Letters You Will Need to Know: 201 CMR 17.00

Props to Ed at SecurityCurve for informing me of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, a new Massachusetts law. Section 17.03 sets the basic tone;

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

Unless you're prepared to figure out how to separate PII on Massachusetts residents from non-MA residents, this law now applies to all PII in your organization.

Jack Daniel has written several great posts on what this new law means. References for Mass 201 CMR 17.00 is really helpful. You can also access a video of a presentation he just made to the Boston chapter of the National Information Security Group. The slides don't render in Firefox but I was able to download the .wmv video and I'm viewing it now.

If you don't want to download the video (large) you can access an audio recording.

Bill Brenner wrote a good article titled Why Mass. 201 CMR 17 Deadline Was Extended, explaining why the compliance deadline moved from 1 Jan 09 to 1 May 09.

Cynthia Larose and Elissa Flynn-Poppey wrote Privacy Compliance 101: Why Massachusetts Data Security Standards DO Affect You for CIO magazine. They mention potential financial penalties:

What Happens If You DON'T Comply: Penalties

It is crucial for businesses to understand and comply with the newly enacted data breach legislation to avoid potentially severe monetary penalties. Massachusetts, unlike the majority of states, provides for civil penalties in cases of non-compliance with its data breach notification statute, Massachusetts General Law 93H [the law which created the guidelines of 201 CMR 17.00]. In particular, a civil penalty of $5,000 may be awarded for each violation of 93H. In addition, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal. (emphasis added)

I decided to see how the law might affect detection and response. Looking for references to monitoring or response in the law found the following:

[E]very comprehensive information security program shall include, but shall not be limited to...

(iii) means for detecting and preventing security system failures...

(j) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks...

(l) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information...

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements...

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information (emphasis added)

I think this law is going to have a real impact. I'm not sure when; companies aren't going to be ready by 1 May 09.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Comments

Anonymous said…
Okay this is absurd.

My daughter lives in Boston and I am co-signer on her car loan - of which the paperwork was electronic (pdf form). The pdf is on my computer now, and it has her SSN and bank account info (along with mine) in it.

So now, according to this law, I could be liable for up to $5,000 on Jan 1 - unless I:

a) print the doc out and put it in my filing cabinet
-or-
b) write up a "comprehensive information security plan" to tell myself how to maintain my own systems.

Yeah.. Thats a great step in the right direction. WTFO?
5:18 AM
Richard Bejtlich said…
I guarantee if you find your computer part of a botnet you will be glad the bank information and SSN of you and your daughter is NOT on your computer.
7:34 AM
Anonymous said…
Richard you are missing the point.

The anonymous poster above laid out only one silly scenario of many that could arise from this law.

The verbiage is incorrect and the word person should be changed to business of any sort , like this:

Every word other than person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.


What if a criminal has PII on his machine for illicit purposes, but did develop, implement, maintain and monitor a comprehensive, written information security program? Is he then liable for the use of the PII?

We can come up with silly scenarios all day, so I applaud the effort behind this law, but I am not at all enthused about the initial effort
8:27 AM
Richard Bejtlich said…
Ah, the person v business comment is interesting. Does business include nonprofit, school, church, etc.?
8:37 AM
Anonymous said…
I would think business does include non profit, and not being a lawyer I haven't a clue how to word that, but it is easy to poke holes when it is 'person'
8:56 AM
Anonymous said…
Thanks for picking up our article, Richard - and I agree with the concerns of the posters. There are holes and questions galore.

The regulations actually use the word "person" and define that term as any "natural person, corporation, association, partnership or other legal entity..." and there are no exemptions in the regulations. Therefore, these regs do apply to for-profit and not-for-profit corporations and other entities . They also do apply to "natural persons", and although the first anonymous post sets up an extension of the regulations that, by its terms, could be possible, it's unlikely that the AG's office will be interested in pursuing enforcement under those circumstances.

Richard - your response to the first anonymous post is more to the point. Either encrypt it if you have to keep it on your hard drive, or get it off.
9:49 AM
Unknown said…
While I appreciate Cynthia's clarification, it is a little disconcerting that an individual or "natural person" would have to rely on the good graces of the AG to not pursue a violation. It still puts said "natural person" in violation of the law. I also understand that it is indeed an attempt to control PII but onerous in it's application. What jurisdiction does the state of MASS have over a company that has no physical presence in the state?
12:33 PM
C said…
A legal person is generally distinct from a natural person. A corporation is considered a legal person, but not a natural one.
3:10 PM
Anonymous said…
Correct, Chris, but the MA regulations specifically define "person" as including a "natural person". Those of us working in this area, along with industry groups, are pushing to get some further clarification on some of these "gray areas". Stay tuned.
3:37 PM
Anonymous said…
As long as we're dreaming up scenarios...while I understand the concerns regarding "natural persons" being included, isn't it only natural that they are included? For example, if a professor transfers files with students' grades and SSNs to his personal laptop*, so that he may work from home, and he loses this laptop (not encrypted, of course)...the law wouldn't be able to reach him if natural persons are not included, no? I guess the recourse would be to go after the university where he/she is employed, but if this is one renegade prof** who's flaunting established university policies, going after the university won't curb his/her actions...? And what if he has tenure? The university won't be able to do anything either...

What's interesting to me is that Cynthia's article mentions that the law applies to paper records as well. Now there's a headache.

*(universities shouldn't be using SSNs for tracking purposes, but that's an entirely different matter...)
**(one wishes all professors were like, I don't know, Socrates or Gandalf, but there are plenty of asses out there as well.)
7:06 AM
Anonymous said…
This comment has been removed by a blog administrator.
8:36 PM
Anonymous said…
This comment has been removed by a blog administrator.
8:44 PM
lucas law center said…
Great Chris. A meaningful message you have.

Great article Richard.

LLCT
5:26 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti...
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technica...
Read more