The Massachusetts Data Privacy Law Debacle

As an InformationWeek blogger, I often feel like I'm preaching from the pulpit about the technology events of the day. But today, I'm reaching out to you, our loyal readers, for help with how you're approaching the new Massachusetts Data Privacy Law. For you attorneys out there, that's 201 CMR 17.00. Don't do business in Massachusetts? Read on anyway, you might still be affected.I'm not sure that anyone would question the need for increased vigilance when it comes to protecting our private customer/employee data and intellectual property from data thieves. As information security professionals, it's not only in our best interests to protect our data at all reasonable costs, it's our job. But what happens when progressive governments like the state of Massachusetts and the state of California begin drafting legislation that essentially mandates PCI-like compliance for ALL businesses in Massachusetts? My prediction...Mass Hysteria, and court challenges out the wazoo (is that a real word?).

For those of you unfamiliar with the new data privacy legislation, set to go into place in Massachusetts on May 1, here's the CliffNotes version of what's happening as deciphered by an IT professional who plays lawyer at home.

If you store the personal information of a Massachusetts resident, regardless of whether or not you have a business presence in Massachusetts, you are subject to penalties set forth in 201 CMR 17.00. What are the penalties? I'm not exactly sure, and I'm not sure Massachusetts is, either. According to MA General Law 93I, there's a $100 fine per record lost, with a maximum of $50K per "incident". MA General Law 93H states that there will be a $5,000 fine per "violation." It's unclear what the correlation is between an individual record lost and an "incident or violation".

The regulation goes on to define "Personal Information" as a combination of a resident's first and last name connected to one of the following: A driver's license number, a credit card number, or a Social Security number.

OK, now we understand what we need to protect. Let's move on to CMR 17.04, where the state Legislature summarily redefines the security strategy for every Massachusetts business in 2009. Here's the CiffsNotes version of what all businesses need to do from an operational perspective.

1) Designate a "champion", a CISO of sorts, who will design, maintain, report and enforce the security policy. If you're a small business owner, sorry, that's probably you.

2) You need to "Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information". My translation, you need to be a mind reader and predict how hackers will attack your personal information in the future. Think I'm being a curmudgeon? Just wait until an attorney is retained on behalf of a consumer and attacks you in court based on your failure to "reasonably foresee" a breach. Note to Martha Coakley, Massachusetts Attorney General: get ready for this provision to be challenged in court because "reasonably foreseeable" is highly subjective.

3) You need to have a security policy in writing, discipline violators, prevent terminated employees from accessing data, destroy hard copies of personal information, vet third parties that have access to your data, lock up all hard copies that contain personal data, report and record violations of the policy, and regularly monitor and review the scope and effectiveness of the policy.

Piece of cake, right? (That's sarcasm.) Here's my problem with #3. What if you're a single-employee small business? Assuming that you actually have time to stop generating revenue so you can write up a comprehensive security policy, will you have to fire yourself if you break it?

Oh, and who will determine if your security policy is up to snuff? Most likely a judge who really has no idea how much it costs and how difficult it is to truly protect all digital and print assets to the degree called for in this legislation. How will this judge determine your ability to comply? According to CMR 17.03, using the following guideline: "(i) the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person." In other words, the court will determine whether or not you've documented your policy and communicated it clearly to your employees. The court will determine whether or not you've made adequate investments in technology to prevent leakage. The court will determine if you should have used more of your organization's financial resources to prevent a given leakage. You can tell your customers, business partners, and employees you're compliant, but are you prepared to PROVE it in a court of law?

Of course, when you ultimately find yourself being cross-examined in court, you can be sure the cross-examining attorney will be sure to point out just where you failed to meet the data security standard, no matter how well you executed the data security plan.

The regulation goes on to define what technologies and strategies need to be implemented, from a systems perspective, in order to adequately comply with the new regulation. Some of which are completely out of the reach of small businesses to effectively implement.

If you're a strong consumer advocate, I respect your position. But please, before you even think of drafting hate mail to me, consider my position of being in the crosshairs of legislation that's in many ways vague and unclear. I'm looking for a pragmatic solution that achieves compliance, protects us from lawsuits, and avoids breaking the bank during an extremely tenuous economic climate.

In Oprah-like fashion, I'm looking to a Dr. Phil out there to guide me as to how you're approaching this new legislation. I'm particularly interested in how small businesses are tackling compliance: What's your strategy, what technologies have you added to your security mix to help with compliance?

If you work in the Attorney General's office, please don't shoot the messenger, I speak for the people!