Debunking MA 201 CMR 17 compliance myths
Date: May 29, 2010
If your customer tells you that his or her company has achieved MA 201 CMR 17 compliance, don't be so sure. Compliance with the Massachusetts data protection law requires more than just IT controls and more than just one person's word. You need to examine departments like human resources, data retention, physical security and internal audit as well.
There are many myths related to the legislation, and John Moynihan, president of Minuteman Governance, believes that these misconceptions are dangerous and may lead your customers to rely on inadequate technologies. Moynihan reviews where your clients may get the wrong idea and where you can step in and help with emerging state data protection laws.
For more on MA 201 CMR 17 compliance:
- Listen to Dick Mackey of SystemExperts explain how solution providers can position their customers' controls so that they can be ready for emerging data protection laws.
- Video: John Moynihan of Minuteman Governance reviews the technical, administrative and physical security controls that organizations need and often don't have.
Read the full transcript from this video below:
Debunking MA 201 CMR 17 compliance myths
John Moynihan: There are many misconceptions about the law. These misconceptions I find are very dangerous because they’ve caused inertia and they’ve caused a false sense of compliance for organizations. I want to go over some of them.
This one’s brutal: "This is an IT law." You’re talking about data protection, data security. It’s an IT law, so all you have to do is deploy some type of technology. I think we all know, technology alone will not allow you to achieve compliance. There’s a major non-technical piece of this law, and I think most of the risk and most of the vulnerabilities right now that exist are associated with the non-technical controls. If a CIO, IT manager or an IT director tells you … I’ve heard this from so many people at our first meetings in various engagements. The CIO will say, “We’re all set. We’re compliant with the law. We’re glad you’re here to check us out, but we’re all set.” Unless that IT director is also responsible for physical security, document retention, human resources, internal audit to conduct risk assessments, employee training; unless that IT director is responsible for all those functions, he can’t tell you they’re all set because they can’t be all set. He can tell you about the patch management, how they authenticate users and access control and virus protection and encryption technologies; great. He can tell you about one-third of the law. There are a lot of organizations being misled, executives in organizations being misled, by people saying, “Don’t worry. We’re all set with the law.”
Misconception No. 2; this is a very common one: "If we’re complete with PCI, HIPAA, [the] HITECH [Act] or [the] Red Flags [Rules], we’re compliant with Massachusetts." [The] Massachusetts [regulation] is just an innocuous little state law. We’ve been compliant for years because we’ve gone through our HIPAA certification, we are PCI-certified, we’ve prepared for the Red Flag rules. It’s just not true. As I say, you go right onto the Mass.gov site and it says to you, “This compliance does not translate into Massachusetts compliance.” The Massachusetts law is more rigorous.
Here’s another beautiful one: "We don’t collect customer information." The vast majority of small to mid-size businesses approach the law this way. Manufacturers, other types of organizations; we only collect information on employees so we don’t have to really protect them because it’s not credit card data, it’s not Social Security numbers. The law applies to employee data. That’s really the trigger that has caused this law to be so expansive. It requires you to protect employee data.
Here’s another good one: "What are the chances we’re going to get caught? We’ll take our chances with the fines." Most people talk about "this law's consequence is the $5,000 fine." While that is quite a consequence, I think it pales in comparison with the other consequence of violating this law, the third-party business disruptions. All of our clients are coming to us now, since this law has passed, every client that came to us, came to us because one of their key business partners asked them to attest to their compliance with the law. I think when people started reading about this law, saying, “$5,000 per breach; that’s if they find out about the breach, what’s the chance they’re going to find us?” That was the perspective and that was the risk companies were taking. Now they’re [saying], “Wait a minute. We can’t do business with XYZ company unless, A, they provide us with assurance they’re compliant and they can’t do business with us.”
We just got a major law firm as a client; they do extensive insurance litigation. An out-of-state insurer wrote to them and said they had 30 days to provide them, with … independent [attestation] that they’re compliant with the law. This Massachusetts law firm that was well aware of the law is being compelled to comply to a third party, one of their biggest clients, that’s out of state. People talk about consequences, the $5,000 per record, I think is significant, but it’s not going to have an impact like the third-party requirement.
We’re seeing more activity now with people wanting compliance assessments than before the law, because I think they’re figuring out, both on their own and through contacts by their big vendors, or big clients, that they have to be compliant now. Again, when this law was winding its way through the various revisions, most people thought they’re not going to harm a big corporation doing business in Massachusetts and put people out of work by clobbering us with a fine. No, they’re not; but this law is going to be self-enforced. It’s going to be enforced through the third-party requirement.
Misconception No. 5: "Encrypt everything that moves." You only have to encrypt a laptop, a USB drive, email, backup tape if it contains personal information. Encryption is clearly one of the major pieces of this law and it’s a well-founded major piece of the law because it’s needed. There are so many people still maintaining data on unencrypted devices. But you don’t have to encrypt everything if there’s no data, personal information as defined on the previous slide, on these technologies.
Misconception No. 6: “We don’t maintain any personal information in electronic format”; we talked about that. We haven’t conducted an assessment, as I said, but there were major findings about the way the organization retains, destroys and archives personal information. We have a large client, with 36 different locations in Massachusetts and a separate offsite storage facility. Very robust controls throughout all three elements: administrative, technical and physical security. One of my people went down on the last day to conduct a review of where they archive their data. [They have] hundreds of millions of records. It was located in an industrial park, housed with a bunch of other companies. The guy walked in and walked into the door. It was unmanned, there was no one there and the door was unlocked. [At] $5,000 per record, there were probably 50 million records there. Here’s a company that deployed very sophisticated technical controls, had really touched all the administrative bases, but is not locking their door where they keep all their data.
An overlooked piece of data security is this right here; paper records and protecting them.
There are some real serious misconceptions about this law that I think are quite dangerous for a couple of reasons: One, and the major reason is, some of the misconceptions have caused organizations to have a false sense of compliance. I think they perceive the law in certain ways and, therefore, have not moved to comply. There are other misconceptions about the law that I think have served to frighten or scare organizations into deploying a technology or a product. While technology is surely a big piece of this law, it’s not the only piece.