Friday, January 2, 2009

Mass Law - Would You Have Been Ready?

Yesterday 201 CMR 17.00 was supposed to go into effect. 

Never heard of 201 CMR 17.00? Come on, don't you regularly monitor the Massachusetts Consumer Affairs and Business Regulations website for exciting legislative updates? 

Well, in case this one slipped past you, 201 CMR 17.00 is a new data protection law in Massachusetts. This regulation is one of the more far-reaching state laws. The law is short and written in plain English, so I recommend just reading the text of the law instead of the many summaries available online.

What does this law mean for your business? Quite a lot - unless you operate locally or are planning on building a separate database for your Massachusetts customers. But don't panic - at least not for the next four months. The initial go-live date of January 1st has been pushed back to at least May 1st (and CSO Magazine thinks it will be delayed even further).

You can thank {insert name of person you blame for US economic meltdown} for the extension. But if you have been procrastinating, you shouldn't. The regulation is mostly pretty basic security management 101 type stuff - have a security policy, apply access controls, use encryption, etc. If you are not doing most of this already, the government of Massachusetts may be the least of your concerns.

The extension will help companies get a little breathing room, but for companies that haven't even started work on their security programs it may be too little, too late. I used to teach a course in information security at the University of Leiden in the Netherlands (a great university in a beautiful city, especially in the springtime). Each semester when I gave students an extension for their term papers it was the same story - the good students didn't need it and the bad students hadn't even started their homework. They were so far behind that they still weren't ready when the second deadline rolled around.

With compliance, it pays to be one of the good students. I believe that compliance will be the major driver of security spending in the coming years. You can talk to your executive board about security ROI and preventing future losses until you are blue in the face, but the law is the law. A major advantage of having a solid information security program in place is that it puts you in pole position when new regulations come around. If you are operating globally, you are subject to literally thousands of data laws and regulations. Having a solid and reasonable information security program is the only way to avoid a losing game of whack-a-mole with this onslaught of new regulations.

This brings me back to a theme I have explored in the past when discussing breach notification laws. Outside of the most regulated industries, security management is about having an overall security narrative. If you have a solid common-sense security narrative in place, achieving compliance will involve applying tweaks where needed and translating your practices into bureaucratic language when requested.

Most companies have underestimated the effect future data security regulations will have on their business. One of the main reasons for this, in my opinion, is the very low rate of enforcement of existing regulations. The FTC, for example, has brought very few actual proceedings against companies for information security breaches. The settlement against TJX received very wide coverage in infosec circles, but is in a sense the exception that proves the rule. PCI does not release figures on fines, but there is no indication that widespread enforcement has really taken hold.

Some final thoughts on the Mass law, leaving aside for now the grand philosophical debate on whether government regulation is good or bad (libertarians, please take a deep breath). Contrary to some of the consultant-fueled hype, the regulation itself should not have a major impact on businesses that already take information security reasonably seriously. The actual text of the regulation makes clear that no one is trying to shut your business down. The words "reasonable" and "reasonably" appear a full 16 times in the short text. It also states very clearly that the protection measures required are proportional to the size, scope, and type of business and the amount of data stored.

Companies that are not in compliance should focus on their security policy. A recent Cisco survey showed that only 77% of companies had an information security policy at all. My guess is that a substantial portion of those 77% have a policy in name only - a dusty PDF sitting on some network share that no one has looked at in months. All the other aspects of the law - the access control, encryption, and everything else - should be explicitly spelled out in the information security policy. And although external consultants can help polish a policy and define a roadmap for implementation, there is no alternative to organically integrating your security policy into your business. A good New Year's resolution for all of us and fodder for a future post...
