to meet compliance requirements. End-user training is a critical, and often overlooked, component as well. These are the people on the front lines. Skimping on education could cost you.

The best approach is to break up your compliance effort into three phases: assessment, execution, and management and monitoring.
