Massachusetts has a new data security law going into effect on March 1st, 2010. Frankly, it scares me.
Here's the problem: most of my customers are in Massachusetts or do business with MA residents. Most of my customers are NOT in compliance with these new regulations and I am very concerned about my exposure to lawsuits if they are ever sued because of that.
I am not a lawyer. I may have some idea of how the new law applies to specific situations, but I'm not in a position to interpret regulations. Do you need to upgrade an old RedHat 8 or SCO 5.0.6 system because they may not meet security requirements and are on the same network as a machine that handles personal information? I DO NOT KNOW.
I'd sarcastically note that your lawyer doesn't really know either: if there's a security breach and somebody wants to sue you, their lawyers will be looking for anything they can blame on anyone, so my bet is, yeah, they'd be trying to pin blame on any old OS on the network. But - I DO NOT KNOW.
I am not a security expert. I don't even like thinking about security. I'm a trusting person: I trust people, I want them to trust me. I truly hate that there are people in this world that you cannot trust, so that makes it very hard for me to get interested in security. Does your Windows 2000 server present a security risk? Probably, but I DO NOT KNOW. Frankly, I don't WANT to know.
I had a conversation this morning with another consultant who hires me now and then when he has Linux or Unix customers. He asked me if I could set password policies for those customers. Sure I can - but is that enough? I DO NOT KNOW. And I don't want to know.
We talked about a specific job where we are moving from a SCO server to Linux. The servers store credit card information. "They need to be in a locked room", he said. I don't know if that's true (I am not a lawyer, remember?) but the room that they are in is often locked - though people work in that room also. Where does that leave me if they want me to assist with the transfer? Should I work on the system? Am I exposing myself to potential liability?
Another of his customers wanted a Samba share added for a particular user. I can think of at least 20 ways this guy is not in compliance. Do I refuse to add the share?
We talked about liability insurance. He's never carried it and neither have I. It's doubtful that it could protect us anyway. It definitely wouldn't cover work we did years ago and unless we were certified security experts, I can't imagine that any insurance company would be dumb enough to cover us for this stuff anyway.
So what do we do? We both agreed that if we were financially able, we'd close our businesses today and retire. That's not an option for either of us.
Do we refuse security-related work? Fine, but almost anything is security-related in some way. If we do refuse it, we both know damn well that we'll probably lose ALL work from that customer because someone really no better equipped than we are will step in and tell the customer that they CAN advise them on this stuff. That they will likely be lying is no comfort: they'll have the business.
Do we ask for indemnification? Great, you get your customer to sign something that says he won't sue you. Do you think he'll agree to indemnify you if someone sues him AND you? Not likely.
So what do you do? I know a lot of the folks who read this are in similar situations. Maybe your State hasn't passed this sort of legislation yet, but odds are that they will. What are you going to do? What are WE going to do?
I DO NOT KNOW.
See also Questions about the new MA data security law
More Articles by Anthony Lawrence © 2012-06-30 Anthony Lawrence
Mon Feb 22 16:41:11 2010: 8105 TonyLawrence
The small businesses who have to comply with this law are stuck, too. This can get expensive - certified security consultants charge big bucks and upgrading operating systems can get very expensive. This could put some firms right out of business.
Mon Feb 22 16:46:52 2010: 8107 TonyLawrence
One of the other things I thought of is PPTP VPNs. I would be very surprised if these would be allowed, yet many of my customers depend upon these. Changing to more secure VPNs will be a significant expense and again I have to ask myself if I should be involved in that in any way. I just do not know.
Mon Feb 22 16:57:25 2010: 8109 rbailin
There must be dozens, if not hundreds, of rules and regulations out there you're responsible for, and totally ignorant of, from OSHA to the IRS on down to last year's regulations dealing with credit card acceptance and safety. I wouldn't lose a minute of sleep over any of it.
The last paragraph in the article states it best:
“Nothing will happen until somebody has a problem,” she said. “Compliance will then be viewed in hindsight with a magnifying glass after a breach has occurred.”
You're more likely to be hit by that proverbial truck than get caught up in one of these compliance issues.
Mon Feb 22 16:59:14 2010: 8111 BigDumbDinosaur
We talked about liability insurance. He's never carried it and neither have I. It's doubtful that it could protect us anyway.
I've had a professional liability policy for many years and fortunately, have never had to use it. It does cover legal costs should one of my clients sue me for whatever.
That said, how typical of liberal politicians to think they can solve a problem (computer security) with a law. Next, they'll come up with a tax to fund investigation and enforcement.
