Mass Data Protection Law: Start of a Trend?
by Chris Corbet, Fiberlink
On March 1st, 2010, the state of Massachusetts raised the bar for companies and their IT organizations by implementing tough legislation that requires new protections for customer data. Any organization that has customers located in Massachusetts will have to abide by 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, aka, the Mass Data Protection Law. This regulation applies to all organizations “who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
This is a game changer in the security industry, as encryption will quickly become a requirement for all organizations that want to do business in the 3rd most densely populated state. Organizations that do not comply may, in the event of a data breach, be exposed to claims by the Massachusetts Attorney General, businesses and individuals under Massachusetts’ consumer protection statute. Aside from class action lawsuits and audit costs, non-compliant organizations can also be charged up to $50,000 per incident for improper record disposal, with a maximum fine of $5,000 per violation of compliance standards. In the event of an attack, this could cost a company millions of dollars. When TJX was compromised in 2007, it cost them $250 million in just the first 12 months following the data breach. Had the Massachusetts state law been in effect at the time of that breach, it could have more than doubled this total.
Identity theft is a scary thing… It must feel good to be a Massachusetts resident and know that your state is looking out for your personal identity and holding organizations accountable. Expect other states to follow. Throughout history, Massachusetts has paved the legal road for many social issues, and shortly thereafter other states followed by enacting their own protections. We can be sure that regulations like this are not going away (for example, there’s Nevada’s re-vamped encryption law SB 227), and these regulations will continue to drive organizations to implement security standards and encrypt all data residing on their devices.
Deploying encryption software can strike fear in the hearts of IT organizations throughout the country that are already short of resources. “Companies needing to move quickly to implement data encryption should follow best practices and evaluate managed services that take advantage of cloud computing,” says Mark Nafe of Checkpoint. Other “best practice” recommendations include:
- Select the right technology based on your objectives. Full Disk Encryption tends to be more of a “set it and forget it” product line, which can enable organizations to move fast and gain compliance with this regulation. Other technologies allow you to pick and choose what to encrypt.
- Plan the project and design the solution. Ensure you have the right people in place, and offset burden wherever possible by taking advantage of managed service providers with experience.
- Prepare and configure the software. Be sure to test the software’s configuration on any and all corporate images you manage to minimize potential install failure rates.
- Remember everyone. Don’t forget those users that do not frequently connect to the corporate network.
- Track your rollout. Practice proactive management based on reporting and business intelligence. Watch for potential issues and proactively remediate where needed. Ensure that you have a reporting solution in place that will allow you to prove compliance with this regulation quickly and efficiently.
The key component of the Massachusetts Data Protection Law is this: “Encryption of all personal information stored on laptops or other portable device.” With MaaS360 and Checkpoint, you can protect your devices, and prove it. To learn more about how this managed encryption service can help, click here and request a demo.

about 1 year ago
Great best practices tips. At Boston Interactive, we’ve gotten tons of inquiries from clients wondering exactly what this law means for them. As a Mass. resident I agree it’s a good feeling to know this law has been put in place. But I think residents of other states can feel safer too, as most large corporations do business with Mass. residents or companies and should be complying with these regulations. More on that here: http://www.bostoninteractiveblog.com/?p=170.
about 1 year ago
As a consultant, I am looking at this a little differently than most perhaps. I think about the little ‘mom & pop’ corner deli who might have some of their employee information on a laptop or desktop. What is their exposure? And let us not forget that this extends far beyond electronic data, this law legislates how a business is operated, requiring (for lack of a better name) an ISO be appointed and Security Documentation be created in the form of a WISP.
I am not a proponent of this law as I believe it forces many SMBs (Small and Medium size Businesses) to choose between fines or bearing the cost of becoming compliant. In addition, until the first ‘sacrificial lamb’ is brought to slaughter, no one really knows what the extent of these penalties will be.
about 1 year ago
Thanks for the comment Sebastian. Look forward to future exchanges with you on our blog.
There is no question that this law could change the game for a lot of organizations… particularly the SMB or “mom & pop” shops with limited resources. They will need help. I think a key part for them will be to create efficiencies wherever possible, leveraging managed and consulting services for example.
I, too, am curious to see the extent of penalties imposed on the first violator. There is some gray area in the form of maximum fines that I believe is still up for legal interpretation. The first violator will set a precedent and probably create a “mad dash” toward compliance for those currently choosing to roll the dice.