Monday, March 1, 2010

A step in the right direction

Sure, I may have trashed the regulation and regulatory process, but it is still significant.

Not Earth-shattering, but significant, especially here in the US.  Not nearly as significant as it should be, but a starting point.  Massachusetts' MA 201 CMR 17.00 data protection regulations are now in effect, and that is a huge step forward for the protection of personal information.  Breach disclosure laws are old news, but 201 CMR 17.00 is different: it prescribes data protection specifics, and it is not limited to those in Massachusetts:

"201 CMR 17.01 (2) Scope
The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth."

Yes, all persons (which includes companies and organizations), regardless of where they are located, are covered if they:

"Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."

The standard interstate commerce laws cover the out-of-state jurisdictional issues; being outside the state does not shield anyone.

This is a big deal, for two key reasons.

First, it is leading the way in state regulation of the protection of our data.  There have been other regulations about protection of data, but I believe this is groundbreaking and will be followed by other states (or at least watched from the sidelines with a bucket of popcorn and a cold beer).

Second, it has a very broad reach: it is not industry-specific, and it applies to a large number of organizations which have never had regulatory requirements on their IT systems before.  Specifically, it applies to:

"Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof."

Oh, and don't get wound up about the exclusion for the Massachusetts state government; its agencies are covered under Executive Order 504, which mandates similar protection of data for them.

This regulation can put a significant burden on businesses which do business with Massachusetts residents (and bother to comply), and I believe that small businesses face the biggest challenges.  (Let's be honest, the burden is to do what they should already be doing, but are not; that doesn't mean it will be easy.)  Small businesses are the least likely to have dealt with regulation before (except in specific regulated fields), and they are the least likely to have the knowledgeable personnel and financial resources required to comply.  Those organizations in the 40-200 user size range are probably going to have the hardest time (as they often do): they're too big to do everything manually, and not big enough to justify the enterprise tools that help manage some of the tasks at hand.

It will be interesting to see where this goes, if anywhere.  I don't think most people in Massachusetts are aware of this, much less those outside of the state.

Jack

2 comments:

Anonymous said...

The US government is just good at lecturing and looking good. Take, for example, the NASA.gov live server exploits listed at pinoysecurity (full disclosure). I mean, how do you expect people to take you seriously when you can't even properly secure your own backyard?

Chris said...

This regulation seems to be more a social issue (protecting identity) than IT security to the state of Mass. I wonder if/when other states will adopt similar legislation.

Thanks for the good read. This topic was top of mind for me yesterday and I captured thoughts on a blog entry: http://blog.maas360.com/massLaw