Props to Ed at SecurityCurve for informing me of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, a new Massachusetts law. Section 17.03 sets the basic tone;
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.
Unless you're prepared to figure out how to separate PII on Massachusetts residents from non-MA residents, this law now applies to all PII in your organization.
Jack Daniel has written several great posts on what this new law means. References for Mass 201 CMR 17.00 is really helpful. You can also access a video of a presentation he just made to the Boston chapter of the National Information Security Group. The slides don't render in Firefox but I was able to download the .wmv video and I'm viewing it now.
If you don't want to download the video (large) you can access an audio recording.
Bill Brenner wrote a good article titled Why Mass. 201 CMR 17 Deadline Was Extended, explaining why the compliance deadline moved from 1 Jan 09 to 1 May 09.
Cynthia Larose and Elissa Flynn-Poppey wrote Privacy Compliance 101: Why Massachusetts Data Security Standards DO Affect You for CIO magazine. They mention potential financial penalties:
What Happens If You DON'T Comply: Penalties
It is crucial for businesses to understand and comply with the newly enacted data breach legislation to avoid potentially severe monetary penalties. Massachusetts, unlike the majority of states, provides for civil penalties in cases of non-compliance with its data breach notification statute, Massachusetts General Law 93H [the law which created the guidelines of 201 CMR 17.00]. In particular, a civil penalty of $5,000 may be awarded for each violation of 93H. In addition, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal. (emphasis added)
I decided to see how the law might affect detection and response. Looking for references to monitoring or response in the law found the following:
[E]very comprehensive information security program shall include, but shall not be limited to...
(iii) means for detecting and preventing security system failures...
(j) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks...
(l) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information...
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements...
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information (emphasis added)
I think this law is going to have a real impact. I'm not sure when; companies aren't going to be ready by 1 May 09.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.