To arms. To arms. 201 CMR 17 is coming!

A new privacy regulation in Massachusetts evokes anxiety for many, but getting in line may prove to be no big deal, reports Greg Masters.

After several delays, what has been called the nation's strictest state data security regulation takes effect on March 1, 2010, in Massachusetts. The regulation, 201 CMR 17.00, sets out a number of requirements that every company holding paper or electronic records containing the personal information of a Massachusetts resident, wherever the company is based, must follow to safeguard those records.

Businesses that possess personally identifiable information (PII) of Bay State residents will now be required to encrypt that information when it is stored on laptops and other portable devices and when it is transmitted across public networks or wirelessly. In addition, businesses must designate an employee responsible for the security program, restrict access to personal data to only those employees who need it, regularly monitor the program's effectiveness, and develop, implement and maintain a “comprehensive written information security program.”

The Massachusetts legislation goes further than most data security regulations by prescribing specific technical measures that must be taken to protect PII, says Boaz Gelbord, executive director of information security at a New York-based company that assists educators and students, and the founder of Security Scoreboard. It's the legislation's degree of specificity, he says, that distinguishes it from the generic language typical in such regulations.

“In most regulations, you have to maintain confidentiality, but you don't see references to specific technology,” Gelbord says.

Also, this legislation differs from other state disclosure bills because it forces businesses to become proactive in securing technology, says Gretchen Hellman, vice president of security solutions for Vormetric, a data security solutions provider. It insists that organizations take measures to protect information, as opposed to other guidelines that only require companies to alert customers should their data be compromised, she says.

In short, the Massachusetts bill puts together requirements to prevent breaches from happening in the first place, she says.

Robbie Higgins, vice president for security services at GlassHouse, a global provider of IT services, adds that, in most cases, the regulation lays out what any business should already be doing as far as security goes. “It may be a little heavy in certain areas, like encryption, but it makes sense,” he says.

Higgins, who works out of the Chicago office of the Framingham, Mass.-based GlassHouse, sees one of the bill's primary challenges for companies as identifying which information they need to be concerned with, and where it lives. “Once they determine where the personally identifiable information (PII) is – whether it's on a disk or email – then they can address it.”

But, he warns, some companies don't understand where the data is, while others mistakenly believe they need to encrypt everything. Another big challenge is figuring out what percentage of employees deal with this information. When it comes down to it, though, Higgins says this regulation is not going to address all security concerns.

 “It's not a roadmap for security in the business environment, it's more a guideline,” he says. “Yes, you need to make sure to comply, but that in itself is not a security blueprint if you're looking to properly secure your environment.”

Many businesses have been following HIPAA and PCI mandates, but that has not been enough to prevent major data breaches, he points out.

“As things become more distributed, determining where data is and how much access and control a business has brings challenges,” he says. Hosting data with a third party, as in a virtualized or cloud environment, raises a further question: is the site multi-tenanted? That, he says, can be difficult to audit against.

The Massachusetts data privacy regulation is just one rule in a cascade of regulation aimed at protecting sensitive data, agrees Stephen Marsh at Portland, Ore.-based hosted email archiving and compliance vendor Smarsh.

"With 40-odd state laws and multiple federal rules already in place, chances are that any given company is already subject to some regulation about data security. And the Mass. law won't be the last."

He points out that the Red Flags Rule is coming in June, requiring financial institutions and creditors to institute a written program to address identity theft risks.


Easing regulation anxiety

When strict data breach security regulations were first proposed in Massachusetts around two years ago, IT leaders at a lot of small businesses were anxious, says Jim Lippie, president of Staples Network Services by Thrive, an outsourced IT provider based in Lawrence, Mass. But, as the company began working with clients, Lippie found that the regulation is not, in his words, that big a deal, particularly for those companies that adhere to industry best practices. By this he means health care businesses already toeing the compliance line owing to HIPAA mandates, or enterprises that process credit cards already governed by PCI guidance. “They have the right procedures in place,” he says.

One example he points to is a large insurance company that contacted his team when the regulation was announced. “They were very anxious, but after an initial assessment, it only took a few fixes.”

Technology specifics

“The regulation does much better when it advises on procedural issues more than the technical issues,” Gelbord says. The trend in these types of laws, he says, is to avoid specific requirements for technology as these can quickly become out of date. “The government is not the best place to dictate technology matters,” he says.

Specifically, Gelbord cites the law's narrow focus on anti-virus software, operating system security patches, firewalls and encryption. The problem is that these traditional security measures are not sufficient to address the threat posed by web-facing application vulnerabilities. The weakness in the regulation is not focusing enough on higher risk issues, he says.

“It's behind the times in the kinds of threats it seeks to address. It focuses on network security and anti-virus while ignoring the risk posed by web application vulnerabilities, like SQL injection. In today's internet, proper input validation for a web application is just as important as maintaining up-to-date virus definitions when it comes to protecting PII,” Gelbord says.

And, while language in the document has been altered in response to criticism, there are still some concerns. The definition of encryption was too specific in the original version, says Nagraj Seshadri, senior product marketing manager, Sophos. The original definition called for a “128-bit or higher algorithmic process”; the amended definition drops the algorithm and key-length language and describes encryption only by its effect, as a transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Further, Seshadri points out that there is too much ambiguity with the phrase “to the extent technically feasible,” applied to the implementation of the list of technical requirements. It places a responsibility on the businesses to determine what is, in fact, technically feasible.

“From a technologist's point of view, all the technologies listed in the requirements are available today, so if companies choose not to implement certain technologies, they should have a very good reasoning behind it in case they are called to defend their position,” Seshadri says.

Mom-and-pop shops

Another part of the law that's unclear is just how much leeway small companies will have when it comes to implementing the technical safeguard requirements, says Gelbord. Some of the requirements could prove costly for small businesses that do not have enterprise-grade IT systems in place, but the regulation contains language that appears to weaken the requirements for SMBs.

Further, while bigger enterprises are likely already in line with the state's provisions from following other laws, for mom-and-pop shops, it's a big deal to secure their business, says Vormetric's Hellman.

Sophos's Seshadri agrees. He says that one of the biggest concerns about the initial versions of the regulation was that it followed a one-size-fits-all approach regardless of the size or scope of the business and the amount of data stored.

“It was felt that this placed undue burden – in terms of resources, cost and required expertise – on smaller businesses because they would be held up to the same standards as large businesses,” says Seshadri.

“The requirement to take a risk-based compliance approach to data protection takes several factors into account, including the size and scope of business, the amount of data that is captured or stored, the resources available to the company and the level of security expected based on the nature of the business. Smaller businesses could use this approach to consolidate technologies and deploy more manageable and cost-effective solutions,” he says.

He adds that the initial version of the regulation that required businesses to review and possibly rewrite all their contracts was a practically impossible exercise. “As a result, in the amended regulations, the requirement for third parties to secure personal information has been changed to be consistent with federal data protection laws wherever applicable,” he says.

Businesses are now expected to take reasonable steps to ensure that third parties take appropriate security measures. “The regulation's revisions also recognize that businesses may have prior contracts with third parties, so it is important to businesses to re-read the fine print and dates in their contracts to ensure that they stay compliant.”

Another challenge many businesses face, says Smarsh's Marsh, is keeping internal policies and processes in compliance with an ever-changing regulatory landscape. "And every time a policy changes, the business must invest resources to train staff, enforce adherence to the rules and evaluate the policy's effectiveness."

Marsh calls the Massachusetts law the most progressive state mandate when it comes to the encryption of sensitive client data, at rest and in transit.

"Beyond the stiff noncompliance penalties that I anticipate we'll see in Massachusetts, data breaches can create severe reputational damage. Other states have followed California's model and detailed specific customer and public disclosure policies in the event of a data breach. A robust data protection policy can even be a competitive advantage, with many customers asking to know what their vendor is doing to protect them before they share personal information."

Wait and see

It will take time to decide whether the regulation is a good model, says Vormetric's Hellman. “It's hard to regulate good security. Security is a consistent effort. Regulations will always fall short. It's impossible to put together a regulation that applies to all companies and says this is what makes you secure.”

By and large, though, says Gelbord, most companies with reasonable security measures in place should be in good shape. “It will be interesting to see whether this law will be replicated by other states in the future, whether this will prove to be a model going forward, and to see what actions are taken as a result,” he says.

However, contrary to what many vendors say, there's no silver bullet technology that lets you press a button and automatically be in compliance now and ever after, says Marsh.

"Compliance is the result of sound policy, enforcement and evaluation," he says. "Technology will help ease the burden of enforcement – policy-based email encryption solutions, for example, will automatically encrypt emails that contain sensitive data using pre-defined rules. Technology will also help measure whether or not your policy works as designed."
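As an added illustration of the policy-based encryption Marsh describes (this is example code written for this page, not Smarsh's or any vendor's product), the block below applies pre-defined rules to outbound mail and decides whether a message must be encrypted. The rules, the identifier patterns (an SSN format check and a Luhn-validated card number) and the sample messages are all assumptions constructed for the example; a real gateway would add the name-context and account-number checks the regulation implies. It also shows a practitioner detail the quote leaves implicit: the gateway logs which rule fired, never the matched value.

```python
import re
from dataclasses import dataclass

# Assumed identifier patterns. SSN: area not 000/666/9xx, group not 00,
# serial not 0000. Card: 13 to 19 digits with optional space/hyphen separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real payment card numbers, false for most
    look-alike digit strings such as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return candidate card numbers that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class Decision:
    encrypt: bool
    reasons: tuple[str, ...]   # rule names only, never the matched values


def evaluate_policy(subject: str, body: str) -> Decision:
    """Apply the pre-defined rules to subject and body."""
    text = f"{subject}\n{body}"
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn")
    if find_card_numbers(text):
        reasons.append("payment-card")
    return Decision(encrypt=bool(reasons), reasons=tuple(reasons))


def route(subject: str, body: str) -> tuple[str, str]:
    """Gateway decision plus a log line that is safe to keep: it records
    the action and the rules that fired, not the personal information."""
    decision = evaluate_policy(subject, body)
    action = "encrypt" if decision.encrypt else "send-clear"
    log_line = f"action={action} rules={','.join(decision.reasons) or '-'}"
    return action, log_line


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    ("Claim update", "Claimant SSN 123-45-6789, please process."),
    ("Lunch", "Order #1234 5678 9012 3456 placed; see you at noon."),
    ("Refund", "Card 4111-1111-1111-1111 refunded in full."),
    ("Hello", "Nothing sensitive here."),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        print(subject, "->", route(subject, body)[1])
```

The second sample message contains a 16-digit order number that a naive digit-count rule would flag; the Luhn check lets it through, which is the difference between a rule that users tolerate and one they route around.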

For its part, Staples Network Services has assembled a 26-point matrix it uses as a compliance checklist to determine what clients must do to meet security requirements. Taking it further, Lippie says the company has put together pieces of legislation from all over the globe to have the most stringent privacy protection plan in place.

“Once we take the time to understand what the policy is, it shouldn't be overwhelming,” says Lippie. “It isn't the huge change that people once thought it would be.”

However, questions remain about how 201 CMR 17.00 will be enforced. Unless there's a breach, there's no way to determine whether a company is following the guidelines, says Lippie.

Nevertheless, for most businesses in Massachusetts the regulation should have no effect, GlassHouse's Higgins says. “They should have these systems in place. For most companies, it should be fairly straightforward. If companies implement security controls and follow industry best practices for a good security program, they shouldn't run into any challenges,” he says, adding that only time will tell whether the mandates have any real impact.

[sidebar]

Case study: Encryption in action

A.I.M. Mutual Insurance Companies is one of the top providers of workers' compensation insurance in Massachusetts. While it had basic security measures in place, these were not enough to be fully compliant with the new state regulation.

Ray Pata, manager of systems and programming at A.I.M. Mutual Insurance Companies, and his team reviewed the standard offerings available but, after an assessment and trial period, chose a solution from BitArmor, recently acquired by Trustwave. “We especially liked the fact that we didn't have to maintain any additional hardware. BitArmor support was great to work with. Pricing was extremely competitive and it was quick to deploy,” he says.

AIM uses BitArmor Managed Encryption, delivered over the internet, to manage its encryption environment once the client software has been deployed to the company's laptops. The tool provides a single integrated solution for full-disk encryption, USB encryption and email attachment encryption, says Patrick McGregor, CEO, BitArmor. “This enables the customer to protect the most vulnerable points in their environment and helps them to be compliant with state data privacy laws and federal regulations, such as HIPAA.”

Most vendors, McGregor points out, can't service small- and medium-sized organizations since they require dedicated management servers to be installed and managed inside the company. Or, if they provide a service from the cloud, they do not have multi-tenant server capabilities that completely and cryptographically separate one customer from another.

“Multi-tenancy is critical for solid data security and it provides economies of scale,” he says. The lack of such a multi-tenant architecture will increase costs and therefore will not be affordable for smaller organizations.

“Right now, we are deploying the BitArmor tool to all of our laptops,” says AIM's Pata. “We have road warriors that live and die by their laptops and because of the mobility, we want to ensure that these devices are fully protected.”

– Greg Masters