I previously talked about how the new "201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH" regulations might affect me and my customers. Here I'd like to take a closer look at what the regulations seem to require.
Please remember that I am not a lawyer and not a certified security expert. My purpose here is simply to raise questions that you and your customers may want to discuss with a lawyer, insurers and or a security firm. As the fines for non-compliance could be quite large, this is not something you should ignore.
So. let's get started. The regulation starts off like this:
(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
The interesting part here is that "the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data." Does that mean that there is going to be more lenience toward the "little guy"? There seems to be some indication of that, but I doubt it means that a Mom and Pop shop can just ignore this entirely.
(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to: (a) Designating one or more employees to maintain the comprehensive information security program;
OK, that's easy enough: George, this is your problem. Start documenting.
(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
1. ongoing employee (including temporary and contract employee) training; 2. employee compliance with policies and procedures; and 3. means for detecting and preventing security system failures. (c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
Now we start getting into areas where I'd have questions. Who is qualified to identify and assess "reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information"?
I have over 30 years experience in computer systems and I know a lot more about potential risks than most of my customers do, but I don't think I'm fully qualified. What standards will be used here? Do you need to hire certified people?
(d) Imposing disciplinary measures for violations of the comprehensive information security program rules. (e) Preventing terminated employees from accessing records containing personal information. (f) Oversee service providers, by:
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and 2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person's behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.
OK, looks like some outs here. If you hired me before March 1st, 2010, it looks like neither of us need do anything. That can't be as simple as it sounds, though. If I have access to personal information that you store, I just can't imagine that I and you are exempt from all this just because you contracted with me before March 1st. That makes no sense.
(g) Reasonable restrictions upon physical access to records containing personal information,, and storage of such records and data in locked facilities, storage areas or containers.
Does that mean that servers holding personal information need to be in locked server rooms where nobody ordinarily has access? If so, does it mean that the door has to be locked all day long or only outside of business hours? I don't know.
(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. (i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
Does this mean we need Intrusion Detection Systems or is this just human monitoring?
(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
See Mike Desrosier's Incident Response article. My question: who does this? The designated person referred to above or does this need to be a security professional? Does it matter whether you are Jan's Card and Gift or T.J. Maxx ?
17.04: Computer System Security Requirements
Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a
security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements: (1) Secure user authentication protocols including: (a) control of user IDs and other identifiers;
What does "control of user id's" mean? Does it mean that Mary can't know Sam's login information? How about "secure user authentication protocols" - how secure? Obviously the hundreds of systems I know that have accounts with no passwords wouldn't comply. How about the systems where the admin password is written on a Post-It note tacked on the monitor? I think not.
Does this require enforced changing of passwords? Some people insist that it does, but I don't see that it actually says that. Does "technically feasible" let you off the hook if you are running a very old system that can't do those things?
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (d) restricting access to active users and active user accounts only; and (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
So - no passwords tacked up on the wall. Login lockout - I can't think of too many systems that don't do that, but does that include VPN's? I know a lot of systems running simple PPTP VPN's - I don't know, but I'd guess that most of those couldn't meet these requirements.
Oh, and then there are the Samba systems that aren't authenticating against some other machine. Many of these are setup with shares that use "Connect as a different user" and a fixed name/password to make for easy acess. Compliant? I'd guess probably not.
(2) Secure access control measures that: (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
Now we are inside application software. Some apps have these user level controls, some don't. Most have their own internal password systems - do those systems and methods have controls and lockouts? Most don't. Should they? I don't know.
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
I know many a system where logins are related to a physical station. That is, if you are using the station nearest the front door, you are supposed to login as "pos1". Multiple people use that login and the system assigns resources like printers based on that. My guess would be that you can't do that anymore.
(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
Here's a big problem. You have users accessing a server and inputting or accessing personal information. If they are wireless, that's plain enough: you have to encrypt. If they are accessing it remotely from home or a hotel room, you have to encrypt.
Encrypt to what standards? Is ROT13 encryption? OK, that's silly, but are older PPTP VPN's compliant? Older ssh? I don't know.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information; (5) Encryption of all personal information stored on laptops or other portable devices;
Again, is that Intrusion Detection Systems?
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
Is a $50 Linksys firewall compliant? How about if you've never updated the firmware?
There are many, many Multitech firewall appliances out there. Multitech no longer manufacturers these. Does that matter?
OS security patches? What if you are running an old server where the vendors no longer provide patches? Are you required to upgrade? What if your application software won't run on a newer operating system? That's reality for many small businesses.
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
What is "reasonably up-to-date"? Three days old? Three weeks? Three months?
Is this just for the servers or (more likely) all systems that access the server? What about those VPN and ssh users - are you responsible for auditing their home operating systems? You obviously can't audit public access systems - how will you handle that?
Malware and virus protection? How exactly is that defined for Unix/Linux systems? What about very old Windows systems again?
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Company meeting? Memo? Formal training by outside folks? Would this include janitors who might access that locked computer room? OK, that's maybe silly, but it is vague.
This law could cost small businesses a lot of money. At best it will be annoying, confusing and inconvenient.
As I said before, I suspect it will cause problems for small consultants also. As just about anything you do on a computer is likely to have security implications, companies may feel they need to hire larger firms with formally trained and certified security professionals on staff. The small consultant may not be able to afford the training and certifications necessary - or at least perceived to be necessary. Nothing here specifically says that I can't interpret and apply my best efforts to help someone comply, but a client concerned about compliance might not see it that way and honestly, I think they'd be correct to protect themselves in that way.
Some people have said that Massachusetts can't realistically enforce this law today. That is probably true, but I don't think it makes good business sense to ignore this on that basis.
See 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH.
If this page was useful to you, please help others find it:
More Articles by Anthony Lawrence
- Find me on Google+
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.