Thursday, September 24, 2009

Making sausage, one hearing at a time

John Godfrey Saxe once said "Laws, like sausages, cease to inspire respect in proportion as we know how they are made."  [No, it was not Otto von Bismarck; and yes, that is the quote.]  I can't say much for "inspiring respect", but watching the creation of Massachusetts' 201 CMR 17.00 has been more like being a vegan and having to watch the manufacture of blood pudding.

Warning: harsh and unpleasant opinions and observations ahead.

On Tuesday I attended the latest public hearing on the data protection regulations, and it was not pretty.  First up, the hearing was moved at the last minute, to a larger room, but still nowhere near large enough.  That was pretty pathetic; given the interest in 201 CMR 17.00 and the overflow attendance at previous hearings, I had hoped they would be prepared.  Instead, dozens were left standing and the room quickly became uncomfortably hot and stuffy.  To me, this showed a lack of respect for the attendees and citizens of the Commonwealth.  Maybe it was part of OCABR's plan to keep the proceedings short; if so, it didn't work.  Sure, a handful of people decided not to speak at the end, but a lot of us did testify.  That's where it got ugly, and it got ugly fast.

First up was Scott Schafer, Chief of the Consumer Protection Division of the Mass. Attorney General's Public Protection & Advocacy Bureau.  That title should give you a heads-up for what's coming.  Mr. Schafer read a prepared statement that could only have come from an unholy alliance of Commonwealth PR flaks and attorneys.  He spoke for quite a while without saying much, but it appears the AG's office likes the latest version of the regs, undoubtedly because they are vague enough to prevent the AG's office from ever having to prosecute except in the most egregious cases.  I was particularly impressed with his lack of awareness of the data loss landscape, highlighted by his reference to the TJX breach putting thousands of consumers' records at risk.  First, 96 million is a lot of thousands.  Second, fraudulent charges were made on compromised accounts, but he's just an attorney and so can't be expected to respect the significance of linguistic subtleties.  Not that the difference between "at risk" and "exploited" is subtle.  [Note that once again I am forced to give someone the benefit of the doubt by assuming them ignorant, because to assume otherwise would mean the statements were intentionally misleading.]

Speaking of uninformed, many speakers who followed Mr. Schafer raised their objections to the exclusion of many Commonwealth agencies and offices from 201 CMR 17.00.  Much weeping about it, actually.  Too bad the whiners were so oblivious to the regulatory landscape that they were unaware of Executive Order 504, mandating security and confidentiality of personal information for the Executive agencies of the Commonwealth.  It is my understanding that EO 504 has not been repeatedly weakened or delayed; state agencies are dealing with it now.

There were actually several speakers with very specific concerns over definitions, requesting clarifications and tuning of individual sections of the regulations.  Those in this group have my respect, even when I disagree with them.

Of course we had a few of the "I'm here to be heard but have nothing to say, look at me, look at me" minority you get at any gathering of people.  At least none of these bloviators said "where are the TV cameras?"  Well, not aloud.  [There weren't any].

Another set of speakers fell into the category of "we need an exemption for our industry".  There were a handful of these; I had no sympathy for any of them except the public service orgs, and I doubt they will get any relief.

I did testify; if you read my last post on the topic you will have a good idea what I said.  I highlighted a few of the key weakenings of the regs that concerned me, such as:

  • Removal of the requirement to monitor the CISP
  • Removal of the requirement to minimize the amount of PII retained
  • Removal of the requirement to identify and classify PII
  • Removal of the requirement to have a written PII access policy
  • Evisceration of the encryption requirements
    • And misleading information regarding encryption in the FAQ issued by OCABR

Then I reminded everyone that 201 CMR 17.00 was mandated by 93H, which was stuck in legislative stupor until the TJX incident, and I asked if full compliance with 201 CMR 17.00 would have prevented that breach.  My answer was no: the initial compromise vector was WEP, and with the weakened encryption requirements WEP could be argued to be adequate.  I then opined that 201 would not have prevented the Heartland or Hannaford breaches, and pointed out the lack of web application security guidelines to protect PII.  I reminded the panel of the credit and debit cards re-issued in recent months, all due to breaches.  I raised the 263,471,744 lost records (as of that morning) on the Privacy Rights loss list, not counting the "unknown number of records" incidents on that list.  I suggested that the lack of strong guidelines, the lack of established penalties, and the repeated changes and delays made for a lack of real risk for non-compliance with their risk-based scheme.

In closing, I may have indulged in a bit of hype and hyperbole by saying that the regulations provide enough leeway and plausible deniability that they would simply be a regulatory and policy-writing burden on those who do business in the Commonwealth, without significantly improving security, and that if that was the case, the Commonwealth was wasting time and money by imposing a needless and pointless burden on business.  I ended by observing that security is hard, and negligence is easy, until you suffer a failure.

One later speaker remarked that he disagreed with me and said that he was confident that any business making a good faith effort at compliance with 201 CMR 17.00 would be more secure.  I really wished I had a unicorn to give him.  While what he said was technically true, we are where we are because organizations have repeatedly failed to make "good faith" efforts at security.  "Good faith" without a big stick backing it up is nothing but unicorn droppings.