APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

New Mass. Data Security Laws

Massachusetts has a new data security law going into effect on March 1st, 2010. Frankly, it scares me.

Here's the problem: most of my customers are in Massachusetts or do business with MA residents. Most of my customers are NOT in compliance with these new regulations and I am very concerned about my exposure to lawsuits if they are ever sued because of that.

I am not a lawyer. I may have some idea of how the new law applies to specific situations, but I'm not in a position to interpret regulations. Do you need to upgrade an old RedHat 8 or SCO 5.0.6 system because they may not meet security requirements and are on the same network as a machine that handles personal information? I DO NOT KNOW.

I'd sarcastically note that your lawyer doesn't really know either: if there's a security breach and somebody wants to sue you, their lawyers will be looking for anything they can blame on anyone, so my bet is, yeah, they'd be trying to pin blame on any old OS on the network. But - I DO NOT KNOW.

I am not a security expert. I don't even like thinking about security. I'm a trusting person: I trust people, I want them to trust me. I truly hate that there are people in this world that you cannot trust, so that makes it very hard for me to get interested in security. Does your Windows 2000 server present a security risk? Probably, but I DO NOT KNOW. Frankly, I don't WANT to know.

I had a conversation this morning with another consultant who hires me now and then when he has Linux or Unix customers. He asked me if I could set password policies for those customers. Sure I can - but is that enough? I DO NOT KNOW. And I don't want to know.

We talked about a specific job where we are moving from a SCO server to Linux. The servers store credit card information. "They need to be in a locked room", he said. I don't know if that's true (I am not a lawyer, remember?) but the room that they are in is often locked - though people work in that room also. Where does that leave me if they want me to assist with the transfer? Should I work on the system? Am I exposing myself to potential liability?

Another of his customers wanted a Samba share added for a particular user. I can think of at least 20 ways this guy is not in compliance. Do I refuse to add the share?

We talked about liability insurance. He's never carried it and neither have I. It's doubtful that it could protect us anyway. It definitely wouldn't cover work we did years ago and unless we were certified security experts, I can't imagine that any insurance company would be dumb enough to cover us for this stuff anyway.

So what do we do? We both agreed that if we were financially able, we'd close our businesses today and retire. That's not an option for either of us.

Do we refuse security related work? Fine, but almost anything is security related in some way. If we do refuse it, we both know damn well that we'll probably lose ALL work from that customer because someone really no better equipped than we are will step in and tell the customer that they CAN advise them on this stuff. That they will likely be lying is no comfort: they'll have the business.

Do we ask for indemnification? Great, you get your customer to sign something that says he won't sue you. Do you think he'll agree to indemnify you if someone sues him AND you? Not likely.

So what do you do? I know a lot of the folks who read this are in similar situations. Maybe your State hasn't passed this sort of legislation yet, but odds are that they will. What are you going to do? What are WE going to do?

I DO NOT KNOW.

See also Questions about the new MA data security law









© Anthony Lawrence







Mon Feb 22 16:41:11 2010: 8105   TonyLawrence



The small businesses who have to comply with this law are stuck, too. This can get expensive - certified security consultants charge big bucks and upgrading operating systems can get very expensive. This could put some firms right out of business.







Mon Feb 22 16:46:52 2010: 8107   TonyLawrence



One of the other things I thought of is PPTP VPNs. I would be very surprised if these would be allowed, yet many of my customers depend upon these. Changing to more secure VPNs will be a significant expense, and again I have to ask myself if I should be involved in that in any way. I just do not know.



Mon Feb 22 16:57:25 2010: 8109   rbailin



There must be dozens, if not hundreds of rules and regulations out there you're responsible for, and totally ignorant of, from OSHA to the IRS on down to last year's regulations dealing with credit card acceptance and safety. I wouldn't lose a minute of sleep over any of it.

The last paragraph in the article states it best:

“Nothing will happen until somebody has a problem,” she said. “Compliance will then be viewed in hindsight with a magnifying glass after a breach has occurred."

You're more likely to be hit by that proverbial truck than get caught up in one of these compliance issues.



Mon Feb 22 16:59:14 2010: 8111   BigDumbDinosaur



We talked about liability insurance. He's never carried it and neither have I. It's doubtful that it could protect us anyway.

I've had a professional liability policy for many years and fortunately, have never had to use it. It does cover legal costs should one of my clients sue me for whatever.

That said, how typical of liberal politicians to think they can solve a problem (computer security) with a law. Next, they'll come up with a tax to fund investigation and enforcement.

