Reading Tea Leaves – The Difference Between Old And New CMR Rules Part III

This entry is part of the series "201 CMR 17 Revision". Entries in this series:
  1. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part I
  2. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part II
  3. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part III

As I reported earlier this week, here, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201 CMR 17.00, the Massachusetts data breach notification rules. On Tuesday I started going line by line through the differences between the "old" and the "new" CMR rules, which I continued on Wednesday, and now... the rest of the story.

 

Comparison Between 201 CMR 17 Versions, Part 3

For each section of 201 CMR 17.04 below, the old text is given first, then the new text, then the meaning of the change.

17.04

Old: Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

New: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

The first change is, as we discussed before, removing the requirement that organizations which merely store or maintain information be compliant.

The second change is the addition of the phrase "to the extent technically feasible". I take this phrase as unneeded nonsense. If it were not possible, no one would be required to do it anyway, right?

17.04(1)

Old: (1) Secure user authentication protocols including:
(i) control of user IDs and other identifiers;
(ii) a secure method of assigning and selecting passwords consisting of at least seven letters and numbers;

New: (1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

The first change is the addition of the word "reasonably". Again, a "fluff" change. What's reasonable? I guess the courts will have to decide.

The second change is more reasonable, removing the need for "at least seven…".  Not sure why they picked that number to begin with, so this is a good change.

The third change is really cool.   Mass is now cognizant that we are at the end of the 20th century, or maybe even in the 21st, and there are other ways than passwords to secure access.

Old: (iii) control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access;

New: (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

I really have no comment.  Sigh.  Scratch that.

There are two changes here, and one error.

Firstly, the removal of password safekeeping as an explicit requirement is OK, because of the way it is clarified.

Secondly, the addition of "or format" hints at encryption, which is also cool with me.

The error is that, again, OCABR apparently let different people write this paragraph and had no one who understands computer technology review it. Look: they forgot the phrase just above about technologies other than passwords. So, how should tokens or keys be kept?

 

Old: (iv) restricting access to active users and active user accounts only; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

New: (d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

No change.

17.04(2)

Old: (2) Secure access control measures that:
(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign a unique identification plus a password, which is not vendor supplied, to each person with computer access;

New: (2) Secure access control measures that:
(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

The change to add the word "default" is a welcome clarification.

However, as if to negate the value of the clarification, they went and added "that are reasonably...". Meaningless. Even if it HAD meaning, the word "reasonably" is one of those weasel words that negates all the value of any addition.

17.04(3)

Old: (3) Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

New: (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

This is not a change at all.  Just a clarification.

17.04(4)

Old: (4) Periodic monitoring of networks and systems, for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times and success or failure of login;

New: (4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

What a weasel-y change!

Removal of "periodic" and use of the word "reasonable" again. I can imagine the discussions that led to that word being inserted so vacuously.

Then, the removal of monitoring of networks. Don't they understand what this means? Now only individual systems need to be monitored, allowing network components, including wireless networks, simply not to be looked at.

And to make matters much worse... the removal of the requirement for an audit trail. Just this simple change means the Rule has lost 99% of its value. Why? Because without an audit trail, you can't prove anything.

17.04(5)

Old: (5) Periodic review of audit trails restricted to those with job-related need to view audit trails;

New: NONE

Together with the removal of creating an audit trail (above), they removed the need to review it from time to time. Sigh.

Old: NONE

New: (5) Encryption of all personal information stored on laptops or other portable devices;

The single change for the better in this Rule is the mandatory addition of encryption to mobile devices.

I wonder what this means, however, to iPhone users holding private data of their friends…

17.04(6)

Old: (6) For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches. A firewall must, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.

New: (6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

Big changes.   Firstly, the weasel-word "reasonably" has shown up again and negates the value of the intent in the original Rule.

Then, there is an addition, requiring reasonably patched operating systems on the machines holding the data. This now refers to the operating system, not to the firewall. However, I cannot see where most operating systems, other than Level C and above secure operating systems, are designed to maintain the integrity of the personal information. I suspect this will not stand the test of time.

17.04(7)

Old: (7) The most current version of system security agent software which must include antispyware and antivirus software, including up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.

New: (7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

I am reasonably sure that by now you are, too, sick of this word.

The other change is clarification of antispyware and antivirus into "malware".

All other changes here are cosmetic.

 

17.04(8)

Old: (8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

New: (8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Glad they didn't take this part out.

17.04(9)

Old: (9) Restricted physical access to computerized records containing personal information, including a written procedure that sets forth the manner in which physical access to personal information is restricted. When notified of any unauthorized entry into a secure area by either an employee or any other unauthorized person, the integrity of the computerized records must be reviewed.

New: NONE

This is a major change, for the worse.  Even PCI regulations demand a modicum of sensitivity to physical security.   Now Mass OCABR does not.

Further, to make it MUCH worse, the removal of the mandatory review in case of unauthorized access removes the need/duty to perform that review, and therefore perhaps to discover that the systems/networks have been tampered with.

 

 

 

 

The usual disclaimer:  I am not a lawyer.  I don’t even play one on TV.  This is not legal advice.

 
