Understanding The New Massachusetts Data Protection Law

After months of defining, redefining, extending deadlines and planning, a new law in Massachusetts that affects all businesses that handle personal data of Massachusetts residents is finally about to go into effect. According to Massachusetts 201 CMR 17:

"The objectives of this regulation are to insure (sic) the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."

The implication for businesses is clear: regardless of where your business is physically or operationally, if you handle or store the personal information of any Massachusetts resident, you are legally obligated to protect that information. Failure to comply with MA 201 CMR 17 could result in fines of up to $5,000 per violation, although "per violation" has yet to be clearly defined.

Barring any unforeseen changes, the deadline for compliance with the new law is March 1, 2010. The date has already been pushed back three times; MA 201 CMR 17 was originally scheduled to go into effect on January 1, 2009, but some parts were delayed until May 1, 2009, and others were then extended until January 1, 2010. The entire law was finally set to enact on March 1, 2010 and some businesses are still struggling with the ability to comply with certain aspects of the legislation. While larger businesses may already have many of the law's requirements in place, such as a security training program or a formal written information security plan, some smaller businesses are still trying to determine how to comply with directives such as:

"Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information."

In most cases, achieving compliance with MA 201 CMR 17 will take not only time and effort but also capital expenses that can affect a business' bottom line.

Under MA 201 CMR 17 subsection 17.04, titled "Computer System Security Requirements", several points address the need for systems to be maintained and monitored:

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information; (6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. (7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

One of the issues commonly discussed regarding MA 201 CMR 17 has been scalability. For smaller organizations with just a handful of computers, compliance with these points may be as simple as turning on Windows Update for operating system patches, turning on daily automatic updates for antivirus software and spot-checking systems on a monthly basis to ensure that updates are applied. For larger businesses such as banks, hospitals and retail chains, managing hundreds or thousands of computers (as well as their entire network infrastructures) generally requires a full-time IT staff. Monitoring each and every node on the network, in addition to other administrative tasks, is a daunting task. Whether monitoring is performed manually or through automated technology solutions, there is the very real possibility that compliance with MA 201 CMR 17 will incur a significant financial expense.

Another commonly discussed issue in the law is that of "Encryption of all personal information stored on laptops or other portable devices". One school of thought states that personally identifiable information (PII) should never be stored on portable devices in the first place. The law defines PII as:

"A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number[...]"

As the following chart shows, that has not been the case historically and will probably not be the case going forward:

Chart courtesy DataLossDB (http://datalossdb.org/) and the Open Security Foundation

Even though MA 201 CMR 17 addresses encryption of PII on laptops, portable devices and over public and wireless networks, it is a good idea to know exactly where ALL of your sensitive information resides, regardless of whether it is inside your corporate network or "out in the field". Several state breach notification laws specifically exempt entities from breach notification if it can be proven that lost or stolen data was encrypted. However, you have to know where the data was lost or stolen from in order to know whether or not it was encrypted. All devices containing PII must be inventoried and monitored on a regular basis to ensure compliance with MA 201 CMR 17.

Tenable offers a Unified Security Monitoring suite of products that can assist in complying with this new legislation. Through the Security Center, the Log Correlation Engine (LCE) allows you to monitor logs from your assets and alert you when a computer or other device has possibly fallen out of compliance with your security baselines or standards. The Passive Vulnerability Scanner (PVS) continuously monitors traffic across your network, tracks thousands of client and server application vulnerabilities, detects when new hosts are added to the network and detects which applications and servers host or transmit sensitive data. The Nessus vulnerability scanner performs configuration audits, finds missing patches and upgrades and scans for credit card numbers, Social Security numbers and other types of sensitive information. Together, these products offer a powerful and flexible solution to help ensure compliance with a wide variety of security and compliance standards, as well as regulations and legislation such as MA 201 CMR 17.

One last reminder that comes straight from MA 201 CMR 17 itself:

17.05: Compliance Deadline

(1)Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.