Hearings on Major Revision of Expansive Massachusetts Data Privacy Law today on Beacon Hill

by Sarah Cortes

Public comment was received today on Beacon Hill on a major draft revision to Massachusetts’ Data Privacy Law, Senate Bill 173. House Chairman Theodore Speliotis, pictured left, Senate Chairman Michael Morrissey, below, and a half dozen elected state officials presided this morning over a hearing on dozens of privacy, identity theft and credit card laws and related amendments, including SB 173.

About a dozen representatives of industry organizations plus one IT security professional testified at today’s hearing, unanimously supporting the bill, which revises MGL 93H, Massachusetts’ Data Privacy Law. The amendment makes four revisions:
The most major of the changes defers to existing federal law where applicable. HIPAA and Sarbanes-Oxley cover most enterprises. This takes a considerable burden off firms handling data records and reduces complexity.

Another major revision is the reversal of provisions that would dictate specific technical tools or methods like encryption. The revised law would steer clear of any such specific requirements.
Small firms will find relief in the third change, which requires separate standards for them.
The fourth change allows firms to take action against employees violating the security policy.

“As a major technology state, we need to get this right,” observed Anne Doherty JohnsonExecutive Director, New England Council TechAmerica, which represents about 1,500 member firms. “The current regulations exceeded the intent of the legislature and are very problematic for the reasons outlined. TechAmerica believes this legislation will correct those and is a huge step in the right direction.” Doherty, who testified today as she has in hearings on the bill over the last several months, echoed the opening statement by Chairman Morrissey. Morrissey, pictured left, stated that the hearing marked a crossroads between the approach up to the present, where the legislature expanded the scope and jurisdiction of the law beyond the borders of Massachusetts and beyond its original intent, and a possible future approach by incoming undersecretary of the Office of Consumer Affairs and Business Regulation, Barbara Anthony. (see related story.)

Bradley A. MacDougall, Associate Vice President of Government Affairs for Associated Industries of Massachusetts (AIM), also testified. AIM is the state’s largest nonprofit, nonpartisan association of Massachusetts’ employers with more than 6,500 members who employ nearly one out of every five workers in Massachusetts. MacDougall captured the essence of sentiment expressed during three hours of testimony by approximately a dozen industry representatives:
“Data protection is a top priority for Associated Industries of Massachusetts (AIM) and our members who will continue to pursue the development of reasonable data privacy regulations in Massachusetts. The delay, in the general effective date of May 1, 2009 to January 1, 2010, does not resolve the substantive issues within the current rules that impose high costs and prescribe specific technology solutions. Massachusetts cannot afford additional unreasonable regulations on employers working to protect jobs and prevent layoffs while competing in a global economy. Senate Bill 173 would provide a necessary solution in the absence of regulatory rule changes. The legislation would ensure that clear guidelines for the development of identify theft regulations be utilized to provide consistency for those entities already regulated under Federal law and further provide businesses with greater flexibility to strategically invest their limited operational and IT resources.”

MacDougall,AIM and a broad coalition of industry groups representing Technology, banking, retailers and mutual funds, among others, have been instrumental players in deconstructing and analyzing proposed legislation, explaining it to the public, raising awareness of the proposed law, and advising the legislature and Administration on issues of concern, since the TJ Maxx data breach set in motion the chain of events resulting in today’s hearing.

copyright 2009 Sarah Cortes

Testimony of Sarah Cortes before Massachusetts Senate on Massachusetts Data Privacy and Security Laws

Testimony of InmanTechnologyIT of Massachusetts
Sarah Cortes, PMP, CISA, President
Before Chairman Michael W. Morrissey, Chairman Theodore C. Speliotis and Members of the Joint Committee on Consumer Protection and Professional Licensure in Support of S. 173, and Act Ensuring the Privacy of Certain Data

