201 CMR 17: A New Tea Party!!
Ariel Silverstone, CISSP and Kenneth P. Mortensen, Esquire, CIPP
On these shores, it is often the case that laws, rules and regulations are passed in response to public outcry. Much as the old Bostonians, dressed as Native Americans, tossed tea into the harbor to protest stamp laws and stand up for their individual rights, the Commonwealth of Massachusetts now comes forward with a new law and, more importantly, a new regulation for the purpose of safeguarding the personal information of Massachusetts residents (including those Bostonians) and standing up for individual rights.
The new regulation, with the catchy nickname of “201 CMR 17”, is arguably one of the most comprehensive regulations on the books today in any State in the union for the protection of private information. The inclusion of the written comprehensive information security plan (CISP) requirement makes this a leading regulation among the amalgam of 40-odd such regulations in the United States. This law is a must-read for anyone with responsibility for information security. In this article, we will discuss several aspects of the law, including who is affected, what information is covered, and a special “bonus” about encryption.
Why should we care?
While the regulation has the official title of “STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH”, it applies to any entity that handles personal information about a resident of Massachusetts whether or not that entity is formed or even exists within the Commonwealth. According to accepted legal principles, these regulations can and do apply, for example, to a company doing business in Washington state, but which has personal information about individuals who are residents of Massachusetts, even if that company never has any physical contact with the Commonwealth. Thus, the regulations are broad in effect and mean that entities should recognize that they fall under them if they even possibly handle personal information about Massachusetts residents.
In fact, the regulations can apply in situations where the entity does not even take physical control of the information itself, because they apply to entities that “own, license, store or maintain personal information about a resident of the Commonwealth.” Conceivably, it is enough merely to license access to such information!
Also, note well… one of the raisons d’être of this law is to “protect against anticipated threats…” Isn’t it grand to have a crystal ball?
What is Personal Information?
The definition of personal information focuses here on information usually associated with an individual’s identity, such as Social Security numbers, driver’s license numbers, and financial transaction information. It does not include publicly available information, which we in information technology refer to as “directory information.” What IS included, for example, is a name PLUS a Social Security, driver’s license or account number.
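As an added illustration (not part of the original article), the following Python scoping check applies the definition above to constructed sample records: a record is flagged only when a Massachusetts resident’s name (first name or first initial plus last name, which is how the regulation’s definition reads) appears together with a Social Security, driver’s license or account number, and publicly available directory information is excluded. The field names, the `publicly_available` flag and the loose number formats are assumptions made for this example.

```python
import re
from typing import Any, Dict, List

# Field names, the publicly_available flag and the number formats are assumptions
# made for this example; map them onto your own schema before use.
SENSITIVE_ELEMENTS = {
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "drivers_license": re.compile(r"^[A-Za-z]?\d{7,9}$"),  # assumed format, loose on purpose
    "account_number": re.compile(r"^\d{8,19}$"),          # bank or card account numbers
}

# Constructed sample records (fictional people) used to exercise the check.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"first_name": "Jane", "last_name": "Doe", "state": "MA", "ssn": "123-45-6789"},
    {"first_name": "John", "last_name": "Roe", "state": "MA", "email": "john@example.com"},
    {"first_name": "Sam", "last_name": "Poe", "state": "NH", "drivers_license": "S12345678"},
    {"last_name": "Voe", "state": "MA", "account_number": "4111111111111111"},
    {"first_name": "J.", "last_name": "Moe", "state": "MA", "account_number": "9876543210",
     "publicly_available": True},
    {"first_name": "A", "last_name": "Lee", "state": "MA", "drivers_license": "S98765432",
     "account_number": "12345678"},
]

def _has_name(record: Dict[str, Any]) -> bool:
    """First name (or first initial) plus last name, as the definition requires."""
    first = str(record.get("first_name", "")).strip()
    last = str(record.get("last_name", "")).strip()
    return bool(first) and bool(last)

def classify_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Decide whether a record is 'personal information' under 201 CMR 17 and say why."""
    if record.get("publicly_available"):
        return {"in_scope": False, "reasons": ["publicly available (directory) information"]}
    if record.get("state") != "MA":
        return {"in_scope": False, "reasons": ["not a Massachusetts resident"]}
    if not _has_name(record):
        return {"in_scope": False, "reasons": ["no name attached to the data elements"]}
    # A name alone is not enough; it must be combined with at least one sensitive element.
    hits = [field for field, pattern in SENSITIVE_ELEMENTS.items()
            if record.get(field) is not None and pattern.match(str(record[field]))]
    return {"in_scope": bool(hits), "reasons": hits or ["name only, no sensitive element"]}

def find_in_scope(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Filter a data set down to the records the regulation covers."""
    return [r for r in records if classify_record(r)["in_scope"]]
```

Running `find_in_scope(SAMPLE_RECORDS)` returns only the Doe and Lee records; the others fall out for lack of a name, lack of residency, lack of a sensitive element, or because they are public directory information.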
What do We Have to Do?
In order to comply with the regulation, at a minimum, we must produce a written comprehensive information security program (yes, the term is again CISP) that provides for safeguards consistent with current industry standards, including any baseline standards required by other state or federal regulations, such as the California data breach notification standard or the federal HIPAA standards under the Security Rule. The point is that we must not appear lacking in our fulfillment of 201 CMR 17 vis-à-vis our diligence toward other authorities, including independent standards, like PCI, that we must follow.
Our program must contain certain minimum elements:
- We must designate a main point of contact responsible for the program;
- We must assess the risks associated with our organization’s handling of personal information. This is noteworthy because, perhaps for the first time, this assessment explicitly calls for the development of appropriate controls for personal information that travels beyond the physical premises of our organization;
- We must apply appropriate mitigation to address the risks (including, at a minimum, training in the proper handling and safeguarding of personal information);
- We must review compliance with the program on an ongoing basis, at least annually;
- We must detect and prevent security breaches;
- Our program must also provide for training and disciplinary rules for employees to ensure awareness and application of the program to the handling of personal information;
- We must document responsive actions to any incidents or changes to business practices;
- Finally, and this is a big one… we must ensure that third-party vendors implement appropriate safeguards, including receiving a written certification from the provider that it maintains a written comprehensive information security program.
The regulation also looks to programmatic implementations to mitigate the risks associated with the handling of personal information, including both minimizing the collection of personal information to what is necessary and relevant to a legitimate purpose, and identifying where this information is collected and stored.
Note that a large part of the regulation deals with allocation, distribution and caring for passwords and similar authentication means. This section appears to be much more coherent and detailed than PCI’s DSS, for example. A close read of this section is suggested to understand fully the requirements.
And yes, congruent with the parallel ISO 2700x requirements, we must provide additional security safeguards for the physical protection of both paper records and electronic systems.
The Computer Security System Requirements
The regulation goes beyond just establishing a written comprehensive information security program to specifying certain minimum standards for information security protocols, including those for authentication, access controls, encryption, logging, patch maintenance, and training.
In a very elegant approach, the authentication of users must incorporate secure control of user identifiers and passwords, should consider the use of biometrics and tokens, and must provide for lock-out processes for inactive users or unsuccessful login attempts. In terms of controlling access to the personal information, we must restrict access on a need-to-know basis and use unique identifiers to control clearly the assignment of roles and responsibilities in connection with the personal information.
Unlike some other, more general privacy and security regulations out there, this regulation calls specifically for the utilization of devices, such as a firewall, to protect every system connected to the Internet. While this call is not the first of its kind, it is clear that a technical mind (or minds) was at work here, to help create the regulation.
Also, the section detailing antivirus protection and patching procedures is well written. As it is not very different from the requirements of several other regulations, further detail is not necessary here, except to state the (obvious) need for automatic signature updates.
Full compliance with the provisions of 201 CMR 17 has been mandated for January 1, 2010, including the encryption piece (more detail in the final leaf, below) of mobile devices, which represents a postponement from the original deadline.
The final leaf:
The encryption standard in the regulation will prove perhaps the most difficult for organizations to implement, as it mandates not only that the transmission of personal information be protected, but also that data at rest be encrypted when on “laptops or other portable devices.” This includes, for example, thumb/flash drives, external hard drives, CD-ROM/DVD-ROM discs, BlackBerries or smartphones, and mobile phones with storage space. Furthermore, these devices must employ encryption even if the device never leaves the physical premises of the entity. Another corollary of this section: Don’t Store (or Collect) What You Don’t Need!
So… fun and games. But it is a responsible, more holistic approach to privacy and security than we have seen before from a government body.