Comments on: Reading Tea Leaves – The Difference Between Old And New CMR Rules Part III http://arielsilverstone.com/privacy/reading-tea-leaves-the-difference-between-old-and-new-cmr-rules-part-3/ Intelligent Business Security Fri, 14 May 2010 03:58:27 +0000 hourly 1 By: Jack Daniel http://arielsilverstone.com/privacy/reading-tea-leaves-the-difference-between-old-and-new-cmr-rules-part-3/comment-page-1/#comment-166 Jack Daniel Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2630#comment-166 Great analysis, thanks for the work that went into it. I see this as a thorough gutting of 201CMR17.00. I also think no one who is paying attention will bother acting on it- since there is another public hearing scheduled for September 28, that implies more changes are possible. As far as the FAQ Kamal referenced, I think that raises at least as many problems as it answers. I especially liked learning that "there is little, if any, generally accepted encryption technology for most portable devices, such as... blackberries, netbooks...". Amazingly stupid. And it is "just an FAQ", not a regulation, so it is not enforceable. Not that enforcement has even been broached, as that will have to come from the AG's office, not OCABR. What a waste of our time and effort. Great analysis, thanks for the work that went into it. I see this as a thorough gutting of 201CMR17.00. I also think no one who is paying attention will bother acting on it- since there is another public hearing scheduled for September 28, that implies more changes are possible.

As far as the FAQ Kamal referenced, I think that raises at least as many problems as it answers. I especially liked learning that “there is little, if any, generally accepted encryption technology for most portable devices, such as… blackberries, netbooks…”. Amazingly stupid. And it is “just an FAQ”, not a regulation, so it is not enforceable. Not that enforcement has even been broached, as that will have to come from the AG’s office, not OCABR. What a waste of our time and effort.

]]> By: Ariel http://arielsilverstone.com/privacy/reading-tea-leaves-the-difference-between-old-and-new-cmr-rules-part-3/comment-page-1/#comment-161 Ariel Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2630#comment-161 Kamal, Thank you. The problem is that they do define "street address" as PII too. As for your 2nd point, I'm not sure what commerce is. Does it include delivering girl-scout cookies? Ariel Kamal,

Thank you.

The problem is that they do define “street address” as PII too. As for your 2nd point, I’m not sure what commerce is. Does it include delivering girl-scout cookies?

Ariel

]]> By: Kamal Govindaswamy http://arielsilverstone.com/privacy/reading-tea-leaves-the-difference-between-old-and-new-cmr-rules-part-3/comment-page-1/#comment-160 Kamal Govindaswamy Thu, 01 Jan 1970 00:00:00 +0000 http://arielsilverstone.com/?p=2630#comment-160 Thanks Ariel! The comparison table makes for a useful study. It looks to me that they have “over-corrected” for the feedback regarding the prior versions being too prescriptive. What this ends up being, however, is a version that will be difficult if not impossible to enforce given the pervasive generalization and use of words like “reasonable”. One only hopes that they will make the necessary changes based on the feedback I expect they will get from the Security/Privacy community at the public hearing scheduled on 9/22. A couple of notes on your comments, however: 1. 17.04(5) You comment about iPhone users Firstly, you need to have one of SSN, Driver’s License number or Financial Account number for the information to be defined as Personal Information under this regulation. As one would normally not store that information about friends, the reg would not apply. Also, it has been clarified in the FAQ that the reg applies only to those engaged in commerce. 2. Also a couple of your other comments have been clarified in their FAQs (e.g. Risk Assessment, Monitoring). http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf Thanks Ariel! The comparison table makes for a useful study. It looks to me that they have “over-corrected” for the feedback regarding the prior versions being too prescriptive. What this ends up being, however, is a version that will be difficult if not impossible to enforce given the pervasive generalization and use of words like “reasonable”.
One only hopes that they will make the necessary changes based on the feedback I expect they will get from the Security/Privacy community at the public hearing scheduled on 9/22.

A couple of notes on your comments, however:
1. 17.04(5) You comment about iPhone users
Firstly, you need to have one of SSN, Driver’s License number or Financial Account number for the information to be defined as Personal Information under this regulation. As one would normally not store that information about friends, the reg would not apply.
Also, it has been clarified in the FAQ that the reg applies only to those engaged in commerce.

2. Also a couple of your other comments have been clarified in their FAQs (e.g. Risk Assessment, Monitoring). http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

]]>