Mass. 201 CMR 17: The Darkness and the Light

Some security experts say Massachusetts' new data protection law (Mass. 201 CMR 17) is among the toughest they've seen. Three IT security practitioners who must deal with the law opine on whether it's too harsh or not tough enough. (Part 3 in a series)

Debate is under way in Massachusetts regarding a tough new data protection law designed to prevent security breaches and identity theft. Specifically, discussion is centered around whether the new law is too tough, just right or too little, too late.

Issued in September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create "an electronic gatekeeper" between the data and the outside world that only allows authorized users to access or transmit data.

Because of the economic crisis and concern from companies that need more time to digest the provisions, the compliance deadline has been moved from Jan. 1, 2009 to May 1, 2008.

CSOonline recently reached out to IT security practitioners in and out of the state to measure the mood. What follows is feedback from three such professionals:

David Escalante, Director of computer policy and security, Boston College

"I think 'too tough' is the wrong question. 'Is it what's needed' is indeed a good question. The problem with 201 CMR 17.00 in general is that it isn't well thought out in terms of its broader implications. There's nothing wrong with it as a grab-bag of security best practices. But there's no apparent consideration of the fact that there are other regulations individuals, institutions, and businesses must follow that consist of a set of security best practices, and how it integrates with those. There is also no apparent consideration of how it integrates with existing federal and other state regulations.

"They seem to be going down the same road the PCI gang went down, taking a fairly reasonable list of security practices (with a few notable gaffes in there as well) and foisting them on the world without getting significant input from the world. What happens then is that the initial effort is, from a practical point of view, non-implementable for some affected parties. Those parties complain bitterly, and a version two and a version three come out, and over several years it morphs into a fairly reasonable standard. You will recall that when everyone was supposed to be complying with PCI, by VISA's own count, only maybe 40 percent were. But the number is up quite a bit now that they're pushing it harder and they've made it more reasonable to comply.

"In the 201 CMR 17.00 case, however, it is logical to assume that the 40-plus state breach laws will be supplanted by a federal law in the next several years, which makes them, and 201 CMR 17.00, obsolete. So it is unlikely to evolve to a reasonable standard. Not because it's too tough. Just because it's not 'battle-hardened' by back and forth with the regulated parties, and by the time it is, it will be obsolete.

"To their credit, they've tried to recognize that the Mass. Legislature stuck them with a poorly worded, ridiculous statute in the first place, and to work around that, and to make accommodations for small businesses (see their FAQ and sample policy for small businesses). What they haven't done is give anything except ambiguous wriggle room to bigger businesses operating in multiple states or countries.

"There ought to be a section in the regulations that says something like, 'If you're already doing ISO 27001 or COBIT or PCI-level protection for your MA PII, you don't need to do anything else or follow our different set of security standards.' Instead, they seem to be on a kick to encrypt the world. They ignore the fact that some of the devices they expect to do encryption actually don't, etc. The problem isn't 'too tough' per se, the problem is 'done in a vacuum.'"

Jim Huddleston, Director, information security, Publicis Advertising, Greater Chicago area

"It depends on the size of your company. For large companies this includes much of what they should already have and includes a few things like disk encryption that many don't have. For small companies this could be quite onerous for them to put in place and maintain.

"Not that they shouldn't protect personal information, but the implementation of a comprehensive security program could be overkill for them vs. the basic implementation of security measures like disk encryption, maybe a few policies and basic network security.

"It could also depend on what and where the information is that needs to be protected in a small company. They may not have much of the infrastructure that is stated that needs to be secured. So then what do they do? Unfortunately it may boil down to either ignoring the regulation (many companies do this with existing regulations) or interpreting it as best they can and only doing what they can afford and support.

"Certainly the regulation is better than nothing and includes much of what information security professionals have been preaching the need for, for years. But like SOX it may require some tweaking, since rarely does one size fit all."

Peter Bamber, VP, IT security services, Security Management Partners, Greater Boston area

"With all the phishing attacks, pretext schemes and ID thefts out there these days, it seems sensible in many ways to protect personally identifiable information in this way.

"But the fact that it is all encompassing of any business handling that type of information makes it problematic. Smaller, less sophisticated companies will have a hard time understanding and implementing what is expected of them. Regulated industries are used to the burden and will shoulder the additional compliance and costs associated with it far easier than an organization facing this type of requirement for the first time.

"They are still faced with tying this in with Red Flag requirements, as well as other federal (GLBA) and state requirements, into an overall effective information security program. I have heard a number of banks make this complaint. I suspect many non-financial companies may not implement anything until they are forced to due to a breach, or until the economy improves and their bottom line allows implementation.

"The economics of implementation in the time frames currently allotted (now increased but enough?) may not result in 201 CMR 17 succeeding as planned."

Editor's note: This is the third in a series. Here are the previous installments:

Why Mass. 201 CMR 17 Deadline Was Extended

Audio: Security Pros' Concerns Over 201 CMR 17

Copyright © 2008 IDG Communications, Inc.