Legal

A Massachusetts privacy law is stalking your network

You may not be located in Massachusetts, but its tough privacy law could have serious consequences for your organization if data breaches were to affect any MA residents. Other states are following suit: what does it mean for your network security/compliance measures?

While provisioning yet another server or fielding a call from Sales for a password reset, you get the call. "Why didn't you tell us about those Massachusetts files?" There's no panic, because you haven't the faintest idea what the caller is talking about. Yours is a Florida company. There's not even a field sales office in Massachusetts.

What comes next is more disconcerting. "This is over my head. Expect a call from Legal."

You check your inbox. Had you missed a broadcast about a class action lawsuit?

A few minutes with your favorite search engine turns up "MA 201 CMR 17," along with more than a few casual citations of it. Yours is mostly a regional company based in the Southeast, but you've got some -- hundreds? thousands? -- records about Massachusetts residents.

Compliance issues? You're a computer professional. Privately suspecting that this work is nontechnical, you nonetheless dutifully read on. Some of the Massachusetts requirements are unsurprising, and perhaps the bases are already covered: a Written Information Security Program (WISP), encryption of laptops and other portable devices, policy controls on third-party access, yada yada. You realize you're not there yet, but some steps have already been taken in the right direction.

Fines? Up to $5,000 per violation, and each exposed record may be counted as one. Lose records for a thousand Massachusetts residents and the firm could be out $5M. Okay, that's serious.

MA 201 CMR 17 mandates protections similar to those required by the Payment Card Industry Data Security Standard (PCI DSS): secure authentication and access controls, firewalls, systematic patching and anti-malware protection, and user training. But many firms that have judged themselves exempt from PCI DSS because they handle no card data may still have to contend with MA 201 CMR 17, because its scope is defined by the data subject, not the data holder: it applies to anyone who owns or licenses personal information about a Massachusetts resident.

My assessment of the principal risks and compliance difficulties is presented in Table 1. Note: PII = Personally Identifiable Information.

Table 1

1. Risk: PII leakage
   Challenge: Insider threat. With worker longevity now the exception rather than the rule, unhappy turnover and internal dissension may tempt some employees and contractors with access to PII to commit acts of mischief or sabotage.

2. Risk: Complacency: casual use of PII
   Challenge: Constant exposure to PII, such as in CRM or marketing records, can lull workers into lax practices: improper use of USB sticks, unauthorized data sharing, public exposure of address books and mailing lists, and ad hoc ETL jobs that copy PII into unmanaged stores. Casual use of email addresses is a major concern.

3. Risk: Under-encryption
   Challenge: The law mandates encryption of personal information stored on laptops, smartphones, USB sticks and similar portable devices, and of personal information transmitted across public networks or wirelessly.

4. Risk: Wireless data leakage
   Challenge: Even if wired and wireless on-premises networks are in compliance, is PII secure once employees leave your facility with smartphones and iPads in tow?

5. Risk: Smartphones
   Challenge: By now most have come to think of the smartphone as just another computer on the network, but is the PII on the phone in compliance? How can you be sure? What about employee-owned phones that connect and sync?

6. Risk: Training: de facto instructional design
   Challenge: You may find yourself the de facto "Data Security Coordinator" responsible for 201 CMR 17.00 compliance. Duties will include ongoing user training and revisions to the WISP, covering contractors with access to data or system environments as well as employees.

7. Risk: Physical safeguards
   Challenge: The law requires a combination of "technical, administrative and physical safeguards." Workstations and servers may be password protected, but what if the box is simply carried off and the disk contents examined? You may have a state-of-the-art firewall, but do your perimeter protections guard against walk-offs?

Other states may follow Massachusetts. Blogger Brian Klumpp cites privacy laws already on the books in Connecticut, Michigan, New Mexico, New York and Texas.

Check your inbox again

Just when you think the coast is clear, another email arrives from Legal. The messages are infrequent and almost never good. Subject line: "Directive 95/46/EC: Compliance Questionnaire." Mentally you survey the landscape of online stores, newsletter lists, sales inquiries, reseller contacts, and customer repair histories. Someone else's problem, perhaps. Network security? Encryption? Your problem.

We'll touch on EU Data Protection Directive compliance and how it affects U.S.-based network administrators in my next article.

What do you think? How will a state-by-state patchwork of privacy laws affect compliance practices, especially training?

About

Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from...

