While provisioning yet another server or fielding a call from Sales for a password reset, you get the call. “Why didn’t you tell us about those Massachusetts files?” There’s no panic, because you haven’t the faintest idea what the caller is talking about. Yours is a Florida company. There’s not even a field sales office in Massachusetts.
What comes next is more disconcerting. “This is over my head. Expect a call from Legal.”
You check your inbox. Had you missed a broadcast about a class action lawsuit?
A few minutes with your favorite search engine turns up “MA 201 CMR 17,” and more than a few casual citations. Yours is mostly a regional company based in the Southeast, but you’ve got some — hundreds? thousands? — of records from Massachusetts citizens.
Compliance issues? You’re a computer professional. Perhaps privately sensing that perhaps this work is nontechnical, nonetheless you dutifully read on. Some of the Massachusetts requirements are unsurprising. Perhaps the bases are already covered: a Written Information Security Plan (WISP), encryption from laptops to servers, policy controls on third party access, yada yada. You realize you’re not there yet, but already steps have been taken in the right direction.
Fines? $5,000 per breach or lost record. Lose records for a thousand Massachusetts residents and the firm could be out $5M. Okay, that’s serious.
MA 201 CMR 17 will seem to mandate protections similar to those required for the Payment Card Industry Data Security Standard (PCI DSS): secure authentication and access controls, firewalls, systematic patching and anti-malware protection, user training. But many firms who have judged themselves exempt from PCI DSS may have to contend with MA 201 CMR 17.
My assessment of the principal risks and compliance difficulties are presented in Table 1. Note: PII = Personally Identifiable Information.
|1. PII leakage||Insider threat. With worker longevity being the exception rather than the rule, unhappy turnover and internal dissension may tempt some employees and contractors with access to PII to commit acts of mischief or sabotage.|
|2. Complacency: Casual use of PII||Constant exposure to PII, such as in CRM or marketing records, can lull workers into lax practices, such as improper use of USB sticks, unauthorized data sharing, public exposure of address books and lists, and ETL applications. Casual use of email addresses is a major concern.|
|3. Under-encryption||The law mandates encryption of data on laptops, smart phones, USB sticks and like platforms.|
|4. Wireless data leakage||Even if wired and wireless on-premises networks are in compliance, is PII secure once employees leave your facility with smartphones and iPads in tow?|
|5. Smartphones||By now most have come to think of the smartphone as just another computer on the network, but is the PII on the phone in compliance? How can you be sure? What about employee-owned phones that connect and synch?|
|6. Training: De facto instructional design||You may find yourself the de facto “Data Security Coordinator” responsible for CMR 17.00 compliance. Duties will include ongoing user training and revisions to the WISP – including contractors with access to data or system environments.|
|7. Physical safeguards||The law requires a combination of “technical, administrative and physical safeguards.” Workstations and servers may be password protected, but what if the box is simply carried off and the disk contents examined? You may have a state-of-the-art firewall, but do your perimeter protections guard against walk-offs?|
Other states may follow suit with Massachusetts. Blogger Brian Klumpp cites privacy laws already on the books in Connecticut, Michigan, New Mexico, New York and Texas.
Check your inbox again
Just when you think the coast is clear, another email arrives from Legal. The messages are infrequent and almost never good. Subject line: “Directive 95/46/EC: Compliance Questionnaire.” Mentally you survey the landscape of online stores, newsletter lists, sales inquiries, reseller contacts, and customer repair histories. Someone else’s problem, perhaps. Network security? Encryption? Your problem.
We’ll touch on EU Data Protection Directive compliance and how it affects U.S.-based network administrators in my next article.
What do you think? How will a state-by-state patchwork of privacy policies affect compliance practices – especially training?