Companies are struggling with privacy regulations, and perhaps nowhere more so than in Massachusetts.
A morning session on the Massachusetts Privacy Law (201 CMR 17.00) at SC Congress Boston delved into the challenges faced by security professionals charged with safeguarding the networks and databases of enterprises that are either based in the state or conduct business with Massachusetts-based companies.
Jon Wilkinson, privacy officer at Philips Healthcare, led off, noting that the health care industry has undergone a tremendous shift. Health care, he said, used to lag behind in technology, unable to do actionable data analytics. Systems have since caught up. But the influx of new technology supporting those health care systems has brought a corresponding rise in security concerns, he said.
Javed Ikbal, vice president of information security and risk management at Bright Horizons, described a further challenge: although his company is based in Massachusetts, it operates across the country and in Canada and Europe, so the data it stores and transmits on hundreds of thousands of children and their parents must comply with a range of regulations, not just CMR 17.00.
The introduction of the mandate received a lot of pushback, Ikbal said, as it softened some standards already in place. However, he pointed out, it defined rules and offered actionable, specific requirements – such as designating a person to be in charge of security and requiring companies to have a security plan. The law, he said, is easily understandable and actionable.
"Prescriptive standards that people considered onerous in 2008 [when the law was introduced] are not so anymore," echoed Wilkinson.
But has the law been effective in protecting data? Wilkinson mentioned that TD Bank had been fined for losing some unencrypted drives, but the bigger measure, he said, is the reputational cost of a breach.
Moreover, it is not the state that prosecutes the majority of infractions, Wilkinson said. The state attorney general's office, working with federal and state agencies, often forwards complaints to the federal level.
On aligning security implementations with privacy requirements, Ikbal said that security people often think auditors are the enemy. "Wrong," he said. "Confidentiality is not just keeping data protected. If you have a breach, there's an impact. People care about their children's data more than they care about credit card data."
Security and privacy have to work hand in hand to protect information, said Wilkinson. "People don't understand the distinction between the roles."
And, as far as the role of the security officer, he added, "I'm not here to say 'no,' but to propose other ways to make sure you're compliant, to find a way to move forward with little to no risk."
Ikbal agreed. "We need to stay in compliance. If we're not in compliance, we're done."