Risk
4/15/2010
03:35 PM
States' Rights Come to Security Forefront

Massachusetts' new data protection law reaches beyond its borders. Are you ready?

InformationWeek Green - Apr. 19, 2010

This story was updated on April 20. Massachusetts does not require that written information security programs be filed at this time, just that they exist.

The new Massachusetts data security law, 201 CMR 17.00, is a prime example of the increasingly aggressive role states are taking to protect their citizens. More than 40 states have data breach notification laws already on the books--a trend that started with California's SB 1386 but certainly didn't end there. Much like those other laws, Massachusetts' has impact beyond the state's borders and could spur similar legislation in other states.

Federal action is also a distinct possibility.

If you hold personal information on a Massachusetts resident, you were on the hook as of March 1. The question for security groups is: how do we comply with the myriad state-mandated data security laws without putting an undue burden on the business? And comply you must, because CMR 17.00 raises the stakes in terms of potential penalties. The law will be enforced, quite literally, in the breach, and companies can potentially be fined $5,000 per violation and per record lost. One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million.

The Massachusetts law isn't remarkable in its overall requirements, but it is special in two areas. First, it requires every business that owns or licenses personal information about a state resident to develop, implement, and maintain a comprehensive written information security program (WISP) that includes "technical, administrative, and physical safeguards" for that data. The program is not filed with the state; it must exist, be followed, and be producible on demand. Note that "personal information" under 201 CMR 17.02 is narrower than PII in the everyday sense: it is a resident's name in combination with a Social Security number, a driver's license or state ID number, or a financial account or credit card number. Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size, scope, and resources of the business and to the amount and sensitivity of the data it holds.
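The first job in any compliance effort is finding out where you actually hold in-scope records, and the narrow statutory definition matters there: a name next to an e-mail address is not "personal information" under 201 CMR 17.00, a name next to a Social Security number is. The scanner below is an added example, not code from the article or from the Commonwealth, that flags a record only when a Massachusetts resident's name appears together with one of the statutory identifiers. The regular expressions, the "S" plus eight digits license format, the two-capitalized-words name heuristic, the per-record state field and the sample records are all assumptions made for the example; the card number is a standard test value, and the Luhn check is there to keep order numbers and similar digit runs from being counted as account numbers.

```python
"""Discovery scanner for 201 CMR 17.00 'personal information' (added example).

A record is in scope when the data subject is a Massachusetts resident AND the
text contains a name AND at least one statutory identifier (SSN, driver's
license / state ID number, or a financial account / card number).
"""
import re
from dataclasses import dataclass

# SSN: rejects area 000, 666 and 9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card / account numbers: 13-19 digits, optionally split by spaces or dashes.
# Every hit is confirmed with a Luhn check before it counts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumption for the example: a Massachusetts license written as 'S' + 8 digits.
MA_LICENSE_RE = re.compile(r"\bS\d{8}\b")
# Crude name heuristic (assumption): two capitalized words in a row.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


@dataclass
class Record:
    record_id: str
    subject_state: str  # two-letter state of the data subject (constructed field)
    text: str


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of candidate; separators are ignored."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: Record) -> dict:
    """Report which statutory identifiers appear and whether the record is in scope."""
    triggers = set()
    if SSN_RE.search(record.text):
        triggers.add("ssn")
    if MA_LICENSE_RE.search(record.text):
        triggers.add("license")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(record.text)):
        triggers.add("account")
    has_name = NAME_RE.search(record.text) is not None
    # The regulation bites only for a Massachusetts resident's name plus an identifier.
    in_scope = record.subject_state == "MA" and has_name and bool(triggers)
    return {
        "id": record.record_id,
        "has_name": has_name,
        "triggers": sorted(triggers),
        "in_scope": in_scope,
    }


def scan(records):
    return [classify(r) for r in records]


def in_scope_ids(records):
    return [r["id"] for r in scan(records) if r["in_scope"]]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("r1", "MA", "Jane Doe, SSN 123-45-6789, account 4111 1111 1111 1111"),
    Record("r2", "MA", "Order shipped to John Smith, card 4111111111111112"),  # fails Luhn
    Record("r3", "NH", "Alice Jones SSN 321-54-9876"),  # not a Massachusetts resident
    Record("r4", "MA", "Customer email bob@example.com, phone 617-555-0100"),
    Record("r5", "MA", "License S12345678 on file for Mary Ann"),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_RECORDS):
        print(result)
    print("in scope:", in_scope_ids(SAMPLE_RECORDS))
```

Records r2, r3 and r4 show the three ways a hit drops out: an account number that fails its checksum, a subject outside Massachusetts (who may well be covered by another state's law), and contact details that are not on the statutory list. In a real assessment the state field would come from your customer or HR system and the name test from a proper entity extractor; the combination logic is the part worth keeping.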

The Massachusetts law also stands out by mandating encryption, to the extent technically feasible, of personal information in motion across public networks or wireless links and at rest on laptops and other portable devices like smartphones, USB drives, and MP3 players. (Encryption of records sitting on desktops and servers is not required, though the regulation's access-control and monitoring directives still apply there.) That's going to be a sticking point for many shops; our InformationWeek Analytics State of Encryption survey found we're still moving in fits and starts despite the momentum that compliance frameworks like PCI have generated. While 86% of the 499 business technology professionals responding to that poll employ some encryption, 31% of those respondents say it's just enough to meet regulatory requirements. Only 14% characterize their encryption as pervasive, and just 38% say they encrypt mobile devices.

That puts a majority of respondents on a collision course with CMR 17.00.

Other directives cover, in fairly general terms, most of the areas you'd expect: secure authentication and access controls; firewalls; up-to-date patching and endpoint anti-malware protection; monitoring of systems for unauthorized access to personal information; and user training in the technologies, policies, and proper handling of PII. In addition, one or more employees must be designated to maintain the program, in effect an official data security coordinator. This person is charged with the plan's initial implementation, with training those involved, and with ongoing testing and evaluation of the WISP, which must be reviewed at least annually or whenever a material change in the business affects how personal information is handled. The coordinator also must assess third-party service providers' ability to comply and see that contracts with them require appropriate safeguards.

With any compliance mandate, IT's goal should be to implement a program that doesn't impose onerous changes to the way business is done. But the fact is, some business processes may need to be adjusted to meet compliance requirements. End-user training is a critical, and often overlooked, component as well. These are the people on the front lines. Skimping on education could cost you.

The best approach is to break up your compliance effort into three phases: assessment, execution, and management and monitoring.

To read the rest of the article, download the Apr. 19, 2010 issue of InformationWeek.