My name is Sarah Cortes and I am a technology professional in Massachusetts. Among other services, I follow and advise clients regarding the development of rules for the protection of personal information for residents of the Commonwealth, as well as laws and regulations with federal and other state jurisdictions and internationally. I also write extensively about security, privacy, surveillance, and technology. I wish to express my appreciation to the Administration for extending the general effective date of May 1, 2009 to January 1, 2010. As a security professional, I support S. 173, which would improve upon M.G.L. 93H. However, I remain concerned about wide-ranging rules which present significant enforcement challenges and could lead to widespread noncompliance, rendering a setback for overall compliance efforts. I urge the Administration to review rules and regulations in comparison with federal and other states laws, policies and regulations, and to revise them to ensure consistency and enforceability.

I support S. 173 because it:

• Remains consistent with Federal law and regulations.
• Avoids technology-specific requirements that will quickly render it obsolete
• Facilitates for organizations the enforcement of their data security policies on employees who willfully violate data protection rules, regulations and policies.
• Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy.

As a data security practitioner, I see my clients continually struggle with the complex nature of technology and operational implications.These clients include:

• Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally
• Colleges and universities located in Massachusetts but with associated overseas institutions
• Small web design and social media service delivery firms operating in multiple states
• Medium-sized training and certification delivery businesses based in Massachusetts but operating in multiple states
• Medium-sized non-profit organizations operating in multiple states
• Small non-profit organizations operating only in Massachusetts but with donors residing in many states

The jurisdiction and scope of the Massachusetts law, “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” presents issues as well. From a technical standpoint, the difficulty of continually sifting large databases that change minute-by-minute, lead to many possibilities, including:

• A database that contained no in-scope data and was not subject to regulations, could add a Massachusetts data record and fall in scope within minutes. Detecting the presence of Massachusetts residents in databases from minute-to-minute presents technical challenges and expenditure of resources.
• Due to failover and disaster recovery technology as well as cloud computing, third party firms engaged in a primary business of storing data for third party clients or providing computing services for such clients could find in-scope data of Massachusetts residents on their servers or storage devices due to a failover or split-second transfer of data. These firms not subject prior to data privacy laws could suddenly find themselves subject in this fashion.

Due to these and many other scenarios, I can testify that the Massachusetts data privacy laws and regulations, as written, essentially could extend far beyond Massachusetts to include many organizations who do little or no business with Massachusetts residents. This is because firms will need to invest time and resources to develop the ability to ensure to themselves and outside auditors and examining bodies that, from minute to minute, they remain exempt.

I advise clients in a number of technology areas, including:

• Complex Application Development/Implementation, like large projects with over 100 technical staff implementing, for example, trading systems
• IT Security/Privacy/ Risk/Audit management, performing risk assessments and managing large security implementation projects
• Data Center Operations Management, including vulnerability scanning but also day-to-day operations
• Disaster Recovery/High Availability, reviewing infrastructure and network architecture and advising on restructuring for resilience; and
• Technology Program/Project Management.

In educating and advising my clients about Massachusetts Data Privacy laws, about which there continues to be widespread lack of awareness and understanding, I find a general view emerging. This view holds that the regulations are so far-reaching, yet vague, that they are unenforceable and organizations need not fear enforcement. I do not endorse this view, and have written many papers and articles urging and explaining compliance, including an article that appears today on a national media outlet, TechTarget, www.ITKnowledgeExchange.TechTarget.com/IT-Compliance/ understanding-the-risk-of-penalties-for-violating-data-privacy-laws/, that warns against a dismissive view, and references numerous successful enforcement actions of state and federal data privacy laws.

Nevertheless, the fact remains today that enforcement of the many state and federal privacy laws remains costly and difficult at best, with limited success.

In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and “going beyond, where no man has dared to go,” only as a conscious step with a clear enforcement plan.

Thank you for your time. I wish to state that on behalf of data security professionals in this state, we stand ready to assist in adopting rules that are effective in achieving the Legislature’s goals. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

Sarah Cortes, PMP, CISA
President