2010.01.19

FRSecure has worked with companies in Massachusetts and other companies around the country that will be affected by Massachusetts 201 CMR 17.00 “STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH” compliance.  We thought we should provide a little guidance for our valued clients and anyone else who may be interested.  We will cover the 201 CMR 17.00 standard, and provide comments in this post.  In a subsequent post, we will provide a simple checklist that you can use to measure your own level of compliance.

The compliance deadline is Wednesday March 10, 2010.

This standard DOES NOT only apply to Massachusetts organizations.  This standard applies to “all persons that own or license personal information about a resident of the Commonwealth.”  We will touch on this later in this guidance.

NOTE:  It has been and still remains FRSecure’s stance that compliance will likely not equate to adequate information security control in your organization.  While compliance is mandatory, it should be built into a broader, risk-based information security program.

201 CMR 17.00, Section 17.01 Purpose and Scope

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts.

Chapter 93H can be found here.

This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Because breach notifications have largely proven ineffective at preventing breaches involving personal information, the Commonwealth of Massachusetts is now instituting “minimum standards” of protection that organizations must implement.  Expect more states and/or the federal government to follow suit (some already are).

The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth

This standard essentially applies to any person or organization that collects, stores, or transmits personal information belonging to a Massachusetts resident.  If you have any customers from Massachusetts, and you collect their personal information, you must comply.  The implications extend far beyond the borders of Massachusetts.

201 CMR 17.00, Section 17.02 Definitions

Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

This is a pretty standard definition, but we did notice one new difference.  The definition now includes the disclosure of encryption keys.  Many states considered the data safe from unauthorized disclosure if the data were encrypted, without consideration of encryption keys.  Enter encryption policy AND key management policy.

Electronic, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Encrypted, the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

“Owns or licenses” is also a definition of custodianship.  If we use our standard roles, the person who could be identified by the information is the owner, and the organization is the custodian.

Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Here we are provided with a little more detail around scope.  If you collect, store, process and/or transmit a first and last name, or first initial and last name of a Massachusetts resident AND his/her

  • Social Security number, and/or
  • Driver’s license number, and/or
  • State-issued ID card number, and/or
  • Financial account number,

then you are required to comply with this standard.
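As an added example (not code from the FRSecure post or the regulation), the scoping rule above can be encoded as a classification check that a data-inventory or DLP process could run over structured records. The field names, the `state_of_residence` flag used to represent Massachusetts residency, and the `publicly_available` flag used to represent the “lawfully obtained from publicly available information” exclusion are all assumptions made for this example, as are the sample values.

```python
"""Added example (not from the FRSecure post): encodes the 201 CMR 17.02
definition of "personal information" as a classification rule.
Field names and sample values are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Data elements that, combined with a name, make a record "personal information".
TRIGGER_ELEMENTS = ("ssn", "drivers_license", "state_id", "financial_account")


@dataclass
class Record:
    first_name: Optional[str] = None
    first_initial: Optional[str] = None
    last_name: Optional[str] = None
    state_of_residence: Optional[str] = None   # assumption: "MA" marks a Commonwealth resident
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    state_id: Optional[str] = None
    financial_account: Optional[str] = None    # account, credit or debit card number
    publicly_available: bool = False           # assumption: lawfully obtained from public records


def has_name(rec: Record) -> bool:
    """Last name plus either a first name or a first initial."""
    return bool(rec.last_name) and bool(rec.first_name or rec.first_initial)


def trigger_elements_present(rec: Record) -> List[str]:
    """Which of the 17.02 data elements are populated on this record."""
    return [e for e in TRIGGER_ELEMENTS if getattr(rec, e)]


def is_personal_information(rec: Record) -> bool:
    """True when the record meets the 17.02 definition: a Massachusetts
    resident's name AND at least one trigger element, excluding information
    lawfully obtained from publicly available sources."""
    if rec.state_of_residence != "MA":
        return False
    if rec.publicly_available:
        return False
    return has_name(rec) and bool(trigger_elements_present(rec))


def in_scope_records(records: List[Record]) -> List[Record]:
    """Filter a data inventory down to the records that bring 201 CMR 17.00 into play."""
    return [r for r in records if is_personal_information(r)]


if __name__ == "__main__":
    # Constructed sample inventory; the identifiers are placeholders, not real data.
    sample = [
        Record(first_name="Jane", last_name="Doe", state_of_residence="MA", ssn="000-00-0000"),
        Record(first_initial="J", last_name="Doe", state_of_residence="MA", financial_account="0000-0000-0000-0000"),
        Record(first_name="Jane", last_name="Doe", state_of_residence="NH", ssn="000-00-0000"),
        Record(state_of_residence="MA", ssn="000-00-0000"),  # no name: not in scope
    ]
    for rec in in_scope_records(sample):
        print("in scope:", rec.last_name, trigger_elements_present(rec))
```

A name alone, or a trigger element without a name, does not meet the definition, and a resident of another state is out of scope for this regulation even if the same elements are present; those are the cases the check above is built to distinguish.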

Record or Records, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

We find it interesting that spoken information is included.  This could put an added emphasis on customer service or other personnel working in call centers.

Service provider, any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.

201 CMR 17.00, Section 17.03 Duty to Protect and Standards for Protecting Personal Information

The actual standards…

(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.

Covered entities must develop, implement, and maintain a comprehensive information security program.  The language in this subsection is not entirely clear, meaning that there is room for interpretation.  Although there is room for interpretation, we suggest that our clients create, implement, and maintain a comprehensive, risk-based information security program.  If you aren’t sure what this means, get in touch with us, and we will be glad to explain.  The standard continues with requirements for the information security program.

The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(a) Designating one or more employees to maintain the comprehensive information security program;

The organization must designate an information security program “custodian”.  One or more employees must be tasked with the responsibility of information security program maintenance.

(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:

1. ongoing employee (including temporary and contract employee) training;

2. employee compliance with policies and procedures; and

3. means for detecting and preventing security system failures.

17.03(b) mandates best practices such as risk assessments, terms and conditions of employment, security awareness training, management accountability, disciplinary processes, logging, system monitoring, intrusion detection, et al.  There is much more to 17.03(b) than meets the eye at first glance.

(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.

Covered by data classification, information labeling and handling, records retention, removable media management, and media and equipment disposal practices.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.

Disciplinary processes.

(e) Preventing terminated employees from accessing records containing personal information.

Employee termination procedures.

(f) Oversee service providers, by:

1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

This subsection relates to overall third-party service provider risk management.  Risk assessments, monitoring and review are all important to effective third-party security management.

2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

Physical security controls.

(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

17.03(h) and (i) require periodic reviews (at least annual) of the information security program including risk assessments and program effectiveness. Independent reviews are best.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Incident handling policies and procedures.

201 CMR 17.00, Section 17.04 Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

17.04(1) includes requirements that may be satisfied through access control policies, password policies, password management, privilege management, user registration and identification, logon procedures, and user access rights review.
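As an added example (not code from the FRSecure post or the regulation), the lockout requirement in 17.04(1)(e) can be implemented as a small policy object that counts failed attempts per account within a window and refuses further attempts, even with the correct password, until the lock expires. The threshold, window and lockout duration are constructed values; a real policy sets them from risk assessment. The `ManualClock`, the `verify` callback and the user names are assumptions made for this example.

```python
"""Added example (not the post's or the regulation's own code): a minimal
account-lockout policy for 201 CMR 17.04(1)(e). Threshold, window and lockout
duration are constructed values for illustration."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class ManualClock:
    """Test clock so the example runs deterministically; assumption for this example."""
    def __init__(self, start: float) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LockoutPolicy:
    def __init__(self, max_attempts: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 1800, clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # user -> recent failure times
        self._locked_until: Dict[str, float] = {}                   # user -> time lock expires

    def is_locked(self, user: str) -> bool:
        """Report whether the account is currently blocked; expire stale locks."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register a failed login; return True if this failure triggered a lock."""
        now = self.clock()
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures[user].clear()

    def attempt_login(self, user: str, password: str,
                      verify: Callable[[str, str], bool]) -> str:
        """Gate a login: refuse while locked, otherwise verify and update counters.
        Returns 'locked', 'ok' or 'failed'. The lock check happens before
        verification so a locked account gives no signal about the password."""
        if self.is_locked(user):
            return "locked"
        if verify(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "failed"


def demo() -> List[str]:
    """Five wrong passwords lock the account; the right password is refused
    until the lockout expires, then accepted."""
    clock = ManualClock(1_000.0)
    policy = LockoutPolicy(max_attempts=5, window_seconds=900,
                           lockout_seconds=1800, clock=clock)
    # Constructed credential check standing in for a real password store.
    def verify(user: str, password: str) -> bool:
        return password == "correct-password-placeholder"

    results = [policy.attempt_login("alice", "wrong", verify) for _ in range(5)]
    results.append(policy.attempt_login("alice", "correct-password-placeholder", verify))
    clock.advance(1800)
    results.append(policy.attempt_login("alice", "correct-password-placeholder", verify))
    return results


if __name__ == "__main__":
    print(demo())
```

Each lockout event is also the kind of record the monitoring requirement in 17.04(4) expects to be logged and reviewed, so in practice `record_failure` returning True is where an audit event would be emitted.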

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

Typically covered in encryption policy.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

“Reasonable” should be identified through risk assessment (independent).  Monitoring controls should be identified in policies and/or procedures that outline logging requirements, system monitoring, intrusion detection, and review schedules.

(5) Encryption of all personal information stored on laptops or other portable devices;

Again an encryption policy topic, and also included in a mobile computing policy.

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

Should be documented through or in network architecture standards, network device patch management procedures, operating system patch management procedures, and application patch management procedures.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

Controls against malicious software should be documented through policies and procedures that cover anti-virus controls, anti-spyware controls, and mobile code controls.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

This is the second time that employee security awareness training is mentioned.

201 CMR 17.00, Section 17.05: Compliance Deadline

(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

And there you have it.  We have covered the Massachusetts 201 CMR 17.00 standard and introduced some of our comments.  This standard fits nicely within a well-run, risk-based information security program.  If you have already implemented a risk-based information security program, chances are good that you will need to make few changes to comply with this new standard.

We will provide our Massachusetts 201 CMR 17.00 Compliance Checklist soon, so please check back often!

About FRSecure

FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure works with businesses of all sizes, in all industries; enabling our clients to achieve optimal results per information security dollar spent. Every one of our clients is in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.

Regulatory and industry compliance is built into our solutions.

Visit us online at http://www.frsecure.com, follow us on Twitter, or catch up with us on our Facebook page!
