Many enterprises are still under the delusion that they can do more or
less what they want with individuals' personal information. The European
Union, many states (including California with its data breach law), and
now Massachusetts are attempting to disabuse them of that notion. But
this situation is not only about how to achieve compliance with
disparate laws; it should also be a wakeup call informing enterprises
that they now have to manage information for more than what they
consider to be their primary business processes.
The impending Massachusetts data privacy law will serve as an illustration of what we expect will be a continuing trend. We shall also examine briefly how vendors are offering a variety of products and services to help organizations comply with the law, but then go on to examine this trend's broader implications.
New Massachusetts Law Protects of Personal Information
The goal of the new data privacy law of the Commonwealth of Massachusetts is to protect the personal information of all Massachusetts residents. The law goes under the very-difficult-to-remember name of 201 CMR 17.00. Personal information is defined as an individual's first name (or initial) and last name plus one or more of the following: Social Security Number (SSN), driver's license (or state-issued ID), financial account number or credit/debit card number (with or without pin or password) that would permit access to a Massachusetts resident's financial account.
Massachusetts requires that those entities subject to the law support a written information security program (WISP). The WISP, which does not exclude any organization, must be appropriate for the size, scope, and type of business conducted by the entity. The WISP must address the administrative, technical, and physical safeguards for the personal information protection of both consumer and employee information.
The WISP is applicable to all forms of media, including paper, as well as electronic records, in addition to the devices that contain them, including portable devices, such as laptops. A designated responsible employee must be assigned to conduct and produce an evaluation of reasonably foreseeable internal and external risks to the personal information being managed. In addition, employee training and monitoring of employee compliance must be carried out.
Enterprises must perform regular monitoring to ensure the WISP is operating in a manner that can be reasonably assumed to prevent unauthorized access to or use of personal information. Finally, they must document actions taken in response to security breaches.
Now Massachusetts' data privacy law includes a number of special technical requirements for electronically stored information (ESI). These include secure authentication protocols, such as control of user IDs and other identifiers, password security, and restriction of access to personal information to active users and active user accounts. Additional requirements include secure access control measures that limit access to personal information records and files to just a need-to-know basis. All personal information sent across public networks must be encrypted in transit. All personal information stored on laptops and other portable devices must be encrypted in place. Massachusetts does not specify the type of encryption that must be used. Monitoring must take place in order to provide alerts to any occurrence of the unauthorized use of or access to personal information.
Altogether the law lays out a lot of requirements. But what if your organization does not have a physical presence in Massachusetts (such as an online Web store that takes orders using credit cards from Massachusetts residents)? Are you subject to the law? The answer is yes. Massachusetts is not likely to check to see if you implement a WISP, but if you expose the personal information of Massachusetts residents and that causes a problem, such as identify theft, your organization may very well be held accountable. States have more power across their state boundaries than you might otherwise think, so what is happening in Massachusetts applies to you, too.
How Can You Comply with the Law?
Let's say that your organization wants to comply with the new law. NuTech Integrated Systems held a compliance luncheon recently in Boston where representatives of the Commonwealth of Massachusetts discussed the law. NuTech and its partners talked about how each could help enterprises achieve compliance. In order to get a sense of what it might take in the way of outside products and services, let's look at NuTech and its partners very briefly.
NuTech is a systems integrator of messaging and network security solutions and so ties everything together with partner solutions appropriate for a particular client engagement. Each of the five NuTech partners in attendance provides specific pieces that overall add up to meeting the total compliance requirement:
- StoredIQ discovers personal information on ESI on a variety of data sources, including disk, tape, and desktops.
- Breach provides real-time, continuous Web application, integrity, security, and compliance solutions related to application threat detection.
- Secerno controls access to databases (where personal information often resides) and, in looking at every single database transaction, monitors, alerts, reports, and protects data in real-time.
- Varonis Systems provides data governance to the non-database side, which includes file data (such as documents and multimedia files). In Varonis' view, data governance is the framework of people, permissions and processes employed in proper data use, and is necessary for scalable data access control, as well as comprehensive and granular auditing of data use.
- BigFix provides essential security configuration, vulnerability management and endpoint protection
The important thing to remember is that whether a company complies with the law totally with internal resources or engages with third-party product and service providers to assist in the process, there are a number of technology issues within IT that need to be addressed. The first issue is to provide basic and advanced security, such as access control, that applies to all information and not just personal information and applies to the Web as well as to standard internal information systems. The second is to be able to discover where personal information resides in the enterprise. The third issue is to be able to put controls on personal information specifically whether or not it is databases or files. NuTech takes a "best of breed" type of approach. Now larger vendors may have some of the pieces, but the pieces are not integrated into an overall package that says this is what you need to do to provide personal information data protection. That means that a "best of breed" approach is the approach that companies will have to take, although they may not choose the same companies that NuTech partners with.