Hearings on Major Revision of Expansive Massachusetts Data Privacy Law today on Beacon Hill

by Sarah Cortes

Public comment was received today on Beacon Hill on a major draft revision to Massachusetts’ Data Privacy Law, Senate Bill 173. House Chairman Theodore Speliotis, pictured left, Senate Chairman Michael Morrissey, below, and a half dozen elected state officials presided this morning over a hearing on dozens of privacy, identity theft and credit card laws and related amendments, including SB 173.

About a dozen representatives of industry organizations plus one IT security professional testified at today’s hearing, unanimously supporting the bill, which revises MGL 93H, Massachusetts’ Data Privacy Law. The amendment makes four revisions:
The most major of the changes defers to existing federal law where applicable. HIPAA and Sarbanes-Oxley cover most enterprises. This takes a considerable burden off firms handling data records and reduces complexity.

Another major revision is the reversal of provisions that would dictate specific technical tools or methods like encryption. The revised law would steer clear of any such specific requirements.
Small firms will find relief in the third change, which requires separate standards for them.
The fourth change allows firms to take action against employees violating the security policy.

“As a major technology state, we need to get this right,” observed Anne Doherty JohnsonExecutive Director, New England Council TechAmerica, which represents about 1,500 member firms. “The current regulations exceeded the intent of the legislature and are very problematic for the reasons outlined. TechAmerica believes this legislation will correct those and is a huge step in the right direction.” Doherty, who testified today as she has in hearings on the bill over the last several months, echoed the opening statement by Chairman Morrissey. Morrissey, pictured left, stated that the hearing marked a crossroads between the approach up to the present, where the legislature expanded the scope and jurisdiction of the law beyond the borders of Massachusetts and beyond its original intent, and a possible future approach by incoming undersecretary of the Office of Consumer Affairs and Business Regulation, Barbara Anthony. (see related story.)

Bradley A. MacDougall, Associate Vice President of Government Affairs for Associated Industries of Massachusetts (AIM), also testified. AIM is the state’s largest nonprofit, nonpartisan association of Massachusetts’ employers with more than 6,500 members who employ nearly one out of every five workers in Massachusetts. MacDougall captured the essence of sentiment expressed during three hours of testimony by approximately a dozen industry representatives:
“Data protection is a top priority for Associated Industries of Massachusetts (AIM) and our members who will continue to pursue the development of reasonable data privacy regulations in Massachusetts. The delay, in the general effective date of May 1, 2009 to January 1, 2010, does not resolve the substantive issues within the current rules that impose high costs and prescribe specific technology solutions. Massachusetts cannot afford additional unreasonable regulations on employers working to protect jobs and prevent layoffs while competing in a global economy. Senate Bill 173 would provide a necessary solution in the absence of regulatory rule changes. The legislation would ensure that clear guidelines for the development of identify theft regulations be utilized to provide consistency for those entities already regulated under Federal law and further provide businesses with greater flexibility to strategically invest their limited operational and IT resources.”

MacDougall,AIM and a broad coalition of industry groups representing Technology, banking, retailers and mutual funds, among others, have been instrumental players in deconstructing and analyzing proposed legislation, explaining it to the public, raising awareness of the proposed law, and advising the legislature and Administration on issues of concern, since the TJ Maxx data breach set in motion the chain of events resulting in today’s hearing.

copyright 2009 Sarah Cortes

Testimony of Sarah Cortes before Massachusetts Senate on Massachusetts Data Privacy and Security Laws

Testimony of InmanTechnologyIT of Massachusetts
Sarah Cortes, PMP, CISA, President
Before Chairman Michael W. Morrissey, Chairman Theodore C. Speliotis and Members of the Joint Committee on Consumer Protection and Professional Licensure in Support of S. 173, and Act Ensuring the Privacy of Certain Data

My name is Sarah Cortes and I am a technology professional in Massachusetts. Among other services, I follow and advise clients regarding the development of rules for the protection of personal information for residents of the Commonwealth, as well as laws and regulations with federal and other state jurisdictions and internationally. I also write extensively about security, privacy, surveillance, and technology. I wish to express my appreciation to the Administration for extending the general effective date of May 1, 2009 to January 1, 2010. As a security professional, I support S. 173, which would improve upon M.G.L. 93H. However, I remain concerned about wide-ranging rules which present significant enforcement challenges and could lead to widespread noncompliance, rendering a setback for overall compliance efforts. I urge the Administration to review rules and regulations in comparison with federal and other states laws, policies and regulations, and to revise them to ensure consistency and enforceability.

