Reading Tea Leaves – The Difference Between Old And New CMR Rules Part II

As I reported earlier this week, here, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201 CMR 17.00, the Massachusetts data breach notification rules. Yesterday I started going line by line, analyzing the differences between the "old" and the "new" CMR rules.

So let’s continue… As you can see below, the regulation has become far more lenient and relaxed than the original intent.

Comparison Between 201 CMR 17 Versions, Part 2

Section | Old | New | Meaning of Change

Section 17.03

Old: Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

New: (1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written…

Meaning of Change: Beyond the change I specified yesterday, about the rule no longer being applicable to organizations that monitor or store information, the requirement to monitor such a program has been dropped. Depending on what they meant by monitoring, this can be a minor clarification or a major reduction in scope, if the intent is to no longer require monitoring of the performance of such a program.

Old: Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to…

…ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.

New: …in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to…

…The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

Meaning of Change: This is a minor re-write. However, the phrase "information of a providers" here does not make sense to me.


Old: Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, shall be evaluated taking into account

(i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program,

(ii) the amount of resources available to such person,

(iii) the amount of stored data, and

(iv) the need for security and confidentiality of both consumer and employee information.

New: …(a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;

(b) the amount of resources available to such person;

(c) the amount of stored data; and

(d) the need for security and confidentiality of both consumer and employee information…

Meaning of Change: Not a real difference.


Old: Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(a) Designating one or more employees to design, implement and coordinate the maintenance of the comprehensive information security program;

(b) Identifying and assessing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information in each relevant area of the person’s operation, and evaluating and improving, where necessary, the effectiveness of the current safeguards for minimizing such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) monitoring employee compliance with policies and procedures; (iii) upgrading information systems, including network, system and software design, as well as information processing, storage, and transmission, as necessary; (iv) storage of records and data in locked facilities, storage areas or containers; and (v) improving, as necessary, means for detecting, preventing and responding to security, including but not limited to security systems, failures.

(c) Developing security policies for employees who telecommute that take into account whether and how such employees should be allowed to keep, access and transport data containing personal information.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.

(e) Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.

Meaning of Change: Whoa! This is a major difference. The regulation just became a lot looser and less defined. Risk assessment is no longer a requirement, nor is assigning a data security person. The disciplinary measures are missing, and so are the mandatory requirements to handle terminated employees’ access.

In my view, this is a shortcoming which will be decried for years to come, especially regarding the responsible person and the risk assessments.

This lack of risk assessment makes the entire rule worthless. Just write a piece of paper and you are done.


Old: (f) Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including

(i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and

(ii) contractually requiring service providers to maintain such safeguards.

Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.

New: 2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed to be in compliance herewith, notwithstanding the absence in any such contract of a requirement that the service provider maintain such protective security measures, so long as the contract was entered into before March 1, 2010.

Meaning of Change: The changes here have several meanings. The first is that contracts signed with third-party providers prior to a (new) date of March 2012 are automatically assumed to be compliant. It doesn’t matter how long they will last.

This, again, is a major weakening of the rules, and on several levels. First, remember how people that store or monitor the data are not responsible under this new version? Well, guess what: here the third party does not own the data. So who is responsible? Second, this is a license, in perpetuity, as far as I can tell, to never be compliant, as long as the contract gets signed in time…

Next, the dual dating of March 1, 2010 and 2012 here is quite confusing. I asked three legal professionals to read this paragraph and they all indicated this writing is confusing and clearly done in a rush.

A fourth point on these paragraph changes is that the data owner no longer has to take reasonable steps. As long as the owner has a contract, he or she is in the clear!

And finally, the requirement that the 3rd party provider has any sort of a CISP program is tossed out of the window.


Old: (g) Collecting the minimum amount of personal information necessary to accomplish the legitimate purpose for which it was collected; retaining such information for the minimum time necessary to accomplish such purpose; and permitting access to the smallest number of persons who are reasonably required to know such information in order to accomplish such purpose.

(h) Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.

New: NONE

Meaning of Change: Are you kidding me? Removing both the requirement to keep the fewest records for the least amount of time and the requirement of least access? These are major tenets of information security, not to speak of privacy. Why?

I guess an inventory of what you have records on is no longer important. That, together with the row above that no longer requires risk assessment, makes this entire rule weaker by 90%.

New: (g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

Meaning of Change: While this seems like a good improvement, it is completely meaningless. Wait for the courts to define "Reasonable"?

My opinion: Worthless.


Old: (i) Regularly monitoring and auditing employee access to personal information in order to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information.

(j) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(k) Documenting responsive actions taken in connection with any incident involving a breach of security or the potential therefor, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

New: (h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Meaning of Change: While this seems almost identical, let me call out the omission of four small words. By removing those words, an almost-breach no longer needs to be investigated.

Further weakening of the rule, by another 80%. 100 − 90 = 10; 10 reduced by 80% = 2% of the original strength?


Further purposes are to

(i) ensure the security and confidentiality of such information in a manner consistent with industry standards,

(ii) protect against anticipated threats or hazards to the security or integrity of such information, and

(iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents

Meaning of Change: This seems to be a minor, cosmetic change. This "further" piece is mostly aimed at clarifying to the public what this policy is all about.


So I ask you, OCABR, "What the heck?" Who wrote this for you? Why the rush? Why so watered down?

The usual disclaimer: I am not a lawyer. I don’t even play one on TV. This is not legal advice.

On Thursday, I will continue the analysis of the differences between the new and old versions of the 201 CMR 17 rules.


6 thoughts on “Reading Tea Leaves – The Difference Between Old And New CMR Rules Part II”

  1. Just a note about the third party contract requirements — this clause had been taken out a couple of revisions back, and was just now put back in. This is one of the only ways this newest revision is actually getting stronger. Were you comparing the newest revision with the original rule, or with the previous rule which had a January 1, 2010 start date? The previous (i.e. before August 17th) version of the rule had _no_ requirements for contracts or written compliance statements from third parties.

    The language from the previous version went:

    Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.

    You can see the previous version at http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf

  2. As a small business, compliance with this third-party contract rule may be difficult if I have to hire a third-party who may have incidental access to personal information. For instance, maybe I have to hire Quicken support services to help me fix a bug in my accounting software — however the likelihood that the Intuit corporation is going to be willing to sign any contract with a small business before performing this work is small.

    • Patrick,

      That is correct, but it would also serve, had it stayed in, to make sure businesses, large and small, both (a) look for the privacy policies provided by companies like Intuit (which should, themselves, assure compliance) and (b) create a demand for such compliance by 3rd parties from more and more businesses.

  3. Ariel,
    I agree — I am torn between wanting an absolute right to control what third parties do with _my_ information, from a privacy and consumer protection standpoint, but also wanting something that will be reasonable for small businesses. The OCABR has been very straightforward in asserting that they have no idea whatsoever how the Attorney General’s office is going to enforce these regulations; it will be interesting to see what happens on that front.
    — Patrick
