With the nation's strictest data security law set to take effect Jan. 1 in Massachusetts, mobile phone merchant Dennis Kelly plans to parlay the regulations into a competitive advantage.
Kelly will display signs at each point-of-sale device inside 28 Wireless City shops, of which he is co-owner, stating that the company complies with the state's new mandate and that protecting customers' personal information is a company-wide priority.
He says that as his business has grown in a few short years, adhering to the new requirements – namely, establishing an official information security policy and deploying more stringent access control solutions – was necessary, regardless of the impending legal obligation. And now he wants to show that investment off.
“We can set ourselves apart from competitors by communicating that we take this stuff seriously,” he says. “I think we will be somewhat unique in that regard.”
Kelly's take on the regulations – the first time any state has issued such a comprehensive and prescriptive list of measures that must be taken to protect data – appears to be in direct contrast to most other business owners across the Bay State.
Since the provisions were borne out of an identity theft law approved by Massachusetts lawmakers about 18 months ago, business leaders have been deeply critical of them. A majority of their complaints boil down to an issue most Americans can relate to these days: money. They contend that the amount of time and the high cost that compliance would require, especially for those sectors not currently required to meet any industry data security guidelines or federal mandates, clashes with the current state of the economy.
The original compliance date was scheduled for Jan. 1 of this year, and then pushed back to May 1. But on Feb. 12, roughly three weeks after scores of business leaders protested the regulations at a public hearing in Boston, the state extended the deadline once again – this time to Jan. 1, 2010.
“We were evaluating the ability of business to be able to comply with the regulations and it became clear to us that in the economic hurricane that is buffeting us, the business community needed more time,” says Daniel Crane, former undersecretary of the state Office of Consumer Affairs and Business Regulation, charged with developing the requirements. “They may have other issues in the operation of their business to which they may need to devote more immediate attention than, in their judgment, protecting personal information.”
(Editor's note: Citing personal reasons, Crane resigned in March after two years as undersecretary. As of press time, his replacement was not named.)
The announcement of the emergency delay also came with a finalized set of regulations, which contained some concessions to appease business owners. But there are no more planned extensions. Any business that handles personal information on Massachusetts residents – defined by the state as a name used in combination with a Social Security, bank account or credit card number – must take a number of steps to protect it, even if those businesses are not based in the state.
And the rest of the country should keep a close eye on the situation. Assuming Congress doesn't pass federal legislation, many experts believe the Massachusetts regulations could turn out like California's pioneering SB 1386, which mandated victims be notified in the event of a data breach. In the five years since the state passed the law, some 45 states have adopted similar measures.
Encryption a “key” component
Despite the regulations, Massachusetts has no interest in playing “Gotcha!” with companies – but, compliance should be a part of the cost of doing business, Crane says.
“I think that there's much more sensitivity in the business community to the impact that this has on customer relationships,” he says. “It happens in subtle ways. The consumer starts thinking twice whether I want to do business with someone who has suffered a breach when I can go to a competitor.”
Crane says carrying this type of mindset is especially important now, considering the state of the economy. “You don't want a self-inflicted wound because of exposing customer information.”
He points to a recent study that analyzed the reported breaches in the state during the 10 months that followed the passage of the identity theft law. Crane's office received 318 notifications of data-loss incidents, impacting 625,000 state residents. In 194 of the cases, the breach was caused by criminal acts – in many cases, the theft of a laptop or hard drive.
Those statistics, Crane says, give credence to the decision by his office to include a specification in the new regulations that businesses must encrypt removable media if it contains personal information on Massachusetts residents – believed to be the first such stipulation of its kind in the nation. (Nevada recently approved a law that requires encryption on data in flight).
“Encryption is that next layer of protection and is viewed by many people as the strongest form of protection for sensitive data,” says Katie Curtin-Mestre, director of product marketing for data security products at Bedford, Mass.-based RSA.
