Monday, November 3, 2008

Encryption and Security Awareness – it’s the law!

Several states are jumping on the information security and privacy legislation train, and it is leaving the station at full speed. Just as data breach notification laws are now in place in 44 states, we can expect a similar rush by states to enact laws that call for specific security measures to protect personal information and that impose liability on companies that suffer breaches.

Massachusetts for example passed the following legislation, which calls for some very specific controls and measures to be enacted to comply with the state law.

201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

This regulation is applicable for entities who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”.

According to the regulation, personal information and records are defined as follows:

"Personal information," a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

“Record” or “Records,” any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
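The definition above is effectively a classification rule: a record is in scope only when a name appears together with at least one of the listed data elements, unless the information was lawfully obtained from public sources. The following is an added example (not part of the original post or of the regulation) that encodes that rule as a small data-inventory classifier; the flat record layout, the field names such as `ssn`, `drivers_license`, `account_number`, `card_number` and the `publicly_available` flag are assumptions made for illustration.

```python
"""Classifier for the 201 CMR 17.00 definition of "personal information".

Added example, not the regulation's own text or any vendor's tool. Records are
assumed to be flat dicts produced by a data-inventory scan; the field names are
a constructed convention for this example.
"""
from typing import Dict, List, Tuple

# Data elements (a)-(c) from the definition. A card or account number counts
# with or without any accompanying PIN, access code or password.
DATA_ELEMENTS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license or state-issued ID number",
    "account_number": "financial account number",
    "card_number": "credit or debit card number",
}


def _present(value: object) -> bool:
    """True when a field carries a non-empty value."""
    return value is not None and str(value).strip() != ""


def has_qualifying_name(record: Dict[str, object]) -> bool:
    """First name + last name, or first initial + last name."""
    return _present(record.get("last_name")) and (
        _present(record.get("first_name")) or _present(record.get("first_initial"))
    )


def qualifying_data_elements(record: Dict[str, object]) -> List[str]:
    """Labels of the data elements (a)-(c) that the record contains."""
    return [label for key, label in DATA_ELEMENTS.items() if _present(record.get(key))]


def classify(record: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Return (is_personal_information, reasons) for one record.

    The order mirrors the definition: the public-records exclusion is applied
    first, then the name test, then the data-element test.
    """
    if record.get("publicly_available"):
        return False, ["excluded: lawfully obtained from publicly available information"]
    if not has_qualifying_name(record):
        return False, ["no qualifying name (first+last or initial+last)"]
    elements = qualifying_data_elements(record)
    if not elements:
        return False, ["name only; no qualifying data element"]
    return True, elements


def triage(records: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[bool, List[str]]]:
    """Classify every record in an inventory, keyed by record id."""
    return {rid: classify(rec) for rid, rec in records.items()}


# Constructed sample inventory; every value below is made up.
SAMPLE_RECORDS = {
    "r1": {"first_name": "Ann", "last_name": "Smith", "ssn": "000-00-0000"},
    "r2": {"first_initial": "A", "last_name": "Smith", "card_number": "0000000000000000"},
    "r3": {"first_name": "Ann", "ssn": "000-00-0000"},           # no last name
    "r4": {"first_name": "Ann", "last_name": "Smith"},             # name only
    "r5": {"first_name": "Ann", "last_name": "Smith",
           "drivers_license": "S00000000", "publicly_available": True},
}


def in_scope_ids(records: Dict[str, Dict[str, object]]) -> List[str]:
    """Ids of records that hold personal information and so need the controls."""
    return sorted(rid for rid, (hit, _) in triage(records).items() if hit)


if __name__ == "__main__":
    for rid, (hit, reasons) in triage(SAMPLE_RECORDS).items():
        print(f"{rid}: {'PERSONAL INFORMATION' if hit else 'out of scope'} - {', '.join(reasons)}")
```

Running the module over the constructed inventory flags `r1` and `r2` as in scope (name plus SSN, initial plus card number) and leaves `r3`, `r4` and `r5` out of scope, which is a useful first pass when building the data inventory the later compliance steps depend on. In practice the name and number fields will rarely be this cleanly labelled, so a real scan would pair this rule with pattern matching on free-text columns.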


Two of the more interesting and detailed requirements are:

“The encryption of all personal information stored on laptops or other portable devices” and, “to the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.”

“Each covered entity must train employees on the proper use of the computer security system and the importance of personal information security.”

Nevada has similar legislation that went into effect on October 1, 2008, which prohibits businesses from transmitting unencrypted personal information on consumers on external networks.

So how can your organization begin to comply with this type of legislation?

  • Consult internal and external counsel on these matters and ensure you have someone specialized in privacy & data security law.

  • Ensure you have a written information security plan that follows a published industry standard as its guideline (ISO, PCI, etc.). Most of the legislation is based on using “reasonable” security measures that cover (and this is the de facto language) administrative, technical, and physical safeguards.

  • Once you have adopted a standard for your program, work to achieve it by performing a risk assessment of the organization, so you know where to start and where to properly spend money and resources.

  • Know where your important and confidential data is within the organization, and how people are using it. Get line managers that are responsible for this type of data together and ask them in a very non-accusatory manner how the organization is using and protecting this type of data.

  • Exercise control over service providers and require them to contractually protect your data and follow your standards, as well as auditing them to ensure they are doing so.

  • Have a plan ready in case none of this works and you have to report a breach.

Obviously, these are all very high-level requirements and are by no means an exhaustive list. Every organization is different and requires different controls and processes. The better you understand your data flows and the risks to the organization, the better off you will be when the worst happens.

One quick note - in the definition of person, the commonwealth intentionally left any of their agencies out of this definition so they wouldn't have to abide by this legislation - NICE!