Over the years there have been many new regulations in corporate governance and financial accounting but recently many US states started developing privacy laws mainly due to the concerns regarding individual privacy and security of corporate and individual data. GLBA is one such law at the US Federal level and EU data protection requirements is a similar one for Europe.
One of such laws is the Massachusetts Privacy Law or "201 CMR 17", the deadline for compliance with this law is March 1, 2010. The date has already been pushed back three times, hopefully this is the final one. This regulation lists comprehensive requirements to protect Massachusetts residents from fraud and identity theft from data loss. The law establishes a minimum standard to be met for the protection of Massachusetts resident's personally Identifiable information (PII) contained in both paper and electronic records. The compliance document lists the purpose as
"The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."
One important requirement is about third party contracts where organizations need to make sure that third parties they deal with all need to compliant with this law. I think this is a bold step towards making sure that organizations take the third party interactions seriously. Many of the recent data breach reports have mentioned that third party or partner connections are the cause of many intrusion attempts and data breaches.
Vendors looking for comments like "application security", "web application", "penetration testing", "data leak", etc would be disappointed as the document does not state any specific requirements in these areas. However, organizations should look at this and other regulatory requirements as "minimum standards" and look upon setting up a higher level for themselves. Remember that Compliance != Security.
In order to ensure compliance with this regulations, the following activities should be performed.
- Identify the requirements
- Map compliance requirements to organizational risks
- Collect application inventory data, this should include the details of the data within those applications
- Work with data owners to identify if the application/database contains PII data
- Identify the servers and databases where this data reside
- Identify the encryption requirements
- Map the technical controls for these applications, servers and databases
- Identify the missing controls (both technical and non-technical)
- Implement the missing controls
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
4 comments:
Thanks for the insight, what are some of the recent changes that businesses that operate in US should worry about
Good post… there is another take on the Mass 201 law here: http://blog.maas360.com/massLaw
… wondering if this will become a trend?
@Anon - There are many regulatory requirements specific to states, for a detailed listing check the below link.
State breach laws http://www.privacyguidance.com/files/USStateandTerritoriesBreachNotificationLaws032209.pdf
@Jason, Yes, you are correct. Even though this is a big deal for SMEs, most larger financial institutions have these requirements in place for a while no, so it should not really affect them
Post a Comment