Almost all of the security issues I run across are carelessness on the part of the computer users. How do the political wonks in Massachusetts plan to address that? Throw 'em all in jail? The whole state would be covered with prisons to house that many people.
Mon Feb 22 17:14:12 2010: 8112 TonyLawrence
You're more likely to be hit by that proverbial truck than get caught up in one of these compliance issues.
I'm not sure about that. Security breaches are fairly common, and it seems to me that this law opens up more lawsuit opportunities.
Almost all of the security issues I run across are carelessness on the part of the computer users.
Yeah, that's the point: careless security is what this law hopes to remedy. The point is to protect YOU - if you hand over your credit card, it should be safe. We both know that in many places it is not. I agree that the law may not really do much to change that, but it DOES change the legal landscape and that's what worries me.
Tue Feb 23 13:53:51 2010: 8117 RickBrandfass
Unfortunately, when something goes wrong many people look to see who can be sued. So, if something goes wrong with a system you installed, you may find yourself in front of a judge trying to explain that you only did what you were asked to do. On the other hand, if I hire an electrician or carpenter, I expect the work to be done within "code", so someone hiring you may expect you to know the difference between what's legal and what's not. It may be time for you to meet with a lawyer to carefully word a nice disclaimer to give to your clients.
Tue Feb 23 18:54:24 2010: 8121 TonyLawrence
Apparently there is no disclaimer that helps. You might stop your client from suing, but you can't stop some third party from suing both of you.
Tue Feb 23 22:13:12 2010: 8123 DaveThacker
Are you really responsible for your customer's compliance? In the land of Payment Card Industry, small firms do their own audits (sometimes with the help of aforementioned security experts) and present them to the card companies for the thumbs up or down. Maybe it's time for a disclaimer on your engagement letter. Good Luck. I'll be following this in case my state gets similar ideas.
Dave
Wed Feb 24 00:09:42 2010: 8124 anonymous
If you don't have commercial liability insurance I highly recommend getting some. I'm assuming you are incorporated, if not do that first.
Vermont has very friendly incorporation laws. You want to incorporate as an LLC. This will keep your personal assets protected if your corporation is sued. Next, get a Commercial Umbrella policy for your LLC. Limits usually start at $1,000,000 and will cost you less than $500 a year. I'd also get a personal umbrella. I have a million dollar one and pay $8.00 a month for it through State Farm.
If you EVER, EVER are unsure whether some new law will affect you, make sure your ass is covered if you make a mistake.
Wed Feb 24 00:29:27 2010: 8125 TonyLawrence
No, I'm not responsible. That's not the point - a third party can sue anyone they think they can prove responsible. Even if you ultimately are found blameless, it's going to cost money. And of course you might not be found blameless.
I'm really not sure how I'm going to handle this. I may just drop all customers who are subject to this (not all customers are - it's only those who store personal information like payroll or credit card info). Or I may just tell them that they need to hire someone else for compliance and take my chances. I just do not know.
Wed Feb 24 00:33:15 2010: 8126 TonyLawrence
I'm assuming you are incorporated
I used to be. The protection is illusory. I dropped it years ago.
Sat Feb 27 23:51:12 2010: 8157 MichaelDesrosiers
Being a security professional, I believe that this law is a proven first step in providing personal information data protection. Under the law, Massachusetts will require any entity that stores or transmits residents' personal information to encrypt that data when it's stored on portable devices or transmitted via the Internet. The law also wants businesses to have a written information security program (WISP), which is nothing more than procedures or best practices your business says they will follow to safeguard this data. In today's world there is risk in everything that we do. There are people and businesses that look for an easy way out with everything that they do. Laws like Mass. CMR 201 17.00 will help establish minimum guidelines to protect this information.
Sun Feb 28 00:29:34 2010: 8158 TonyLawrence
I agree - and I think it's a good law.
Tue Mar 2 13:48:50 2010: 8166 TonyLawrence
This is the email response I just sent to a customer who asked if their systems were in compliance:
No.
That's the short answer.
The long answer is that you have to comply with the new MA security law.
I'm not a lawyer, but I've read the law and there are gray areas - things where I'm not sure what someone can or cannot do.
I'm not a certified security expert either so I can't say with authority that your systems meet or do not meet the requirements.
However, my best guess would be that you aren't even close - as I read the law (link), none of your systems would be in compliance.
I could suggest a number of things that could bring you closer - all of them would be inconvenient, annoying and possibly expensive. However, I am NOT a lawyer and not a certified security expert.
New Mass. Data Security Laws Copyright © February 2010 Tony Lawrence