Strictest data law in nation
The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) recently extended the deadline for compliance with Mass. 201 CMR 17 from Jan. 1 until May 1. This state law, which requires that the personal data of Massachusetts residents be protected (notably by encryption) by “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” is said to be the strictest data security law in the country.
But many are expressing concerns that the law may be too strict.
“The concerns that we have heard from our commercial customers and colleagues have had two dimensions: the scope of the law and the compliance deadline,” says Eddie Schwartz, CSO of NetWitness. “The scope is an issue because this law essentially imposes PCI-like information security control structures across any sort of company that maintains PII for Massachusetts residents. While some industry sectors already have implemented many of the security policies and controls inherent in the Mass law due to PCI and other compliance requirements, other sectors will be starting from scratch.”
The level of effort and cost for the latter could be significant and time-consuming, Schwartz adds. “The deadline has been moved out a bit, but the compliance date still may be unrealistic, given change management realities and the current economic environment and necessary cutbacks in IT and security budgets.”
It is unrealistic, he says, to expect potentially material IT investments in new hardware, software and code changes in an environment when some sectors are struggling to stay profitable.
But others regard the law as a model.
“There is a strong likelihood that it could become the standard for more stringent state-level data security legislation, since banking and other lobby groups will work hard to make this happen,” says Avivah Litan, vice president and distinguished analyst in Gartner Research.
“Specifically, financial institutions and other custodians of sensitive customer accounts (for example bank accounts, health care records) will likely use these types of state laws (and ultimately a federal one if they get one passed under the new Congress) to extract penalties and reimbursement fees from organizations responsible for data breaches that lead to fraud that they pay for.”
There are several reasons the Massachusetts data-breach legislation is likely to be the new standard bearer, says Michael Maloof, CTO, TriGeo. “It's the first state-based initiative to focus on prevention. With 44 states enacting breach notifications, and little measurable impact on the identity theft crime rate, it's no surprise legislators have shifted the focus to prevention.”
The legislation is unique in that it explicitly holds state agencies to the same or higher standards that are required of businesses operating in the state, he adds. “This sends a clear message that they're serious about the issue, and committed to broad acceptance and implementation.”
It follows well understood security best practices that combine assessment, education, real-time monitoring and response – all exercises focused on being proactive rather than simply reactive, he says.
Those companies already compliant with regulations, like PCI, GLBA, HIPAA, SOX, and many others, will have little difficulty complying with the new legislation because there is nothing unusual or unreasonable included in it, says Maloof.
“It will, however, expand the scope of regulations to include businesses that may have previously avoided any formal compliance requirements because of their size or industry focus.”
Unlike the EU, which has broad data privacy legislation for member states (EU Data Directive 95/46/EC), the U.S. does not have a holistic approach to protecting personal information, says Phil Neray, VP of marketing at Guardium. “Instead, it is left to individual states, as well as regulators (HIPAA, GLBA) and ‘self-regulation' by industry (PCI-DSS).”
He agrees that the new Massachusetts law will likely become a standard for stricter laws in other states because it goes far beyond simple breach notification. “For example, the Massachusetts law has a strong emphasis on insider threats, with requirements for employee training, ongoing monitoring to identify unauthorized access, and ensuring that users aren't sharing credentials or using vendor-supplied default accounts.”
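As an added illustration of the monitoring Neray describes (this is example code written for this page, not code from the article, from Guardium, or from the regulation itself), the script below scans a constructed authentication log for two of the indicators he names: logins using vendor-supplied default account names, and one credential being used from several source addresses within a short window, which is the usual footprint of a shared password. The log format, the list of default account names, and the ten-minute / two-address thresholds are all assumptions and would be tuned to the environment.

```python
"""Flag two insider-threat indicators in an authentication log:
vendor-default account use and one credential used from many source
addresses at once. Added example, not part of the original article;
the log format, account names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format (constructed for this example):
# "<ISO timestamp> <user> <src_ip> <success|failure>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (success|failure)$")

# Assumed set of vendor-default account names; extend for the products in use.
DEFAULT_ACCOUNTS = {"admin", "root", "sa", "guest", "administrator", "oracle", "cisco"}

# Constructed sample log: 'bob' appears from three addresses in one minute,
# 'sa' and 'admin' are vendor-default names.
SAMPLE_LOG = """\
2009-01-05T09:00:01 alice 10.0.0.5 success
2009-01-05T09:00:30 sa 10.0.0.9 success
2009-01-05T09:01:10 bob 10.0.0.6 success
2009-01-05T09:01:45 bob 192.168.4.20 success
2009-01-05T09:02:05 bob 172.16.8.3 success
2009-01-05T09:02:50 alice 10.0.0.5 success
2009-01-05T11:30:00 bob 10.0.0.6 success
2009-01-05T11:31:00 admin 10.0.0.9 failure
"""


def parse(log_text):
    """Return (timestamp, user, src_ip, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def default_account_logins(events):
    """Any use of a vendor-default name, successful or not, is worth reviewing."""
    return sorted({(user, ip) for _, user, ip, _ in events
                   if user.lower() in DEFAULT_ACCOUNTS})


def shared_credential_suspects(events, window=timedelta(minutes=10), max_sources=2):
    """Accounts with successful logins from more than max_sources distinct
    addresses inside any sliding window of the given length. One person
    rarely sits at three machines within ten minutes; a shared password
    does it routinely. Returns {user: sorted list of addresses seen}."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            by_user[user].append((ts, ip))
    suspects = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            if len(ips) > max_sources:
                suspects[user] = sorted(ips)
                break
    return suspects


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("default-account use:", default_account_logins(evts))
    print("possible shared credentials:", shared_credential_suspects(evts))
```

The default-account check deliberately reports failed attempts as well as successes: a failed login against `admin` from an internal address is still evidence that the account exists and that someone expects it to work. The sliding-window check is a heuristic, and VPN concentrators, NAT pools and roaming laptops will produce false positives, so the output is a review queue, not an alert by itself.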
It's also the first state law to require discovery and inventory of sensitive data, he says. This is important because most organizations don't even know where all their sensitive data is located, especially if they've been through a couple of mergers and acquisitions, he points out.
Another reason why this law could become the model for other states is that it establishes a clear legal standard of “due care” (“the level of diligence that a prudent and competent expert would exercise under a given set of circumstances”), says Neray. “This will make it easier for plaintiffs in civil lawsuits to persuade judges and juries that organizations that lost data are negligent. For example, banks could now sue retailers that were breached in order to recover costs from resulting credit card fraud, as well as the costs of consumer notification letters and free credit reporting services.”
Will enforcement of data breach laws become stricter? Litan says it depends on the criminals. “All signs do point to heightened and more frequent criminal activity against the backdrop of an ailing economy. Banks and other institutions which house sensitive customer accounts will be anxious to shift fraud and customer service costs onto the companies that are responsible for the initial data compromises.”
She believes it will be enforcement by example. “Once a data breach is discovered, the laws will be used to force the companies responsible for the data breach to pay back the banks and other companies who suffer the fraud and customer service costs on behalf of their customers (since they don't typically make the customers pay). I don't think there will be proactive enforcement of the laws since the government agencies don't have the resources to do that.”
NetWitness's Schwartz says he believes that many states that have traditionally adopted strong consumer protections will pass similar legislation over time. “It remains to be seen whether the compliance dates will be as dramatic, given the current economic environment,” he says.
The law is likely to have a broad impact on IT generally, says Ed Moyle, a founding partner at SecurityCurve. But, he posits, how does a business know if someone's a Mass. resident or not?
In practice, what we're likely to see happen, he says, is the same thing we saw with California's Breach Disclosure Law (SB-1386): Most organizations will find it too difficult to selectively implement controls just for a subset of their data and will apply it to all data.
“The executive order goes hand in hand with this security ‘push' – it requires state contractors, as well as the state itself – to adhere to this and other legislation and also outlines a set of minimum requirements related to how information security should be organized.”
But compare what Massachusetts is doing with what's going on in Nevada, he says. “The Nevada law looks to apply only to businesses that do business in Nevada – that can be sticky too – but this law is a lot more general. I honestly don't know how a business would segment out which users were Mass. residents to just apply the controls to them.”
Getting a handle on all of this data is a challenge, as many companies will have tens of thousands of customers based in Massachusetts, says Nagraj Seshadri, senior product marketing manager at Utimaco Safeware.
“One requirement of the new legislation is proof that every affected company must have a comprehensive, written security plan and at least one employee designated to maintain the plan,” he says. “Additionally, companies must also pay attention to the physical security of their paper documents. Companies will also have to train end-users, many of whom are not security aware, on data security best practices.”
Most businesses already have implemented some of the requirements, such as widely used firewalls and anti-virus software, he adds. But, he warns, while these existing measures do help to secure data, they alone are not sufficient.
“Encryption, which makes data unreadable by unauthorized users, will now be the key technology for securing data. The biggest concern for businesses trying to adopt the regulations is their cost and the need for security expertise, which is not core to their business,” says Seshadri.
The legislation, while stating specific goals, does not describe external audit or enforcement procedures, says TriGeo's Maloof. “Given the lack of specific enforcement provisions, I can only assume that legislators expect violations to be addressed with civil suits, which is the legislation's single biggest flaw. It does not specify any fines, procedures that would result in any business interruption or requirements for formal routine audits, which are the teeth in PCI. Likewise, it was the lack of such provisions and genuine enforcement that slowed the adoption of HIPAA regulations.”
It seems inevitable, he says, that formal audit and enforcement procedures will be defined and accepted. “The cost will naturally be passed on to the consumer, and will be weighed against the cost of the identity theft fraud that we're already paying.”
It's unrealistic to expect proactive enforcement in the near term because government agencies simply don't have the resources (nor technical expertise) to go after everyone, argues Neray. “However, I expect that they'll aggressively pursue organizations that have been breached in order to ‘set an example' for other firms. It's unfortunate that we have to do things this way, but the reality is that the vast majority of organizations are still operating with an 80s-style, laissez-faire ‘Novell network' mind-set when it comes to data security, both in terms of attitude and controls,” says Neray.
It is useful for companies to look at how cash is protected in companies, where only specific employees with access rights are allowed to handle cash, says Seshadri. Similarly, he says, if sensitive data is now recognized as something of value, the cash example can offer insight into how a company could approach data security.
“Businesses should carefully review the password rules and recommendations for strong authentication and access control to sensitive information,” says Seshadri. “The regulation emphasizes the proper management of the encryption keys, in addition to just encryption. Companies need to evaluate whether to invest in automated key management systems coupled with encryption solutions.”
In addition, Seshadri adds, users need to be part of any good security solution. “Even the best tools are of limited value if end-users are not properly trained, especially as the new regulations require users to be regularly trained in the security procedures for correct handling of sensitive information.”
Companies can phase in the costs, addressing the highest-risk systems first and then extending those controls to other devices that have a lower likelihood of being lost or stolen or of containing sensitive information, says Seshadri.
“However, since every company's IT systems are a little different from others, companies should carefully evaluate the risks and costs that are unique to them,” he says.
New presidential administration
In terms of what effect the new Obama administration will have, Litan thinks it will back state compliance efforts, but won't get directly involved, and compliance won't be high on its agenda.
“They have much bigger fish to fry,” she says. “Namely, keeping this country from falling further into a deep recession. For now, the fraud costs are minor compared to the costs of unemployment and the freezing of the credit markets, although they too will surely escalate.”
Maloof agrees. “According to the U.S. Department of Justice, identity theft has become the nation's fastest growing crime, and has surpassed drug trafficking as the number one crime in the country. While the threat is real, I believe it's unlikely we'll see national legislation, much less enforcement, for several years simply because the new administration will be focused on core economic, energy and geopolitical challenges.”
While Maloof applauds President-elect Obama's decision to create a new chief technology officer cabinet position, he believes the CTO will be crafting a national technology vision and implementation plan, not taking on the role of CSO.
“Just as we saw states move fairly quickly to enact breach notification laws, I expect that many states will see the value of a proactive approach to security and will continue to act independently,” says Maloof.
Guardium's Neray says that while data security and privacy are critical issues for everyone, he's guessing the feds will let the states handle this for now, especially when states like Massachusetts are now stepping up to the bar and drafting comprehensive legislation like this new law.
The FTC has been silent on a number of issues of this type during the last eight years, says Schwartz. “I imagine we will be seeing more activity from the FTC, other regulatory agencies and Congress on this front. There are times when a uniform federal standard would be preferred over 30 to 50 varying state-level standards.”