Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:35 PM
Connect Directly

States' Rights Come to Security Forefront

Massachusetts' new data protection law reaches beyond its borders. Are you ready?

The new Massachusetts data security law, 201 CMR 17.00, is a prime example of the increasingly aggressive role states are taking to protect their citizens. More than 40 states have data breach notification laws already on the books--a trend that started with California's SB 1386 but certainly didn't end there. Much like those other laws, Massachusetts' has impact beyond the state's borders and could spur similar legislation in other states.

Federal action is also a distinct possibility.

If you hold personal information on a Massachusetts resident, you were on the hook as of March 1. The question for security groups is, How do we comply with the myriad state-mandated data security laws without putting an undue burden on the business? And comply you must, because CMR 17.00 raises the stakes in terms of potential penalties. The law will be enforced, quite literally, in the breach, and companies can potentially be fined $5,000 per violation and per record lost. One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million.

The Massachusetts law isn't remarkable in its overall requirements, but it is special in two areas. First, it requires businesses to attest that they have a working data security program in place to protect any personally identifiable information (PII) they've collected from state residents. Companies must maintain a comprehensive written information security program (WISP) that includes "technical, administrative, and physical safeguards" to protect PII. Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business.

The Massachusetts law also stands out by mandating encryption of data in motion and at rest, including on laptops and other portable devices like smartphones, USB drives, and MP3 players. That's going to be a sticking point for many shops; our InformationWeek Analytics State of Encryption survey found we're still moving in fits and starts despite the momentum that compliance frameworks like PCI have generated. While 86% of the 499 business technology professionals responding to that poll employ some encryption, 31% of those respondents say it's just enough to meet regulatory requirements. Only 14% characterize their encryption as pervasive, and just 38% say they encrypt mobile devices.

That puts a majority of respondents on a collision course with CMR 17.00.

Other directives cover, in fairly general terms, most of the areas you'd expect: secure authentication and access controls; firewalls; up-to-date patching and endpoint anti-malware protection; and user training in the technologies, policies, and proper handling of PII. In addition, an individual or a team must be named the official data security coordinator. This person is charged with the plan's initial implementation, training of those involved, as well as with ongoing testing and evaluation of the WISP to ensure it evolves as business realities change. The coordinator also must assess third-party service providers' ability to comply.

Companies must file their WISPs with the state to show that they have data security programs in place and confirm that they're compliant. That's critical, because there's no other auditing or oversight mechanism.

With any compliance mandate, IT's goal should be to implement a program that doesn't impose onerous changes to the way business is done. But the fact is, some business processes may need to be adjusted to meet compliance requirements. End-user training is a critical, and often overlooked, component as well. These are the people on the front lines. Skimping on education could cost you.

The best approach is to break up your compliance effort into three phases: assessment, execution, and management and monitoring.

Phase 1: Assessment

Data security laws can be difficult to decipher, so take your time and understand the new rules--and yes, that means meeting with corporate counsel.

Next, identify the stakeholders who'll be affected. Pound the carpet and schedule meetings with business leaders responsible for departments that handle PII. Ask lots of questions about what information is being consumed and disseminated, and how.

Finally, chart out all processes that involve PII. See what changes you'll need to make, if any, to the way you do business. In our experience, a thorough analysis of corporate practices will yield surprising results. At best, you'll need to tinker around the edges. At worst, you'll discover egregiously insecure business procedures.

The table below provides examples of the types of processes you'll want to document as you make your way across the business.

Phase Two: Execution

Sensitive data is everywhere: on file servers, in databases, in your in-box, and sitting on your printer. It's on removable media, on laptops and desktops, and on smartphones. And compliance mandates keep piling up. A scant minority of the 379 respondents to our June 2009 InformationWeek Analytics Regulatory Compliance survey are wrestling with just one standard, compared with the almost 80% who are dealing with at least two regulatory requirement sets simultaneously--and since March, maybe more.

Clearly, defining cross-regulatory security controls is crucial. Whatever protections or processes we put in place should address multiple needs and be as extensible as possible. To that end, plan how to overlay technology on the at-risk processes you flag in your analysis. Pilot test with key personnel. Of course, you're not going to go purchase and implement expensive tools, especially for something as complex as encryption, without getting buy-in from the business, when you're changing the way they do business.

The last step is staff training and moving changes into production. Educate users on how to handle PII in tandem with training them in the use of the tools that will ensure compliance.

Phase Three: Monitoring And Management

Develop and enforce alerting and reporting policies. Say you have DLP, encryption, and log management deployed--how will you actually sift through and react to all of the alerts and other information that you're receiving? It's vital to assign someone the responsibility of monitoring and responding, and make it a top priority.

Continually review policies and strategies. Threats evolve, users come and go, and the rules of the compliance game change. Some regs, like Massachusetts' data security law, explicitly require businesses to conduct annual reviews of their compliance programs. As the threat and legislative landscapes shift, you need to adapt.

Finally, engage in regular penetration testing. This is just good security practice, regardless of whether you're subject to compliance mandates. Aim to find system vulnerabilities that may lead to data leakage--and that could land you in court and cost you big.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-19
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract...
PUBLISHED: 2021-09-19
loop_rw_iter in fs/io_uring.c in the Linux kernel through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.
PUBLISHED: 2021-09-19
All versions of package com.jsoniter:jsoniter are vulnerable to Deserialization of Untrusted Data via malicious JSON strings. This may lead to a Denial of Service, and in certain cases, code execution.
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.