Yesterday I attended a public hearing [PDF] on amendments to the new Massachusetts data protection law, 201 CMR 17.00. The original amendment delayed implementation of the law by a few months and two sections, certification of third party vendors and encryption of portable devices , were delayed by one year. This hearing was designed to offer interested parties an opportunity to provide input on the amendment and possible further delays or amendments.
The good news was that people were interested in this issue, about a hundred people packed into a small meeting room (which would have been comfortable for 50 at most) and I heard that dozens more came but could not even get near the door. The bad news is that almost everyone was there from a business interest and there was little representation for the consumer (you know, you and me, the people screwed by TJX and their ilk's carelessness with our information). I was only there to observe, but when I signed in and saw who was speaking, I put my name down and waited my turn to inflict my opinions on David A. Murray, General Counsel for the Massachusetts Office of Consumer Affairs and the assembled masses. I heard speakers from several business groups representing a wide spectrum of interests who all said about the same thing, it is too much, it will be too hard, and it will be too expensive. I agree on some points, but strongly disagree on others.
There were three primary objections raised:
- Contracts and Certification of third-party vendors' compliance with 201CMR17.00
- Data transiting public or wireless networks must be encrypted.
- Personal Information on laptops and portable devices must be encrypted.
- Information assets, both electronic and physical, must be inventoried to identify Personal Information to be protected.
- Alternately, all data can be treated as confidential and protected.
The contract and certification concerns are largely legitimate; as currently written all third-parties with access to Personal Information must be contractually required to protect the data by May 1, 2009 and must have written certification that third parties have a written, comprehensive information security program in compliance with 201CMR17.00 by January 1, 2010. Sounds good to me, but it isn't going to happen- you cannot expect everyone to re-write contracts that fast, nor do most smaller businesses have the clout to demand such from larger vendors. I think we need to work towards this goal, but over a longer period of time.
Encryption, this is where I started to get frustrated- many of the business advocates effectively stated that encryption is an immature field, rapidly evolving, and with no interoperability between vendors and systems. It would be charitable to call this misinformation. Encryption can be difficult to manage without the right tools, and the right tools can be expensive- and many smaller businesses can't justify the expense of large PKI or other encryption management infrastructures. I believe a delayed requirement may be reasonable due to cost and complexity, but to say that encryption is immature is, well, immature. And interoperability concerns- that's nonsense, at least as far as the transmission of data- IPSec, SSL, and WPA2 can address that reliably. No, you can't decrypt a TreuCrypt volume with PGP, but there are enough mature players in data encryption to find an appropriate answer for the needs of this law. Oh, and those really small businesses with occasional needs? Both Microsoft Office and OpenOffice offer basic document encryption, between Office's near-ubiquity and OpenOffice's free and cross-platform availability, many small businesses may not need to spend any money on "encryption infrastructure".
The really depressing part was the strong opposition to data inventories, I heard over and over that they would be too hard and too expensive. Let's flip that over, we were effectively told (repeatedly) that businesses large and small, in fields including higher education, law, mutual funds, and insurance- have no idea what information they have or where it is- or this wouldn't be such a big deal, right? This is fundamental security (not just information security), you have to know what you have and where it is if you are going to protect it. If they (we) don't get this done, and done correctly, the rest of the law is pointless.
There will be plenty more on this topic in upcoming posts. I am not a "compliance guy", but this is not only relevant to information security, it is turning into a drama.