15 comments
robertbkk

I live in Thailand, and although I'm not the greatest or sanest of people, I do know when I'm being watched! Proving it is another thing. For instance, I walked through a mall one day to hear the Thai public saying "farang mao," as in drunk or crazy. Thought nothing of it till I went out on the street and heard the same scenario, only to be added was "farang go home." Now to my surprise no one would speak of where and why this was happening, as I would imagine the threat of it occurring to them would be punishment enough, knowing all I say and do, and vice versa. Then I went to get my computer fixed and it happened: the technician said he wouldn't touch my computer and wouldn't even take it as a gift. He said "farang go home." This is after I asked where he saw my face. Well, I now have been subject to "audio spotlighting," where these people, usually a man and lady, will commentate my every move and of course blog on various channels and stations in order to discredit me. The police on the other hand have been very sympathetic: as for the several times police have shown up to take me away, along with cheerful laughter from commentators, they secretly released me at places of my choice, once even gave me a few beers for my troubles. But how can they see my every move? In my house and out? I hear a helicopter hovering most nights and even had a few passovers when I was buying beer, and I live in a small farm town called Prachuap Khiri Khan, Awnoi, Nikom Kilo 5. They also have turned the town against me by giving free food and saying I'm a sick man. My girlfriend won't even talk to me!! My son is half Thai, very white, so I thought it was Nazism, but it seems I was voted into this on a list from a website called FORUMBRZEG.PL as basketball player of the year. I have a Samsung GT-C3222 and use an AIS GSM aircard with a SIM card for 3G. Again, I'm not the best guy in the world, but I don't deserve this. I don't think anyone does. Any insight?

Ocie3

It seems to me that Mr. Underwood should do some more research before he writes another article about state laws, and maybe consult an appropriate lawyer. I Am Not A Lawyer, but laws passed by the State of Massachusetts are enforceable only within the territory of the State of Massachusetts. The legislature of Massachusetts cannot pass laws which oblige the residents of any other state to do anything while those residents are not within the boundaries of the State of Massachusetts. Period. That "jurisdiction" principle also applies to the legislatures of each and every one of the other states, too. Whatever privacy law(s) have been enacted by the Florida legislature apply to persons in Florida who possess P.I.I. about persons who reside in Massachusetts, as well as to such records as they may have about anyone else, regardless of where those persons may reside. I live in Florida, and if I do business with a firm in Massachusetts, then that firm must "secure" the records which contain data about me as described in the Massachusetts law, not the Florida law.

Which is to say, a "patchwork" of state privacy laws is largely irrelevant, EXCEPT for a business that has agents and/or employees who conduct its operations in two or more states. Consider an insurance company whose agents sell policies in several States. Which State law, if any, applies to their creation, modification and retention of P.I.I. for the people whom they insure? Their agents almost certainly retain printed copies of applications and of policies issued, etc., so they will be subject to the laws of the respective state in which they do business. The insurance company will probably be required to obey the laws of the state in which their records are stored, if not also where their underwriters and other employees work. However, a State does not have any power to regulate interstate commerce; only Congress can do that.

So any company which does business in more than one State probably cannot be compelled to obey any of the State laws, and will be compelled to obey any Federal law on the matter instead. You know, don't you, that privacy legislation is currently pending in Congress?

Addendum: An interesting summary of the proposed federal privacy legislation is presented today (07/27/10) on the Sunbelt Blog in "Privacy bills in U.S. Congress in brief" by Tom Kelchner: http://sunbeltblog.blogspot.com/2010/07/privacy-bills-in-us-congress-in-brief.html It includes links to the texts of the two respective bills.

Now tell me why a sysadmin in the USA should care about laws passed by the European Union. Hint: where do they have jurisdiction?

connie1070

Let's not forget Nevada's privacy law, NRS 603A. It has many of the same requirements as MA 201 CMR 17.00; however, it does mandate that all organizations that accept payment cards for goods or services "MUST" comply with PCI DSS standards. When questioned in an interview about the state forcing businesses to comply with PCI DSS, the Nevada Attorney General replied: all organizations that accept payment cards are contractually required to adhere to PCI DSS; we're just ensuring they meet those requirements. The law also cites NIST and similar agencies as the reputable source for information security programs. I'm a strong believer in not reinventing the wheel. I personally think requiring businesses to comply with NIST and PCI DSS is good for our state. We have a part-time legislature that only sits once every two years. Requiring organizations to comply with PCI DSS and NIST allows for greater consumer security in a timely manner without legislators jumping into an area they have no experience in.