Thus, it is no surprise that Forrester Research is predicting a surge in full-disk encryption adoption this year, particularly for laptops, says principal analyst Natalie Lambert. Regulations will be the main driver, and not because companies are trying to be proactive. That is why, she says, other technologies that are useful, but not prescribed under any law, are not receiving the levels of deployment that many expected, such as data loss prevention.
But the Massachusetts encryption provision – which also covers all files containing personal information traveling over public networks and across wireless transmissions – presents one of the most onerous tasks for companies, according to the business community.
Alan Macdonald, executive director of the Massachusetts Business Roundtable, a 70-member group of business leaders, says adding encryption could prove challenging for certain legacy systems that may not accept the technology. In addition, the cost could prove burdensome, particularly for small businesses.
“It's just that some companies already have what they believe to be pretty good systems [to protect privacy],” Macdonald says. “The new laws say to get rid of those systems and use the new technology that meets the prescription of the new regulation. Everybody needs to have privacy as a company doing business. Their reputation and their ability to stay in business depend on that. But they know that if you tell them how they have to attain it, it's going to be one unnecessary expense.”
According to a study performed by Crane's office, the average small business stands to spend no more than $6,000 to meet the requirements. The study concluded that this hypothetical company would spend no more than $1,000 to hire a computer consultant to identify confidential records – another requirement – and no higher than $2,000 to meet the encryption mandate (taking into account the free solutions that are available).
Those numbers still may prove too costly, says Jon Hurst, president of the Retailers Association of Massachusetts. He would have preferred the state hold off for a federal data security law, even though such legislation has been held up in Congress for years. “For a struggling small business with small margins that are actually seeing their sales drop in this economy, they're kind of scratching their heads here saying, ‘Why are we doing this again?'”
But Crane defends the regulations, saying that state government is appropriate in taking the initiative. Besides, he says, verticals such as health care and financial services likely already are “well beyond” these regulations.
With that said, the regulations were refined to assuage some concerned business owners. In the finalized version, the state eliminated a controversial section that required businesses to receive from their service providers written certification that they also were adhering to the requirements. The new version now only requires companies to take “reasonable steps” to verify this is true.
Bruce Schneier, chief security technology officer with BT, says he is not a fan of laws that prescribe certain ways to achieve something. Regulations such as these, he says, tend to discourage innovation and often fail to contain stringent enforcement and penalties.
“I prefer that you specify results and not methodologies,” he says. “People focus on tactics and not the broad threat. Bad guys change tactics. I like to see laws that say if you expose information, we're going to send you to jail.”
The Massachusetts regulations do not carry any prison penalties, though violators are subject to a fine of up to $50,000 per incident. Crane is quick to note those numbers do not include potential civil lawsuits and the cost of lost customers.
Enforcement, though, is likely to be spotty. The Attorney General's Office only will check for compliance if a business suffers a breach, Crane says.
Schneier, despite being opposed to the design of regulations such as these, says he has no sympathy for companies reluctant to spend money on security. “If it's too expensive for you to collect personal information, don't,” he says. “If you want the benefit of the data, pay the price.”
Crane says awareness, even more than money, is a critical part of adoption. That is why his office, in conjunction with trade associations and chambers of commerce, are hosting some 20 information sessions between Jan. 1 and May of this year.
Meanwhile, some state-based businesses that offer solutions answering to the requirements are leveraging the regulations to educate and gain new customers.
“One of the biggest shortcomings here for everyone is awareness, and the first step in the process is to understand what is being expected of you and what it all means,” says Kurt Baumgarten, VP of information security at Peritus Security, provider of compliance solutions.
In addition, encryption firm Utimaco plans to host a portal on its website to provide business owners with information on various regulations around data security.
Joseph Lazzarotti, a lawyer who specializes in data security, says he is counseling clients to remediate the “low-hanging fruit,” or provisions that do not require much effort. Then, for the shortfalls in their security stance that will consume the most time to resolve, they should conduct a risk assessment, develop policies and construct a roadmap.
Crane says businesses shouldn't be fearful of the new regulations. “If they're doing a good job now, then I'm sure they're in compliance with the regulations,” Crane says. “These regulations represent the minimum standard.”