mobile consulting ICT Telecoms and Software Expert Advice

 TELECOMS AND SOFTWARE NEWS


Massachusetts raises the bar for personal data protection, globally

Graham Titterington

Massachusetts regulation 201 CMR 17.00 requires a change in corporate attitudes to securing personal data, and it will have a global impact. It requires every person who owns personal information about a resident of Massachusetts to be in full compliance on or before 1 March 2010. Every organization holding such information will therefore have to make substantial changes to its data management and security practices. As with breach notification laws, which also started at the state level, the practical difficulty of treating data differently depending on where the data subject lives means that this legislation will effectively come to apply across the US, and internationally.

What is covered by this regulation?

The regulation relates to “personal information”, which is defined as social security number, driver's license number, state-issued identification card number, financial account number, and credit or debit card number, in conjunction with the person's name. This is a much narrower definition of “personal information” than is, for example, used in European privacy legislation. It does not include biographical information, health information, employment history or the person's address. The regulation appears to be directed at reducing the incidence of identity theft and financial crime. It applies to both electronic and paper records.

Organizations that employ residents of Massachusetts will be hit first and most onerously. However, the inclusion of payment card data means that any company that does business with Massachusetts residents is also required to observe the new rules.

What must organizations do?

Everybody holding this type of information must implement a comprehensive and written information security program containing administrative, technical and physical safeguards that are appropriate to the person/organization, the amount and type of information held, and the security needs. These must be aligned with state and federal regulations relating to the type of data. The regulation is generally vague in specifying what is “reasonable”, while being prescriptive in specifying the aspects that must be covered in the program. Several steps are mandatory, including designating an individual to be responsible for the policy, conducting a risk assessment, providing ongoing employee training, monitoring compliance, preventing terminated employees from accessing records, and providing a means of detecting and preventing security failures. Organizations must restrict physical access to data; for example, by keeping it in locked cabinets. The response to all incidents has to be documented and the security program has to be reviewed at least annually.

Overseeing service providers

The most far-reaching requirement in regard to the future of the IT industry is the requirement that contracts with third-party service providers must explicitly require the service provider to meet this regulation. This also applies to contracts between the service provider and its subcontractors. This is likely to be a particularly difficult requirement to comply with. There is a limited derogation until March 2012 for existing service contracts. Most cloud service providers today will fail to meet this requirement.

Technical requirements will boost IT security vendors

A broad range of IT security vendors will find marketing opportunities in this regulation - particularly vendors in the identity and access management field. The regulation mandates the encryption of all data that is transmitted over a wireless network or across a public wired network, or held on mobile devices, including laptops. It also requires secure access controls and effective user authentication at all points where personal data is accessible. It requires user access policy to be aligned with a “need to know” philosophy. Network monitoring is required.

Will it be observed?

This regulation requires a change in attitudes as well as significant investment in technology and processes - particularly in process improvement. These take time to deliver. While it should be effective in the medium term, universal application will ripple out gradually. We have seen how the much more limited Payment Card Industry standard is taking years to roll out. In the short term it is likely that the weight of the legal system will be turned on organizations (particularly in the US) that suffer an information breach, as an example to encourage the others.

About:

This article is an extract taken from Ovum's Straight Talk service. This daily email bulletin provides our expert's views and opinions on important news and events in global IT and telecoms.

If you would like to find out more about Straight Talk please contact StraightTalk@ovum.com

© Datamonitor - Ovum is a Datamonitor company