Security solution providers should become familiar with the Massachusetts data security regulation, 201 CMR 17.00, which has undergone a series of revisions. These changes aim
It is expected that the regulation, after being postponed more than once, will go into effect on March 1, 2010. The revisions have been influenced by various stakeholders, including Massachusetts citizens, the state government and both in-state and out-of-state businesses who work with Massachusetts residents. The major changes are described below.
A risk-based compliance approach
The most important change to the regulation is the requirement to take a risk-based approach to data security. A risk-based approach emphasizes enterprise security controls that are appropriate for the level of data breach risk that an organization faces. It avoids a prescriptive one-size-fits-all approach, since each organization has its own risk profile. Here is an example to illustrate the point: If someone wanted to protect a $10 bill, a shirt pocket would suffice. A nice wallet would do for $100. For those lucky enough to have the problem of needing to protect $100,000 in cash, at a minimum a secure bank vault with steel doors should be employed. It's easy to see how the cost and scale of protection increase with the amount of money, the associated risk of loss and the accompanying pain.
Similarly, the Massachusetts data security regulation's risk-based compliance approach to data protection takes several factors into account. These include the size and scope of business, the amount of data that is captured or stored, the resources available to the company and the level of security expected based on the nature of the business. The risk-based approach provides business opportunities for consultants who can evaluate the level of risk an organization faces and recommend appropriate security controls to mitigate the risk.
There are several questions that solution providers can ask to gauge the risk in their customers' businesses:
- Is it a small retailer with ten employees or is it a large financial-services company with thousands of employees and millions of customers?
- Are only a few records handled or are millions of records being stored?
- Are they detailed records that contain several types of personal information, or is it only a small part of the entire record?
- What resources are available to the company in terms of people and budgets?
- Due to the nature of the business or specific processes, would there be any special security considerations?
The expectations and requirements for each size and type of business can vary, so solution providers should carefully evaluate their customers' situations based on the criteria outlined above and suggest appropriate controls. Note that the regulation itself does not prescribe the type of technology a business must implement; each business must come to its own conclusion. Security risks must be carefully balanced against cost, convenience and feasibility. For this reason, solution providers have the opportunity to become trusted advisors to customers and help them become compliant while ensuring the most efficient use of resources.
This risk-based approach aims to help small companies implement security controls appropriate to the scope of their business. For example, when it comes to email encryption, to save costs and resources while still complying with the regulation, a smaller company may prefer an email security product that combines multiple functions -- such as antispam, antimalware and email encryption -- into a single appliance. A larger company may choose to deploy a standalone email encryption appliance with more complex features that requires a separate budget and resources to manage. Solution providers can once again serve as valuable resources for companies determining which product best fits the scope of their business.
In keeping with the risk-based approach, some of the specific security requirements listed in the law have been modified to read as "guidance" that companies should follow and implement based on the size and scope of their business.
Other changes to MA data security regulation 201 CMR 17.00
The mandate's definition of encryption has been broadened, changing from an "algorithmic" process to a "confidential" one. This change gives customers flexibility in choosing the type of data security controls they employ, but the help of solution providers again may be necessary to ensure that data continues to be effectively protected from breaches.
Although the definition has changed, the technical security requirement to encrypt laptops and portable devices remains the same. All the technologies listed are commercially available today, which allows solution providers to recommend a range of practical options suitable to the business. The phrase "to the extent technically feasible" has been applied to the implementation of the technical requirements. Based on a careful data security risk assessment and the availability of resources, solution providers can help businesses decide which technologies to implement or skip, since the responsibility now rests with the businesses.
The requirement for third parties to secure personal information has been changed to be consistent with federal data protection laws wherever applicable. Businesses are expected to take reasonable steps to ensure that third parties take appropriate security measures. The regulation's revisions also recognize that businesses may have prior contracts with third parties, so it is important for businesses to re-read the fine print and dates in their contracts to ensure they stay compliant.
Solution providers have several opportunities based on the changes made to the regulation. These opportunities include becoming trusted advisors to their business customers, helping customers and their business partners interpret the regulations from a technical perspective, and helping assess the risks to the security of data across the enterprise. Specifically, smaller customers may also need help creating an information security plan, selecting and implementing appropriate security solutions, and monitoring and updating these deployments regularly.
The updated regulations, FAQ and other useful documentation can be found on the Massachusetts 201 CMR 17.00 official website.
About the author
Nagraj Seshadri is the senior product marketing manager at Sophos.
This was first published in January 2010