Does the new computer security law apply to your business? If so, watch out
by Cape Business staff
Very few businesses are even aware that a new law will be implemented by April – and it promises to add time and expense to your operations.
Massachusetts CMR 17.00 sets out Standards for the Protection of Personal Information of Residents of the Commonwealth, with specific provisions for computer security. A business that does not comply with CMR 17.00 can be found professionally negligent, and if a non-compliant company has a verdict awarded against it, insurance will not cover the loss. This can easily put a business into bankruptcy.
This new law will apply to your company if you electronically store a single Massachusetts resident’s last name and first name on a computer as well as one of the following:
- Social Security number
- Driver’s license number
- Financial account number (credit card or debit card)
- Access code that would allow you to access that person’s financial information.
We asked our network security consultant, Kevin MacArthur of Secure Networks for Small Business in Centerville, to interpret the law for our readers. Here’s his take, in his own words:
- You need to make sure that all user IDs and passwords are unique.
- Use more complex passwords – letters plus a special character plus numbers such as tsifoxboro!2008.
- Do not store passwords on the same application that passwords are needed for. For instance, if you have a database called HR, do not use a field in the HR database to store the passwords of the people who have access to the HR database.
- If a user is no longer with the company or doesn’t use an application, remove access to it.
- Most operating systems provide a mechanism to block a user after a certain number of unsuccessful attempts to access an application. I recommend this to everyone.
- Make sure that all users who have access to applications containing personal information have appropriate credentials.
- All vendor-supplied passwords should be replaced with your own passwords. Assign each person with computer access their own User ID and their own password. Do not share them.
- If you are using wireless networks, make sure that the access points or wireless routers are properly encrypted.
- If your business is connected to the Internet and if you keep personal information, you now must use a certified firewall.
- I strongly recommend spending an hour or two with your employees and explaining what they can do to assure your organization meets all compliance requirements.
Here are MacArthur’s tips for business owners and managers:
• Designate one or more employees to maintain your comprehensive information security program.
“The key here is to designate someone – the owner, CFO, office manager, IT staff – who would be responsible to maintain all documentation and is briefed on his or her responsibilities.”
• Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information.
“A basic security audit on your company practices, including electronic and paper disposal policy, access to documents and passwords policy, also would be helpful. You can conduct an audit on your own or hire a professional firm to do this.”
• Develop security policies for employees that take into account whether and how they should be allowed to access and transport records containing personal information outside of business premises.
“This policy should be incorporated into your existing employee policies. If you have employees who carry laptops and have access to sensitive personal information, your policy would clearly prohibit this unless the data is properly encrypted using a specialized encryption software.”
• Impose disciplinary measures for violations of the comprehensive information security program rules.
“This should not be an optional compliance, but a requirement with very clear implications if they refuse or fail to comply.”
• Prevent terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
• Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect it.
“You have the right to demand that they provide you with a written document that certifies that they also are in compliance with the new regulations.”
• Limit the amount of personal information you collect; limit the time such information is retained; limit access to persons reasonably required to know such information.
“In my opinion, if you don’t need the information anymore, delete it or store it to external, encrypted media.”
• Identify paper, electronic and other records, computing systems and storage media that contain personal information.
“Only when you have a strong understanding of how you are storing and keeping information can you develop and implement good electronic security measures.”
• Review the scope of the security measures at least annually.
Full text of the law:
17.04: Computer System Security Requirements
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
(1) Secure user authentication protocols including:
(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(iv) restricting access to active users and active user accounts only; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:
(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
(3) To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
(5) Encryption of all personal information stored on laptops or other portable devices;
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
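The authentication elements of 17.04(1) and (2) quoted above, and the consultant's earlier advice (unique user IDs, complex passwords, passwords kept apart from the data they protect, lockout after repeated failures, deactivating departed users), can be seen together in a small credential store. The following is an added example written for this article; it is not code from the regulation, from Cape Business or from the consultant, and the class and function names, the lockout threshold of five attempts, the minimum length of 12 characters and the PBKDF2 iteration count are all assumptions the article does not state.

```python
"""Added example: a credential store that keeps authentication data
separate from personal-information records. Names, thresholds and
sample data below are assumptions, not values from the regulation."""
import hashlib
import hmac
import os
import re

LOCKOUT_THRESHOLD = 5        # assumed policy value (17.04(1)(v) names no number)
PBKDF2_ITERATIONS = 100_000  # assumed work factor
MIN_LENGTH = 12              # assumed; the article only asks for mixed character classes


def password_meets_policy(password: str) -> bool:
    """Letters plus digits plus a special character, with a length floor."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored credentials are not the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    """Holds only user IDs and password hashes (17.04(1)(i)-(iii)).

    It is deliberately a separate object from any HR or customer database:
    the consultant's point is that the passwords guarding a data set must not
    live in a field of that same data set.
    """

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            raise ValueError("user IDs must be unique")          # 17.04(2)(ii)
        if not password_meets_policy(password):
            raise ValueError("password does not meet complexity policy")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": _derive(password, salt),
            "failures": 0,
            "active": True,
        }

    def deactivate(self, user_id: str) -> None:
        """Termination step: the account stays on record but can no longer log in."""
        self._users[user_id]["active"] = False                   # 17.04(1)(iv)

    def authenticate(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; never reveals which check failed."""
        rec = self._users.get(user_id)
        if rec is None or not rec["active"]:
            return "denied"
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            return "locked"                                      # 17.04(1)(v)
        if hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= LOCKOUT_THRESHOLD else "denied"


# Constructed sample data: personal information lives in its own structure,
# keyed by user ID but holding no credentials at all.
HR_RECORDS = {"alice": {"role": "payroll", "ssn_on_file": True}}

if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("alice", "tsifoxboro!2008")   # the article's sample password
    print(store.authenticate("alice", "tsifoxboro!2008"))
    for _ in range(LOCKOUT_THRESHOLD):
        store.authenticate("alice", "not-the-password-1")
    print(store.authenticate("alice", "tsifoxboro!2008"))  # locked until an admin resets
```

Keeping `HR_RECORDS` and `CredentialStore` as two structures is the whole design choice: an auditor checking 17.04(1)(iii) can see that the HR data set contains no password material, and a compromise of one does not hand over the other.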
Several business organizations continue to oppose implementation of the law as time consuming and expensive for their constituents. But it would not be wise to wait.
STATEMENT OF ASSOCIATED INDUSTRIES OF MASSACHUSETTS BEFORE THE JOINT COMMITTEE ON CONSUMER PROTECTION AND PROFESSIONAL LICENSURE REGARDING THE PROMULGATION AND IMPLEMENTATION OF 201 CMR 17.00, STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH.
On behalf of Associated Industries of Massachusetts (AIM), the state’s largest nonprofit, nonpartisan association of Massachusetts employers, I am Bradley A. MacDougall, Associate Vice President for Government Affairs. AIM and its 7,000 members would like to thank the Chairmen and members of the Committee for convening this timely informational hearing regarding the promulgation and implementation of 201 CMR 17.00, Standards for the protection of personal information of residents of the Commonwealth.
Further, AIM appreciates the Administration’s recent delay in the effective date of these regulations. It is AIM’s intention to work with this committee, the Administration, the Office of the Attorney General and industry experts during this intervening time to address several concerns and unanswered questions relative to these regulations.
The protection and active security of personal data is a top priority for the business community. As currently written, AIM believes that 201 CMR 17.00 goes beyond the legislature’s intent through highly prescriptive mandates. In many instances, they are not technically or economically feasible. Further, they go far beyond preexisting regulatory frameworks and best practices for the protection of personal information. It is AIM’s hope that today’s testimony will provide you with specific examples that will highlight the business community’s concerns.
Although the delay in the effective date is helpful, as a practical matter, it is unreasonable to believe that a regulated entity has a fair opportunity to reach full compliance. Many of these specific regulations represent a fundamental shift and require significant analysis to make changes to business operations. Many of the regulations require immediate compliance, which conflicts with the reasonableness standard established in the statute.
First, an overwhelming number of firms are completely unaware of these new regulations. Since the final regulations were promulgated on September 22, 2008, AIM has taken several steps to notify and educate its members and the business community about the new regulations.
Currently, AIM is hosting statewide education seminars on these new regulations. Even as of last week, many businesses stated that AIM’s communication to them on this topic was the first time that they had heard of these new regulations. A greater public outreach effort by the administration is necessary. Thus far, insufficient outreach has been conducted as compared to the significant number of impacted regulated entities. These regulations are filled with legal, technical and operational perspectives, which demand a considerable amount of human talent, financial resources and consultants.
Second, if leading firms in personal information protection are still confused by the regulations, we should be concerned. AIM and individual member companies have expressed concerns directly to the Administration and to the Office of Consumer Affairs and Business Regulations. As many of these questions remain unanswered, regulated entities run the risk of being out of compliance and the possibility of significant penalties for every deviation from an ambiguous regulatory framework.
Third, these regulations go far beyond the legislative intent through highly prescriptive mandates that exceed existing regulatory frameworks and further do not envision the current global business relationships in which Massachusetts firms operate. The administration utilized the authority granted to promulgate regulations that will have far-reaching economic impacts and will hinder Massachusetts’ global competitiveness. For instance: did the legislature intend to mandate encryption immediately for all businesses in the fashion prescribed in the standards? Was it the legislature’s intent to regulate non-Massachusetts firms or foreign entities? Did the legislature expect businesses to make immediate investments in hardware and software? Did the legislature expect businesses immediately to amend all business contracts in less than a year?
Since the regulations were published, AIM urged the Administration to conduct a regulatory impact statement. AIM appreciates that the Administration conducted a business impact statement. However, technical experts and business leaders have indicated that the Administration makes inaccurate assumptions about how business operates, as well as the costs of technology and the impact of the mandates on business operation. The Administration’s Fiscal Impact Statement assumes that small business will have minimal costs to implement compliance and that larger firms already have the resources in place to reach full compliance. Operational costs are considered “negligible” and it states that they can be “absorbed within any currently existing technical support program.”
Further, the study qualifies that businesses that have acted “responsibly” should not have any huge burdens. However, the companies that are raising significant concerns are those very companies that have already made significant investments to protect personal data. Compliance for many firms will be difficult because these regulations do not provide specific guidance for businesses of different sizes, resources and technical or legal know-how.
The regulations and resources provide some insights for Massachusetts businesses that are fluent in the English language. However, Massachusetts is home to 33,372 immigrant business owners, which is a total of 2.3% of the total immigrant business owners in the nation. Many Massachusetts companies maintain national and international vendor relationships. For example, in California 30% of all business owners are immigrants and in New York roughly one-fourth of all business owners are immigrants. Although Massachusetts (2.3%) is lower than the national average (12.5%) of immigrant business owners by state, this law will directly affect contract relationships with those immigrant business owners in other states. These regulations affect vendor relationships with every country and every known language.1
As a remedy, AIM urges the Office of Consumer Affairs and Business Regulations to revise the regulations to track the Gramm-Leach-Bliley Act Safeguards Rule (“GLB Safeguards Rule”), the de facto national standard for data security regulation, which has been in place for more than five years and which the Federal Trade Commission applies to non-financial institutions. As written, the regulations will impose significant costs for all Massachusetts businesses regardless of size as well as any company conducting business in the Commonwealth. These regulations will have a national economic impact as they mandate regulatory compliance for non-resident firms and create barriers to interstate commerce that raise serious constitutional issues with the Dormant Commerce Clause.
While these regulations are well intentioned, they would actually have unintended consequences. For example, the proposed regulations suggest particular technology which may become outmoded in some contexts, and would force “technology winners and losers” by requiring protection of transmitted data through encryption and thereby rejecting other effective data protection methods unless those methods have been approved by the Office. As more advanced technology evolves in the marketplace, these regulations could restrict the implementation of such technology and curb best practices for data security in the government, non-profit and business areas. These overarching regulations compound our current fiscal crisis. During this period of economic challenge, the speed with which these regulations must be implemented and the significant direct and indirect costs imposed could cause great harm to our Commonwealth’s economy and could have a negative ripple effect.
Therefore, we respectfully request that the Office of Consumer and Business Affairs carefully consider the significant and detrimental implications of these regulations. Further, we urge all parties involved in these regulations to utilize the intervening time prior to the effective date of May 1, 2009 to meet to address the current challenges with the regulations.
As an overview, AIM included two addenda, which provide members of the Committee with a partial list of the issues and possible solutions for the promulgation and implementation of 201 CMR 17.00 as well as a timeline.
In closing, thank you for the opportunity to provide comments and I would be happy to answer any questions or provide additional information.