Risk

4/15/2010
03:35 PM
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

States' Rights Come to Security Forefront

Massachusetts' new data protection law reaches beyond its borders. Are you ready?

InformationWeek Green - Apr. 19, 2010 InformationWeek Green
Download the entire Apr. 19, 2010 issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree
for each of the first 5,000 downloads.

This story was updated on April 20. Massachusetts does not require that written information security programs be filed at this time, just that they exist.

The new Massachusetts data security law, 201 CMR 17.00, is a prime example of the increasingly aggressive role states are taking to protect their citizens. More than 40 states have data breach notification laws already on the books--a trend that started with California's SB 1386 but certainly didn't end there. Much like those other laws, Massachusetts' has impact beyond the state's borders and could spur similar legislation in other states.

Federal action is also a distinct possibility.

If you hold personal information on a Massachusetts resident, you were on the hook as of March 1. The question for security groups is, How do we comply with the myriad state-mandated data security laws without putting an undue burden on the business? And comply you must, because CMR 17.00 raises the stakes in terms of potential penalties. The law will be enforced, quite literally, in the breach, and companies can potentially be fined $5,000 per violation and per record lost. One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million.

The Massachusetts law isn't remarkable in its overall requirements, but it is special in two areas. First, it requires businesses to attest that they have a working data security program in place to protect any personally identifiable information (PII) they've collected from state residents. Companies must maintain a comprehensive written information security program (WISP) that includes "technical, administrative, and physical safeguards" to protect PII. Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business.

The Massachusetts law also stands out by mandating encryption of data in motion and at rest, including on laptops and other portable devices like smartphones, USB drives, and MP3 players. That's going to be a sticking point for many shops; our InformationWeek Analytics State of Encryption survey found we're still moving in fits and starts despite the momentum that compliance frameworks like PCI have generated. While 86% of the 499 business technology professionals responding to that poll employ some encryption, 31% of those respondents say it's just enough to meet regulatory requirements. Only 14% characterize their encryption as pervasive, and just 38% say they encrypt mobile devices.

That puts a majority of respondents on a collision course with CMR 17.00.

Other directives cover, in fairly general terms, most of the areas you'd expect: secure authentication and access controls; firewalls; up-to-date patching and endpoint anti-malware protection; and user training in the technologies, policies, and proper handling of PII. In addition, an individual or a team must be named the official data security coordinator. This person is charged with the plan's initial implementation, training of those involved, as well as with ongoing testing and evaluation of the WISP to ensure it evolves as business realities change. The coordinator also must assess third-party service providers' ability to comply.

With any compliance mandate, IT's goal should be to implement a program that doesn't impose onerous changes to the way business is done. But the fact is, some business processes may need to be adjusted to meet compliance requirements. End-user training is a critical, and often overlooked, component as well. These are the people on the front lines. Skimping on education could cost you.

The best approach is to break up your compliance effort into three phases: assessment, execution, and management and monitoring.

To read the rest of the article,
Download the Apr. 19, 2010 issue of InformationWeek


Get This And All Our Reports

Become an InformationWeek Analytics subscriber: $99 per person per month, multiseat discounts available. Subscribe and get our full report, on the new Massachusetts Data Privacy law.

This Strategy Session report includes 15 pages of action-oriented analysis.

What you'll find:
  • A three-step plan for getting on top of 201 CMR 17.00
  • Sample business processes that could come back to bite you--and how to fix them

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2607
PUBLISHED: 2018-05-21
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users...
CVE-2018-1108
PUBLISHED: 2018-05-21
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
CVE-2018-11330
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
CVE-2018-11331
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
CVE-2018-7687
PUBLISHED: 2018-05-21
The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnerability that could allow a local attacker to elevate privileges via a buffer overflow in ncfsd.sys.