avatar_man

I believe that the law is designed to be nebulous and unattainable, except in those very rare instances where the business management of the company "gets" it from day 1. Everyone else is playing catch-up, and of course this is by design. A great money-making machine for the MA courts. They don't have to raise taxes and get a constant revenue stream.

y0shi

The biggest issue with this law is that it requires you to notify of a breach even if the data is encrypted. Otherwise it is essentially the same as any other regulation.

dawgit

Making this an enforceable impossibility.

santeewelding

When you apply your diktat, Ocie (with which I agree), to "illegal" immigrants on the federal level. These "laws", they enjoin only the rest of us to any one of us. More, they enjoin the rest of us, and not a one of us.

knowlengr

Thanks for posting this. I had contemplated covering other states ... Keep me posted if you learn more about this initiative in NV.

JoeyD714

I tried to read the PCI DSS one day and became bleary-eyed and nervous. Basically what it says is you have to be a MAJOR MULTIMILLION DOLLAR INTERNATIONAL CORPORATION in order to have the MONEY, manpower and other resources to even try to comply with PCI DSS. And you can't be on a shared hosting type of server, because YOU can't control or guarantee the hosting company's compliance with the PCI DSS. You have to have your own HIGH bandwidth UPLOAD speed server (even Comcast only allows 2M upload on a good day) with backup servers and 24-hour operations/monitoring staff in a SECURE building with on-site backup generators and 24-hour security personnel and surveillance equipment. How many small businesses or individuals running an online sales business from home can provide all that? Just because YOUR state has lazy legislators, and your state's voters allow them to be lazy, doesn't mean I should be punished and have to shut down my business for them. In Michigan our legislators work FULL TIME all the time, on a fraction of the money Nevada has I might add, and they have no problem custom writing laws for any situation.

JohnMcGrew

Ambiguous and confusing law empowers politicians and regulatory agencies, giving them immense power over industry.

Slvrknght

Check out the HealthNet (?) case in Connecticut. This is real, and in the Good Ol' Commonwealth the due date for this was March 21st. There is at least one group that is going to every business to audit for compliance. And I was told by the kind people at 1 Financial Center in Boston that it's not if, but when, since the task force they are getting together is enormous. The AG's office is also dedicating a large staff to dealing with this. And apparently they're just waiting for the first breach.

thegreenwizard1

It's just a question of will, money and some caring toward the customers or registered people. People should be over the mighty dollar...

connie1070

Joey, you obviously did not read PCI DSS. There are different levels of PCI DSS compliance. It depends on how you process your transactions and how many transactions you process. It appears to me you utilize internet-based transactions to process payment cards from home. This form of processing has many, many risks involved and requires more security than a simple transaction using a phone line. Therefore the protection requirements of PCI DSS are much more in-depth. If you are using internet-based transactions you are required to have your system scanned quarterly, among many other things, which becomes expensive over time. Should you decide not to comply with PCI DSS and your service provider suffers a breach, you are still responsible for all damages because you outsourced to a third party. You really need to reevaluate your needs for credit card processing and decide which method works best for you while providing you and your customers the best protection.

I myself outsource my processing through PayPal. Although my students register for my classes at my website, they are taken to PayPal to make payment for the classes. It is up to them to pay by check or payment card, and I never ever have possession of their card or account numbers. This is slightly more expensive; however, it seriously limits my exposure in the event PayPal were to suffer a data breach. Although I perform business in this manner, there are still some requirements I must put in place to ensure I'm compliant with PCI DSS, but not very many at all. You can always outsource your processes, but you cannot outsource your responsibilities.

In regard to our lazy legislators here in Nevada: we have citizen legislators who run their own businesses and ranches. They are first and foremost business and family people looking out for the state as needed. They are not professional politicians living off the backs of the people, as is the case with your state. We only have one professional politician in Nevada, and we hope to make Dirty Harry available to run for office in your state this November.

y0shi

PCI DSS has different compliance rules and regulations for the categories of Merchants, Service Providers, and Payment Applications. It's important to identify the appropriate category your business falls into. Under the categories are different Levels and Tiers for compliance. A small business performing e-commerce transactions (and NOT storing credit card data, which most small businesses shouldn't do) only needs to use Visa's Quarterly Network Security Scan, which is an automated tool, making compliance very easy for the small business owner and IT staff. The Massachusetts privacy law is a rehash of most of the privacy laws with one exception: the law requires that if a business stores information on MA residents and that information is lost or stolen, the breach must be reported even if the data is encrypted.

wlportwashington

More of Big Brother taking over. Pretty soon our national drink will be vodka and we will be calling each other "Comrade."