Almost all of the security issues I run across are carelessness on the part of the computer users. How do the political wonks in Massachusetts plan to address that? Throw 'em all in jail? The whole state would be covered with prisons to house that many people.



Mon Feb 22 17:14:12 2010: 8112   TonyLawrence



You're more likely to be hit by that proverbial truck than get caught up in one of these compliance issues.

I'm not sure about that. Security breaches are fairly common, and it seems to me that this law opens up more lawsuit opportunities.

Almost all of the security issues I run across are carelessness on the part of the computer users.

Yeah, that's the point: careless security is what this law hopes to remedy. The point is to protect YOU - if you hand over your credit card, it should be safe. We both know that in many places it is not. I agree that the law may not really do much to change that, but it DOES change the legal landscape, and that's what worries me.






Tue Feb 23 13:53:51 2010: 8117   RickBrandfass



Unfortunately, when something goes wrong many people look to see who can be sued. So, if something goes wrong with a system you installed, you may find yourself in front of a judge trying to explain that you only did what you were asked to do. On the other hand, if I hire an electrician or carpenter, I expect the work to be done within "code", so someone hiring you may expect you to know the difference between what's legal and what's not. It may be time for you to meet with a lawyer to carefully word a nice disclaimer to give to your clients.



Tue Feb 23 18:54:24 2010: 8121   TonyLawrence



Apparently there is no disclaimer that helps. You might stop your client from suing, but you can't stop some third party from suing both of you.



Tue Feb 23 22:13:12 2010: 8123   DaveThacker



Are you really responsible for your customers' compliance? In the land of the Payment Card Industry, small firms do their own audits (sometimes with the help of the aforementioned security experts) and present them to the card companies for the thumbs up or down. Maybe it's time for a disclaimer on your engagement letter. Good luck. I'll be following this in case my state gets similar ideas.

Dave



Wed Feb 24 00:09:42 2010: 8124   anonymous



If you don't have commercial liability insurance, I highly recommend getting some. I'm assuming you are incorporated; if not, do that first.

Vermont has very friendly incorporation laws. You want to incorporate as an LLC. This will keep your personal assets protected if your corporation is sued. Next, get a Commercial Umbrella policy for your LLC. Limits usually start at $1,000,000 and will cost you less than $500 a year. I'd also get a personal umbrella. I have a million dollar one and pay $8.00 a month for it through State Farm.

If you EVER, EVER are unsure whether some new law will affect you, make sure your *redacted* is covered if you make a mistake.



Wed Feb 24 00:29:27 2010: 8125   TonyLawrence



No, I'm not responsible. That's not the point - a third party can sue anyone they think they can prove responsible. Even if you ultimately are found blameless, it's going to cost money. And of course you might not be found blameless.

I'm really not sure how I'm going to handle this. I may just drop all customers who are subject to this (not all customers are - it's only those who store personal information like payroll or credit card info). Or I may just tell them that they need to hire someone else for compliance and take my chances. I just do not know.






Wed Feb 24 00:33:15 2010: 8126   TonyLawrence



I'm assuming you are incorporated

I used to be. The protection is illusory. I dropped it years ago.






Sat Feb 27 23:51:12 2010: 8157   MichaelDesrosiers



Being a security professional, I believe that this law is a proven first step in providing personal information data protection. Under the law, Massachusetts will require any entity that stores or transmits residents' personal information to encrypt that data when it's stored on portable devices or transmitted via the Internet. The law also wants businesses to have a written information security program (WISP), which is nothing more than the procedures or best practices your business says it will follow to safeguard this data. In today's world there is risk in everything that we do. There are people and businesses that look for an easy way out with everything that they do. Laws like Mass. CMR 201 17.00 will help establish minimum guidelines to protect this information.



Sun Feb 28 00:29:34 2010: 8158   TonyLawrence



I agree - and I think it's a good law.







Tue Mar 2 13:48:50 2010: 8166   TonyLawrence



This is the email response I just sent to a customer who asked if their systems were in compliance:


No.

That's the short answer.

The long answer is that you have to comply with the new MA security law.

I'm not a lawyer, but I've read the law and there are gray areas - things where I'm not sure what someone can or cannot do.

I'm not a certified security expert either so I can't say with authority that your systems meet or do not meet the requirements.

However, my best guess would be that you aren't even close - as I read the law ( (link) ), none of your systems would be in compliance.

I could suggest a number of things that could bring you closer - all of them would be inconvenient, annoying and possibly expensive. However, I am NOT a lawyer and not a certified security expert.

