Great article today in the Boston Globe, our hometown newspaper, on one of the most stringent state privacy regulations in the US. We think this is just the beginning of updates to numerous state privacy regulations, and the start of a trend that moves beyond breach notification requirements to a set of mandated preventative controls. A number of companies in Massachusetts are concerned about meeting the requirements of 201 CMR 17.00. But remember that this mandate applies to any organization, inside or outside the state, that stores personally identifiable information (PII) on a resident of the Commonwealth of Massachusetts. It is interesting to see that preventative controls for access to PII are specifically called out, as well as an audit review process to ensure control effectiveness.
http://www.boston.com/business/technology/articles/2010/02/26/theft_proofing_your_identity/
Theft-proofing your identity – by Hiawatha Bray
On Monday, tough new regulations to protect personal information collected from consumers will take effect in Massachusetts, and companies throughout the US are scrambling to get ready.
The new Massachusetts data security regulations apply to businesses and other entities that collect or process such private information as individual Social Security and credit card numbers. Although the rules do not apply to government bodies, Governor Patrick issued an executive order holding executive branch agencies to the same standards. The rules do apply to anyone with such information regarding Massachusetts residents, including companies from out of state.
By March 1, businesses that have such information must:
■ Create a written data security plan that identifies all sensitive information, security risks, and controls such as passwords
■ Designate an employee to be responsible for data security
■ Encrypt such information if it is stored on laptop computers or sent over the Internet
■ Lock up computers or other equipment on which the information is stored
■ Train employees on security procedures
■ Ensure any outside parties that might have access to the information, such as contractors, are in compliance with the regulations
■ Conduct an annual audit to ensure controls remain in place
“We get requests almost daily from New Jersey, Texas, California, pretty much everywhere in the country,” said John McDonald, security evangelist for RSA, a division of Hopkinton data storage giant EMC Corp. that makes products used by businesses and governments to protect sensitive data.
The new rules are meant to protect against the loss or theft of confidential information about consumers, such as Social Security and credit card numbers. They were set to take effect in January, but implementation was delayed to give businesses more time to get ready.
In recent years, confidential information regarding one out of six Massachusetts residents was compromised in data breaches that included hacker attacks on banks and companies that compile consumer data, such as retailer TJX Cos., headquartered in Framingham, and supermarket chain Hannaford Bros. Co., based in Scarborough, Maine.
Under the rules that take effect Monday, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules.
In addition, organizations must encrypt any personal information – scrambling files to conceal their content – when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it’s stored on portable devices like laptops or thumb drives, to protect against identity theft if the devices are lost or stolen.
A preexisting law, enacted in 2007, requires institutions to inform state regulators if they suffer a loss of data that could result in identity theft. Organizations that fail to comply with the new regulations, and which suffer such a data breach, can be fined up to $5,000 for each violation.
Many small companies may be unprepared to comply with the new rules. Frank Vincentelli, chief technology officer of Integrated IT Solutions Inc. in Waltham, helps small and midsize businesses upgrade their computer systems to comply with the law. Vincentelli said that the cost of compliance can vary greatly, depending on the number of employees and customers a company has. It cost one client just $1,000 to get ready, while another had to spend $35,000.
“I know there are companies that have unmet requirements, and there’s no practical way they’re going to have these requirements met by the deadline,” Vincentelli said.
Bob Baker, president of the Smaller Business Association of New England, said many of his group’s members haven’t focused on the issue.
“I think people are still anesthetized by it,” Baker said. “I don’t think there’s been a call to action, even though there’s been big data breaches and plenty of publicity.” He predicted that many of the state’s small businesses will not be in compliance on Monday.
Barbara Anthony, the Commonwealth’s undersecretary of consumer affairs and business regulation, was more optimistic.
“I think most companies are ready,” said Anthony, although she admitted that many small businesses may still be out of compliance. Anthony said that there’s no provision in the law for conducting audits of local companies to confirm they’re obeying the law.
Some major companies that have been victimized by identity thieves say they are ready to comply with the new law.
“With much of the work already completed, TJX intends to be in compliance with the new Massachusetts data security law when it takes effect,” spokeswoman Sherry Lang said in an e-mailed statement. Miami hacker Albert Gonzalez pleaded guilty last year to aiding the theft of more than 40 million credit card numbers from TJX.
Another company allegedly victimized by Gonzalez, the supermarket chain Hannaford Bros., also says it’s prepared.
“We have reviewed the requirements of the Massachusetts data privacy law, and we are confident that we are compliant with those requirements,” said spokesman Michael Norton in an e-mailed statement.
The new rules don’t apply to state government agencies, which hold vast amounts of personal data. But a 2008 executive order by Governor Deval Patrick applied the same standards to the state’s executive branch as of last September. Dan Walsh, the Commonwealth’s chief security officer, said that about three-quarters of the state’s agencies have submitted self-assessments to demonstrate their compliance, and that the other agencies should have completed their assessments by June.
The cost and complexity of meeting the new standards may be offset by avoiding the high cost of a data breach. The Ponemon Institute, a privacy and information management research firm in Traverse City, Mich., surveyed 51 companies that had suffered security breaches. The affected businesses lost $204 for every customer record that was compromised. Repairing the damage cost the least-affected company $750,000, while one firm’s identity theft cost it $31 million.