
Risk

2/18/2009
11:38 AM
Keith Ferrell
Commentary

Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)

Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?

The buzz over the past few days regarding the ongoing revisions to Massachusetts' new data protection and privacy regulations has centered around what direction revisions in the law may take. At this point, it's anybody's guess, but with the law on the books at least there's a starting point.

The law, 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, establishes minimum standards for data protection, which pretty much requires that:

Businesses encrypt everything relating to records containing information about citizens of the Commonwealth

Businesses designate a specific person responsible for compliance

Businesses establish and enforce written security policies

... all of which is tough, but it gets tougher, as in: "Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated."

Nor have the regulators overlooked the tricky relationship between your customers' information and what happens when that information gets shared/used by outside vendors/partners, mandating that businesses take "reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information."

The announcement that there would be revisions to the rules, without specifying what those revisions would be (they're due around the first of May) further complicates an already complicated situation.

A situation even further complicated by factors including a) the regulations are aimed at protecting information related to citizens of Massachusetts, which means, as I read it, that if you have a customer/vendor/associate residing in Massachusetts, you're subject to the regulations, and b) adherence to the Massachusetts regs must be "consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated."

When it comes to data protection, are we all citizens of Massachusetts now (and the other 49 states as well)?

Could be. Take a look at this map showing state-by-state data breach notification laws.

While most states follow California's lead and require breach notification in an expedient manner, some have gotten far more specific, as with Florida's requirement that notification be made within 45 days.

This patchwork of laws, rules, acts, and regulations is likely only to get patchier. Add the gathering movement to collect state taxes on Internet sales (Florida is looking at a Net purchases tax, for example) and the additional levels of records-keeping (and required records-encryption), and you have a situation where what little time you have left after ensuring that you've met the data protection and encryption and policy regs for every state you do business in will be spent filing (encrypted, of course, as Ben Tomkins pointed out here yesterday) state (and ultimately county and local, no doubt) taxes on your sales.

There are some good things about the Massachusetts rules, not least of which is the insistence upon a written security policy, with clearly defined enforcement and disciplinary actions in the event of violations.

Nice, too, if awfully ambiguous, that the regulations mandate "Education and training of employees on the proper use of the computer security system and the importance of personal information security."

But right above that one is an example of why these sorts of laws drive so many people crazy:

"For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

"Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis."

Reasonably up-to-date? How about constantly or perpetually or always?

Maybe that's the sort of language that will be adjusted and made more specific in the revisions, when the revisions are made more specific.

Until then, what to do?

The best you can, I guess. None of us wants a data breach, and all of us are aware of areas in which we can tighten up and focus in on potential vulnerabilities, sloppiness, and areas where things are a little (or a lot) lax when it comes to data protection, data encryption, and data access, while keeping a careful eye on what your state (and all the others, it seems) requires of you.
