Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

2/18/2009
11:38 AM
Keith Ferrell
Commentary

Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)

Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?

The buzz over the past few days regarding the ongoing revisions to Massachusetts' new data protection and privacy regulations has centered on what direction the revisions may take. At this point it's anybody's guess, but with the regulation on the books there is at least a starting point.

The regulation, 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, establishes minimum standards for data protection, which in practice require that:

Businesses encrypt personal information about residents of the Commonwealth (the encryption mandate covers records sent across public networks or wirelessly and personal information stored on laptops and other portable devices)

Businesses designate a specific person responsible for compliance

Businesses establish and enforce written security policies

... all of which is tough, but it gets tougher, as in: "Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated."

Nor have the regulators overlooked the tricky relationship between your customers' information and what happens when that information is shared with, or used by, outside vendors and partners, mandating that businesses take "reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information."

The announcement that there would be revisions to the rules, without specifying what those revisions would be (they're due around the first of May) further complicates an already complicated situation.

A situation further complicated by two factors: a) the regulations are aimed at protecting information about residents of Massachusetts, which means, as I read it, that if you have a customer, vendor or associate residing in Massachusetts, you are subject to the regulations, wherever your business sits; and b) adherence to the Massachusetts regs "must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated."

When it comes to data protection, are we all citizens of Massachusetts now (and the other 49 states as well)?

Could be. Take a look at this map showing state-by-state data breach notification laws.

While most states follow California's lead and require breach notification in an expedient manner, some have gotten far more specific, as with Florida's requirement that notification be made within 45 days.

This patchwork of laws, rules, acts and regulations is likely only to get patchier. Add the gathering movement to collect state taxes on Internet sales (Florida is looking at a Net purchases tax, for example), with the additional record-keeping (and required record encryption) that entails, and whatever time you have left after meeting the data protection, encryption and policy regs for every state you do business in will be spent filing state (and ultimately county and local, no doubt) taxes on your sales, encrypted, of course, as Ben Tomkins pointed out here yesterday.

There are some good things about the Massachusetts rules, not least of which is the insistence upon a written security policy, with clearly defined enforcement and disciplinary actions in the event of violations.

Nice, too, if awfully ambiguous, that the regulations mandate "Education and training of employees on the proper use of the computer security system and the importance of personal information security."

But right above that one is an example of why these sorts of laws drive so many people crazy:

"For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

"Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis."

Reasonably up-to-date? How about constantly or perpetually or always?
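One way to live with that language is to stop arguing about the adjective and write down a number. The following is an added example, not code from the article or from the Commonwealth: it turns the clause quoted above into a measurable control by fixing maximum ages for OS patches and virus definitions, then evaluates a constructed host inventory against them. The thresholds (30 days for patches, 7 days for definitions), the `Host` record layout and the sample hosts are all assumptions chosen for illustration; 201 CMR 17.00 names no figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds that make "reasonably up-to-date" measurable. These values are
# assumptions for this example; 201 CMR 17.00 sets no number.
MAX_OS_PATCH_AGE = timedelta(days=30)
MAX_AV_DEFINITION_AGE = timedelta(days=7)


@dataclass(frozen=True)
class Host:
    name: str
    holds_personal_info: bool   # stores files containing personal information
    internet_connected: bool
    firewall_enabled: bool
    last_os_patch: date         # date the last OS security patch was applied
    av_installed: bool          # "system security agent software" with malware protection
    av_definitions: date        # date of the currently loaded virus-definition set
    av_auto_update: bool        # agent set to receive security updates on a regular basis


def in_scope(host: Host) -> bool:
    """The clause applies only to Internet-connected systems holding personal information."""
    return host.holds_personal_info and host.internet_connected


def evaluate_host(host: Host, today: date) -> list[str]:
    """Return the findings for one host; an empty list means the host passes."""
    if not in_scope(host):
        return []
    findings = []
    if not host.firewall_enabled:
        findings.append("firewall disabled")
    patch_age = today - host.last_os_patch
    if patch_age > MAX_OS_PATCH_AGE:
        findings.append(
            f"OS patches {patch_age.days} days old (limit {MAX_OS_PATCH_AGE.days})"
        )
    if not host.av_installed:
        findings.append("no malware protection installed")
    else:
        def_age = today - host.av_definitions
        if def_age > MAX_AV_DEFINITION_AGE:
            findings.append(
                f"virus definitions {def_age.days} days old (limit {MAX_AV_DEFINITION_AGE.days})"
            )
        if not host.av_auto_update:
            findings.append("agent not set to receive regular security updates")
    return findings


def evaluate_inventory(hosts, today: date) -> dict[str, list[str]]:
    """Map each in-scope host name to its findings; out-of-scope hosts are omitted."""
    return {h.name: evaluate_host(h, today) for h in hosts if in_scope(h)}


# Constructed sample inventory for the example (not real systems).
TODAY = date(2009, 2, 18)
SAMPLE_HOSTS = [
    # fully patched, fresh definitions, auto-update on: passes
    Host("crm-web-01", True, True, True, date(2009, 2, 10), True, date(2009, 2, 17), True),
    # patches and definitions both stale, auto-update off: three findings
    Host("hr-files-02", True, True, True, date(2008, 12, 1), True, date(2009, 1, 20), False),
    # no firewall and no agent at all: two findings
    Host("kiosk-03", True, True, False, date(2009, 2, 1), False, date(2009, 2, 1), False),
    # holds no personal information, so the clause does not apply
    Host("build-box-04", False, True, False, date(2008, 6, 1), False, date(2008, 6, 1), False),
]

if __name__ == "__main__":
    for name, findings in evaluate_inventory(SAMPLE_HOSTS, TODAY).items():
        status = "FAIL" if findings else "PASS"
        print(f"{status} {name}: {'; '.join(findings) or 'ok'}")
```

The point of the thresholds is not that 30 and 7 are the right numbers but that, once written into policy, "reasonably up-to-date" becomes something an auditor can check and a script can enforce; note also that the scope test matters, since the clause quoted above reaches only Internet-connected systems holding personal information.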

Maybe that's the sort of language that will be tightened in the revisions, if and when the revisions themselves are made specific.

Until then, what to do?

The best you can, I guess. None of us wants a data breach, and all of us know the areas in which we can tighten up and focus on potential vulnerabilities, sloppiness, and places where things are a little (or a lot) lax when it comes to data protection, data encryption and data access, while keeping a careful eye on what your state (and all the others, it seems) requires of you.
