Tuesday, May 12, 2009

Testimony of Sarah Cortes before Massachusetts Senate on Massachusetts Data Privacy and Security Laws

Testimony of InmanTechnologyIT of Massachusetts
Sarah Cortes, PMP, CISA, President
Before Chairman Michael W. Morrissey, Chairman Theodore C. Speliotis and Members of the Joint Committee on Consumer Protection and Professional Licensure in Support of S. 173, and Act Ensuring the Privacy of Certain Data

My name is Sarah Cortes and I am a technology professional in Massachusetts. Among other services, I follow and advise clients regarding the development of rules for the protection of personal information for residents of the Commonwealth, as well as laws and regulations with federal and other state jurisdictions and internationally. I also write extensively about security, privacy, surveillance, and technology. I wish to express my appreciation to the Administration for extending the general effective date of May 1, 2009 to January 1, 2010. As a security professional, I support S. 173, which would improve upon M.G.L. 93H. However, I remain concerned about wide-ranging rules which present significant enforcement challenges and could lead to widespread noncompliance, rendering a setback for overall compliance efforts. I urge the Administration to review rules and regulations in comparison with federal and other states laws, policies and regulations, and to revise them to ensure consistency and enforceability.
I support S. 173 because it:
  • Remains consistent with Federal law and regulations.
  • Avoids technology-specific requirements that will quickly render it obsolete
  • Facilitates for organizations the enforcement of their data security policies on employees who willfully violate data protection rules, regulations and policies.
  • Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy.
As a data security practitioner, I see my clients continually struggle with the complex nature of technology and operational implications.These clients include:
  • Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally
  • Colleges and universities located in Massachusetts but with associated overseas institutions
  • Small web design and social media service delivery firms operating in multiple states
  • Medium-sized training and certification delivery businesses based in Massachusetts but operating in multiple states
  • Medium-sized non-profit organizations operating in multiple states
  • Small non-profit organizations operating only in Massachusetts but with donors residing in many states
The jurisdiction and scope of the Massachusetts law, “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” presents issues as well. From a technical standpoint, the difficulty of continually sifting large databases that change minute-by-minute, lead to many possibilities, including:
  • A database that contained no in-scope data and was not subject to regulations, could add a Massachusetts data record and fall in scope within minutes. Detecting the presence of Massachusetts residents in databases from minute-to-minute presents technical challenges and expenditure of resources.
  • Due to failover and disaster recovery technology as well as cloud computing, third party firms engaged in a primary business of storing data for third party clients or providing computing services for such clients could find in-scope data of Massachusetts residents on their servers or storage devices due to a failover or split-second transfer of data. These firms not subject prior to data privacy laws could suddenly find themselves subject in this fashion.
Due to these and many other scenarios, I can testify that the Massachusetts data privacy laws and regulations, as written, essentially could extend far beyond Massachusetts to include many organizations who do little or no business with Massachusetts residents. This is because firms will need to invest time and resources to develop the ability to ensure to themselves and outside auditors and examining bodies that, from minute to minute, they remain exempt.

I advise clients in a number of technology areas, including:
  • Complex Application Development/Implementation, like large projects with over 100 technical staff implementing, for example, trading systems
  • IT Security/Privacy/ Risk/Audit management, performing risk assessments and managing large security implementation projects
  • Data Center Operations Management, including vulnerability scanning but also day-to-day operations
  • Disaster Recovery/High Availability, reviewing infrastructure and network architecture and advising on restructuring for resilience; and
  • Technology Program/Project Management.

In educating and advising my clients about Massachusetts Data Privacy laws, about which there continues to be widespread lack of awareness and understanding, I find a general view emerging. This view holds that the regulations are so far-reaching, yet vague, that they are unenforceable and organizations need not fear enforcement. I do not endorse this view, and have written many papers and articles urging and explaining compliance, including an article that appears today on a national media outlet, TechTarget, understanding-the-risk-of-penalties-for-violating-data-privacy-laws/, that warns against a dismissive view, and references numerous successful enforcement actions of state and federal data privacy laws.

Nevertheless, the fact remains today that enforcement of the many state and federal privacy laws remains costly and difficult at best, with limited success.

In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and “going beyond, where no man has dared to go,” only as a conscious step with a clear enforcement plan.
Thank you for your time. I wish to state that on behalf of data security professionals in this state, we stand ready to assist in adopting rules that are effective in achieving the Legislature’s goals. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

Sarah Cortes, PMP, CISA

Reblog this post [with Zemanta]

1 comment:

dress suits said...

what the problem you are technology professional I think you have right to give your suggestion.