Wednesday, December 03, 2008

Letters You Will Need to Know: 201 CMR 17.00

Props to Ed at SecurityCurve for informing me of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, a new Massachusetts law. Section 17.03 sets the basic tone:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

Unless you're prepared to figure out how to separate PII on Massachusetts residents from non-MA residents, this law now applies to all PII in your organization.

Jack Daniel has written several great posts on what this new law means. References for Mass 201 CMR 17.00 is really helpful. You can also access a video of a presentation he just made to the Boston chapter of the National Information Security Group. The slides don't render in Firefox but I was able to download the .wmv video and I'm viewing it now.

If you don't want to download the video (large) you can access an audio recording.

Bill Brenner wrote a good article titled Why Mass. 201 CMR 17 Deadline Was Extended, explaining why the compliance deadline moved from 1 Jan 09 to 1 May 09.

Cynthia Larose and Elissa Flynn-Poppey wrote Privacy Compliance 101: Why Massachusetts Data Security Standards DO Affect You for CIO magazine. They mention potential financial penalties:

What Happens If You DON'T Comply: Penalties

It is crucial for businesses to understand and comply with the newly enacted data breach legislation to avoid potentially severe monetary penalties. Massachusetts, unlike the majority of states, provides for civil penalties in cases of non-compliance with its data breach notification statute, Massachusetts General Law 93H [the law which created the guidelines of 201 CMR 17.00]. In particular, a civil penalty of $5,000 may be awarded for each violation of 93H. In addition, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.
(emphasis added)

I decided to see how the law might affect detection and response. Searching the law for references to monitoring or response turned up the following:

[E]very comprehensive information security program shall include, but shall not be limited to...

(iii) means for detecting and preventing security system failures...

(j) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks...

(l) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information...

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements...

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information
(emphasis added)

I think this law is going to have a real impact. I'm not sure when; companies aren't going to be ready by 1 May 09.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

13 comments:

Anonymous said...

Okay this is absurd.

My daughter lives in Boston and I am co-signer on her car loan - of which the paperwork was electronic (pdf form). The pdf is on my computer now, and it has her SSN and bank account info (along with mine) in it.

So now, according to this law, I could be liable for up to $5,000 on Jan 1 - unless I:

a) print the doc out and put it in my filing cabinet
-or-
b) write up a "comprehensive information security plan" to tell myself how to maintain my own systems.

Yeah... That's a great step in the right direction. WTFO?

Richard Bejtlich said...

I guarantee if you find your computer part of a botnet you will be glad the bank information and SSN of you and your daughter is NOT on your computer.

Anonymous said...

Richard you are missing the point.

The anonymous poster above laid out only one silly scenario of many that could arise from this law.

The verbiage is incorrect and the word person should be changed to business of any sort, like this:

Every word other than person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.


What if a criminal has PII on his machine for illicit purposes, but did develop, implement, maintain and monitor a comprehensive, written information security program? Is he then liable for the use of the PII?

We can come up with silly scenarios all day, so I applaud the effort behind this law, but I am not at all enthused about the initial effort.

Richard Bejtlich said...

Ah, the person v business comment is interesting. Does business include nonprofit, school, church, etc.?

Anonymous said...

I would think business does include non-profit, and not being a lawyer I haven't a clue how to word that, but it is easy to poke holes when it is 'person'.

Cynthia Larose said...

Thanks for picking up our article, Richard - and I agree with the concerns of the posters. There are holes and questions galore.

The regulations actually use the word "person" and define that term as any "natural person, corporation, association, partnership or other legal entity..." and there are no exemptions in the regulations. Therefore, these regs do apply to for-profit and not-for-profit corporations and other entities. They also do apply to "natural persons", and although the first anonymous post sets up an extension of the regulations that, by its terms, could be possible, it's unlikely that the AG's office will be interested in pursuing enforcement under those circumstances.

Richard - your response to the first anonymous post is more to the point. Either encrypt it if you have to keep it on your hard drive, or get it off.

Jason said...

While I appreciate Cynthia's clarification, it is a little disconcerting that an individual or "natural person" would have to rely on the good graces of the AG to not pursue a violation. It still puts said "natural person" in violation of the law. I also understand that it is indeed an attempt to control PII but onerous in its application. What jurisdiction does the state of MASS have over a company that has no physical presence in the state?

Chris said...

A legal person is generally distinct from a natural person. A corporation is considered a legal person, but not a natural one.

Cynthia Larose said...

Correct, Chris, but the MA regulations specifically define "person" as including a "natural person". Those of us working in this area, along with industry groups, are pushing to get some further clarification on some of these "gray areas". Stay tuned.

Anonymous said...

As long as we're dreaming up scenarios...while I understand the concerns regarding "natural persons" being included, isn't it only natural that they are included? For example, if a professor transfers files with students' grades and SSNs to his personal laptop*, so that he may work from home, and he loses this laptop (not encrypted, of course)...the law wouldn't be able to reach him if natural persons are not included, no? I guess the recourse would be to go after the university where he/she is employed, but if this is one renegade prof** who's flaunting established university policies, going after the university won't curb his/her actions...? And what if he has tenure? The university won't be able to do anything either...

What's interesting to me is that Cynthia's article mentions that the law applies to paper records as well. Now there's a headache.

*(universities shouldn't be using SSNs for tracking purposes, but that's an entirely different matter...)
**(one wishes all professors were like, I don't know, Socrates or Gandalf, but there are plenty of asses out there as well.)

lucas law center said...

Great Chris. A meaningful message you have.

Great article Richard.

LLCT