The Massachusetts Data Privacy law, effective as of March 1, 2010, states that all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program. Unlike most state-based data privacy laws, which focus primarily on public disclosure once a breach occurs, the new Massachusetts law prescribes that more stringent protective measures be taken to prevent breaches from occurring in the first place.
The Massachusetts law is more actionable than most data security regulations because it prescribes specific technical measures that must be taken to protect Personally Identifiable Information (PII), which forces businesses to become proactive in securing their technology. Many of the measures outlined in the bill are actions that companies should already be taking, such as ensuring that the enterprise adequately protects PII. While this initiative seems intuitive and straightforward, it has proven challenging for many organizations.
The new regulations require companies to limit the amount of data they collect, maintain a written security policy and keep a detailed inventory of all personal data and where it is stored. The regulations also require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted via the Internet or stored on external mobile devices such as laptops, USB drives and other mobile storage equipment.
Companies working to comply with the law face many common challenges, as well as issues that vary by industry and company size. Many enterprises struggle to understand the flow of PII and where within the environment it is stored, if indeed it is stored within the company's own environment rather than with a third-party organization. In the past this was more straightforward, since most organizations stored data in databases in data centers or, in the worst case, on desktops and laptops. It has become more challenging with the widespread deployment and adoption of mobile devices and remote and portable storage, in addition to the acceleration of cloud and virtualization technologies and services.
Smaller companies tend to have different challenges than larger enterprises in determining where and how to get started. In many cases these smaller companies lack the resources, in both headcount and budget, to put in place the security plan, policies and procedures needed. In addition, it is difficult for smaller enterprises to put in place the appropriate technology-based controls required to adequately protect the data of concern. Larger companies are more challenged in determining where the information in question is located, how it is accessed and who has access to it. This is often the case because larger companies tend to have a more distributed environment using different technologies, ranging from operating systems and hardware platforms to multiple applications collecting and processing data. The core issue tends to be one of understanding information flow and storage in a highly complex environment.
So what approaches can you use to make sure you remain on the right path?
From a process perspective
* Make sure you review and understand the Massachusetts law as it relates to data privacy. Be sure to do your due diligence.
* Understand the information flow and specifically the data of concern (PII data): where is it entered, where is it transmitted and where is it stored? Make sure you assess beyond where you know the data currently resides. Organizations most often fail when PII data ends up in systems and locations that were never anticipated. You should review your broad environment periodically to ensure you know where the pertinent data resides.
* Review what information within your organization falls into the category of PII and is applicable to regulation under the new law.
* Review how you may be able to leverage your existing security capabilities around protecting the information. Once reviewed, determine what changes should be made in the controls and processes to be compliant, including how you will encrypt information.
* You may be able to use existing policies and information you have for compliance with other regulatory requirements that cover data protection, including SOX, HIPAA, PCI or GLBA documentation.
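The second process point above, finding PII that has ended up in systems and locations nobody anticipated, is the one that most often needs tooling rather than a policy. The following is an added example, not code from the article or from GlassHouse, of a small discovery scanner of the kind that can be run over file shares, ticket exports and mailbox dumps: it looks for Social Security numbers and payment card numbers, filters out values that cannot be genuine (SSN areas the SSA never issues, digit runs that fail the Luhn check) and reports each hit masked so the scan output does not itself become another copy of the data. The sample text, the `Finding` type and the function names are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one PII candidate located by the scanner. Value is masked so
// the scanner's own report does not become another place the PII resides.
type Finding struct {
	Kind   string // "ssn" or "card"
	Masked string // e.g. "***-**-6789"
	Offset int    // byte offset of the match in the scanned text
}

var (
	// SSN in the common 3-2-4 dashed form; \b keeps it from matching inside longer runs.
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// 13 to 19 digits, optionally separated by single spaces or dashes.
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// luhnValid reports whether a digit string passes the Luhn check used by
// payment card numbers; it discards most random digit runs of card length.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// plausibleSSN rejects values the SSA never issues (area 000, 666 or 9xx,
// group 00, serial 0000), which removes obvious placeholders and test data.
func plausibleSSN(s string) bool {
	area, group, serial := s[0:3], s[4:6], s[7:11]
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// mask keeps only the last four digits, enough to reconcile a hit with the record owner.
func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// FindPII scans text and returns validated SSN and card-number candidates.
func FindPII(text string) []Finding {
	var out []Finding
	for _, loc := range ssnRe.FindAllStringIndex(text, -1) {
		v := text[loc[0]:loc[1]]
		if plausibleSSN(v) {
			out = append(out, Finding{Kind: "ssn", Masked: "***-**-" + v[7:], Offset: loc[0]})
		}
	}
	for _, loc := range cardRe.FindAllStringIndex(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(text[loc[0]:loc[1]])
		if luhnValid(digits) {
			out = append(out, Finding{Kind: "card", Masked: mask(digits), Offset: loc[0]})
		}
	}
	return out
}

// Constructed sample: a spreadsheet export and a support note that wandered
// outside the systems where PII was expected to live. The card number is a
// well-known test value and the second row contains only implausible data.
const sample = `export 2010-03-01: J. Doe, ssn 123-45-6789, card 4111 1111 1111 1111
support note: ticket 000-12-3456 ref 1234 5678 9012 3456`

func main() {
	for _, f := range FindPII(sample) {
		fmt.Printf("%-4s at offset %d: %s\n", f.Kind, f.Offset, f.Masked)
	}
}
```

Run against the sample, the scanner reports the SSN and the card from the first line and nothing from the second, since the ticket number has an unissued area and the reference fails the Luhn check. Pattern matching of this kind produces false positives and misses PII stored in other formats, so its output is a starting point for the data inventory the regulation expects, not the inventory itself.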
From a technology perspective
* Ensure the encryption of applicable data while in motion and at rest. Remember, in many cases this information could extend well beyond your data center into mobile and virtual environments.
* Log events and review key security devices and applications in order to monitor your environment with regards to where the data resides and who is accessing it.
* Better define and create actionable security plans, policies and procedures to ensure that they integrate with your technology road map and risk profile as an organization. Ultimately you need to ensure that you align plans and technology with your primary business drivers and objectives. The key to remember is that this should be an ongoing process.
* Frequently assess the information security capabilities of your environment to ensure the appropriate controls are in place and operational.
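The first technology point, encrypting applicable data at rest, is easy to state and easy to get subtly wrong: unauthenticated encryption lets stored records be altered without detection, and a ciphertext that is not bound to its record can be copied into another record and decrypt cleanly there. The following is an added example, not code from the article or from GlassHouse, of how a PII field can be sealed before it is written to a database, a laptop or a USB drive. It uses AES-256-GCM from Go's standard library, prefixes each ciphertext with its random nonce, and binds a record label (here a constructed `customer:<id>:<field>` string) as associated data. The key must live outside the data it protects, for instance in an HSM or key-management service; the block generates a throwaway key only so that it runs stand-alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM instance; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PII value. The label (for example "customer:1001:ssn",
// a naming scheme constructed for this example) is authenticated as
// associated data, so the ciphertext only opens under the same label.
// Output layout: nonce || ciphertext || GCM tag.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per value; GCM is broken if a nonce is
	// ever reused under the same key, so never derive it from a counter you
	// cannot guarantee to be unique across all copies of the key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open decrypts a value produced by Seal and fails on any modification of
// the ciphertext, the tag, the nonce or the label.
func Open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	// Demo key only: in production the key comes from a KMS or HSM and is
	// never stored next to the encrypted data.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	label := []byte("customer:1001:ssn")
	sealed, err := Seal(key, []byte("123-45-6789"), label) // constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for %s\n", len(sealed), label)

	if pt, err := Open(key, sealed, label); err == nil {
		fmt.Printf("opened under correct label: %s\n", pt)
	}
	// The same bytes presented as a different customer's record are rejected.
	if _, err := Open(key, sealed, []byte("customer:1002:ssn")); err != nil {
		fmt.Println("moved ciphertext rejected:", err)
	}
}
```

The length check in `Open` matters on the read path: a truncated or empty stored value should produce an error, not a slice panic that takes down the service reading it. The same Seal/Open pair can sit in front of whatever store the data lands in, which is what makes it workable for the mobile and virtual environments the article notes the data has spread into.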
Robbie Higgins is vice president of security services at GlassHouse Technologies and is responsible for the strategy and development of security services, supporting sales and overseeing customer engagements. Higgins brings more than sixteen years of experience in the technology arena to his work at GlassHouse. In his most recent role he served as chief executive officer of CSSG Security Services.
Previously, he served as managing director of the security services division within Motorola.
This story, "Privacy in a mobile world: Massachusetts data privacy law" was originally published by CSO.