After regulators granted more than a year's delay of compliance enforcement, the Massachusetts Data Privacy Law 201 CMR 17 finally went into effect on March 1. Unlike most of today's state-based data privacy laws, which primarily focus on public disclosure once a breach occurs, the new Massachusetts law prescribes that more stringent protective measures be taken to prevent breaches from occurring in the first place.
"A lot of the past state legislation has had to do with notification, [which] was a reactive model. It didn't really stop it from occurring, but when it did occur, it was, like, 'Hey, sorry, dudes. We messed up,'" says Thom VanHorn, vice president of global marketing for Application Security Inc. "So this is stronger in that it is a proactive measure, making sure that [companies] have got the proper policies in place before a breach happens."
Because the law is not a federal or industry regulation, such as Sarbanes-Oxley or PCI DSS, VanHorn believes there could be more teeth to the enforcement of the rules. If so, businesses could pay mightily, with stiff penalties of up to $5,000 in the works for those who do not comply with the measures set out by Massachusetts. The primary regulatory drive behind the new law is to ensure companies have an overarching security policy framework and the means to enforce the policy in order to protect sensitive data stores.
"There's actually quite a lot of detail in the law about the types of security provisions that they'll need to have, and that they will actually have to document security compliance policy and have that in place," says Peter Simpson, vice president of alliances and marketing for Secerno. "In the future they'll be audited against whether that policy is in place and the controls to enforce it."
The mandate is meant to apply to any company that keeps personal information of Massachusetts citizens, regardless of where the company is based, making this law something of a concern to the majority of U.S. enterprises.
Though there are no provisions requiring specific database security products, security experts believe database policies and protective measures will play a significant role in efforts to comply with this newly enacted law.
"There aren't specific things in the law that say you need a database firewall or database monitoring, but it's basically saying that you need to be taking reasonable steps to secure your data," Simpson says. "Because the majority of the critical data is within the database, the ability to monitor database transactions will give organizations better comfort, one, that they can show [the auditors] who's actually seeing information, and when and where they're doing it, and, two, that breaches will be minimized."
Already, database security companies are responding to the new law by adding updated reporting and security functionality meant to address the Massachusetts regulatory compliance concerns. For example, AppSec this week released a new update to its database security products to help customers prove compliance with the law. But experts such as AppSec's VanHorn believe companies that are already addressing database security will not need to adjust their course too much. The law is designed instead to add another set of consequences that pushes those with no means of securing their data into doing something about it.
"I think it's another stick," VanHorn explains. "If you're doing your job, personally identifiable information should be protected to begin with. This is just another penalty and another audit that you may have to live up to. It is specific to Massachusetts residents, but you ought to be doing it for all of your data."