Mass. 201 CMR 17: The Darkness and the Light
Some security experts say Massachusetts' new data protection law (Mass. 201 CMR 17) is among the toughest they've seen. Three IT security practitioners who must deal with the law opine on whether it's too harsh or not tough enough. (Part 3 in a series)
By Bill Brenner, Senior Editor
December 04, 2008 — CSO —
Debate is under way in Massachusetts regarding a tough new data protection law designed to prevent security breaches and identity theft. Specifically, discussion is centered around whether the new law is too tough, just right or too little, too late.
Issued in September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create "an electronic gatekeeper" between the data and the outside world that only allows authorized users to access or transmit data.
Because of the economic crisis and concern from companies that need more time to digest the provisions, the compliance deadline has been moved from Jan. 1, 2009 to May 1, 2009.
CSOonline recently reached out to IT security practitioners in and out of the state to measure the mood. What follows is feedback from three such professionals:
David Escalante, director of computer policy and security, Boston College:
"I think 'too tough' is the wrong question. 'Is it what's needed' is indeed a good question. The problem with 201 CMR 17.00 in general is that it isn't well thought out in terms of its broader implications. There's nothing wrong with it as a grab-bag of security best practices. But there's no apparent consideration of the fact that there are other regulations individuals, institutions, and businesses must follow that consist of a set of security best practices, and how it integrates with those. There is also no apparent consideration of how it integrates with existing federal and other state regulations.
"They seem to be going down the same road the PCI gang went down, taking a fairly reasonable list of security practices (with a few notable gaffes in there as well) and foisting them on the world without getting significant input from the world. What happens then is that the initial effort is, from a practical point of view, non-implementable for some affected parties. Those parties complain bitterly, and a version two and a version three come out, and over several years it morphs into a fairly reasonable standard. You will recall that when everyone was supposed to be complying with PCI, by VISA's own count, only maybe 40 percent were. But the number is up quite a bit now that they're pushing it harder and they've made it more reasonable to comply.
"In the 201 CMR 17.00 case, however, it is logical to assume that the 40-plus state breach laws will be supplanted by a federal law in the next several years, which makes them, and 201 CMR 17.00, obsolete. So it is unlikely to evolve to a reasonable standard. Not because it's too tough. Just because it's not 'battle-hardened' by back and forth with the regulated parties, and by the time it is, it will be obsolete."