Why should you be concerned about a security rule that is part of the State law of Massachusetts — especially if you aren't in business there? Donovan Colbert explains how compliance regulations have far-reaching effects in IT.
I spent the last week researching and writing a policy for compliance with statute 201 CMR 17.00 of the Massachusetts General Law. I'm pretty happy with the results, but I'm concerned about the direction this law shows IT regulation and compliance headed, and I think it foreshadows a troubling future for businesses and IT professionals.
At its heart, 201 CMR 17.00 is an attempt to regulate the practices of businesses, with a focus on information technology security, in order to protect consumers and individuals from the threat of identity theft or financial exploitation. Because it is a State level regulation and it covers much of the same ground already handled by other similar programs such as HIPAA and PCI compliance, many businesses are either unaware of 201 CMR 17.00 or think they already have measures in place that meet or exceed anything that a State regulation could require. Additionally, many businesses think that because they're not in the state of Massachusetts, they're not subject to the regulations enacted there.
Unfortunately, all of those assumptions are incorrect:
Compliance with HIPAA, PCI, Red Flag, or other similar info security policies and regulations does not meet the requirements for 201 CMR 17.00.
It does not matter where your business is located, if you collect information from customers or residents of the state of Massachusetts, you are subject to the requirements described in the regulation.
The good news is that if you are already compliant with one of the other regulations, you're probably a good part of the way toward being compliant with this regulation. In fact, most security rules designed to protect personal information are stricter than 201 CMR 17.00.
The bad news is that until you create a Written Information Security Plan (WISP) that addresses each criteria of 201 CMR 17.00, you're not compliant even if you're already practicing equal or superior security practices to those required under the Massachusetts statute.
You may think, "So what! If I am compliant with stricter rules, I'll never have to deal with a breach that would expose me to liability in Massachusetts." The truth is that even with well implemented HIPAA policies and practices, ePHI breaches still frequently occur in the healthcare industry. In that example, if your organization had a ePHI breach and your HIPAA policy was well defined and practiced, you would probably face minimal repercussions from the Department of Health and Human Services. If that ePHI breach also contained patient "Personal Information" as defined under 201 CMR 17.00 and you had no WISP defined though, you could still face prosecution and heavy fines in the state of Massachusetts despite your HIPAA policy.
If you're in Massachusetts you probably already know about this statute and have taken steps to implement it in your organization. For any other business that deals with residents from Massachusetts and stores certain combinations of their personal information in any form, knowing about 201 CMR 17.00 and having a written policy described is essential.
Some key points of 201 CMR 17.00
- You must have a unique WISP on file, even if you meet other compliance standards.
- Some provisions of 201 CMR 17.00 are flexible based on your scope, resources, and risk assessment. Others are not. This can be confusing to sort out.
- You must meaningfully practice the provisions detailed in your WISP, including audits and improvements if warranted.
- All companies gathering data from residents in Massachusetts are subject to this statute regardless of their physical location.
- Audits by the Commonwealth are rare - but a breach affecting Massachusetts residents is likely to cause a response.
- If you believe you store data that qualifies as "Personal Information" under 201 CMR 17.00, seek qualified advice to evaluate what your response should be.
The current state of affairs is like the situation which led to the federal Interstate Commerce Act of 1887. In that case, various States passed their own laws in response to concern of abuses by the railroad industry in setting rates for long and short haul transport of goods. In protecting the businesses that depended on the railroads for transportation, a confusing patchwork of regulation that varied greatly from state to state arose, causing chaos for all parties involved. The railroads, businesses and consumers had to cope with different laws that changed at each State line. Being unaware of the different laws meant that a business transporting goods across multiple states might ship through a state where laws were more lenient toward the railroads, resulting in unforeseen shipping rates. The railroads in turn had to manage and be aware of the different laws in each state, causing pricing, accounting and compliance nightmares for their industry. Finally, the Federal government stepped in and passed unifying laws.
Working with 201 CMR 17.00 shortly after leaving a HIPAA-covered industry made me realize that there are a number of state regulations like this out there, and the number grows every day. I think most IT shops are not familiar with these different regulations, and that even among the best organizations, many are hoping that compliance to one of the tougher standards is sure to cover them in any case where they run afoul of a State statute. This is a potentially expensive assumption to make that could result in hundreds of thousands of dollars of fines and in some cases, criminal penalties.
Clearly it isn't practical for most small businesses to discover all regulations that apply to them and create individual policies to ensure they are compliant. Most businesses will simply operate without a safety net until some situation forces them to respond. Generally that situation will be an important customer insisting on compliance in a contract, or a reactive response to a breach and resulting legal action. Eventually, the burden of dealing with all of these individual attempts to ensure protection of customer information must be consolidated or it creates an unrealistic burden for the industry.
In the meantime, if you're already compliant with any other data security rule, you do interstate business, and there is any chance you may have customers from Massachusetts now or in the future, it is a good idea to familiarize yourself with this rule and spend the time to quickly create a WISP so you are prepared for the worst case scenario.