I support S. 173 because it:

• Remains consistent with Federal law and regulations.
• Avoids technology-specific requirements that will quickly render it obsolete
• Facilitates for organizations the enforcement of their data security policies on employees who willfully violate data protection rules, regulations and policies.
• Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy.

As a data security practitioner, I see my clients continually struggle with the complex nature of technology and operational implications.These clients include:

• Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally
• Colleges and universities located in Massachusetts but with associated overseas institutions
• Small web design and social media service delivery firms operating in multiple states
• Medium-sized training and certification delivery businesses based in Massachusetts but operating in multiple states
• Medium-sized non-profit organizations operating in multiple states
• Small non-profit organizations operating only in Massachusetts but with donors residing in many states

The jurisdiction and scope of the Massachusetts law, “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” presents issues as well. From a technical standpoint, the difficulty of continually sifting large databases that change minute-by-minute, lead to many possibilities, including:

• A database that contained no in-scope data and was not subject to regulations, could add a Massachusetts data record and fall in scope within minutes. Detecting the presence of Massachusetts residents in databases from minute-to-minute presents technical challenges and expenditure of resources.
• Due to failover and disaster recovery technology as well as cloud computing, third party firms engaged in a primary business of storing data for third party clients or providing computing services for such clients could find in-scope data of Massachusetts residents on their servers or storage devices due to a failover or split-second transfer of data. These firms not subject prior to data privacy laws could suddenly find themselves subject in this fashion.

Due to these and many other scenarios, I can testify that the Massachusetts data privacy laws and regulations, as written, essentially could extend far beyond Massachusetts to include many organizations who do little or no business with Massachusetts residents. This is because firms will need to invest time and resources to develop the ability to ensure to themselves and outside auditors and examining bodies that, from minute to minute, they remain exempt.

I advise clients in a number of technology areas, including:

• Complex Application Development/Implementation, like large projects with over 100 technical staff implementing, for example, trading systems
• IT Security/Privacy/ Risk/Audit management, performing risk assessments and managing large security implementation projects
• Data Center Operations Management, including vulnerability scanning but also day-to-day operations
• Disaster Recovery/High Availability, reviewing infrastructure and network architecture and advising on restructuring for resilience; and
• Technology Program/Project Management.

In educating and advising my clients about Massachusetts Data Privacy laws, about which there continues to be widespread lack of awareness and understanding, I find a general view emerging. This view holds that the regulations are so far-reaching, yet vague, that they are unenforceable and organizations need not fear enforcement. I do not endorse this view, and have written many papers and articles urging and explaining compliance, including an article that appears today on a national media outlet, TechTarget, www.ITKnowledgeExchange.TechTarget.com/IT-Compliance/ understanding-the-risk-of-penalties-for-violating-data-privacy-laws/, that warns against a dismissive view, and references numerous successful enforcement actions of state and federal data privacy laws.

Nevertheless, the fact remains today that enforcement of the many state and federal privacy laws remains costly and difficult at best, with limited success.

In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and “going beyond, where no man has dared to go,” only as a conscious step with a clear enforcement plan.

Thank you for your time. I wish to state that on behalf of data security professionals in this state, we stand ready to assist in adopting rules that are effective in achieving the Legislature’s goals. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

Sarah Cortes, PMP, CISA
President

Harvard Business School Series: Branding and Search Engine Optimizers (SEOs)

by Sarah Cortes

Branding in 2008- Cheat Sheet

It turns out that understanding and controlling Search Engine algorithms is where the future of marketing is headed, and is influencing branding by incorporating aspects that can affect SEO.

Tonight Harvard Business School hosted a CEO Roundtable called "Creating Best-Selling Brands That Drive Long-Term Growth. 5 CEOs Share their Marketing Insights on creating long-term brand equity." It provided "30 Minute Breakout Session w/ each CEO after Panel Discussion." It was described as a "Leadership Track Event," and said, "Enjoy a one-of-a-kind evening with 5 CEOs as they share their insight, vision and strategies to build sustainable, leading brands that drive business growth and increase shareholder value. In today’s ever-changing competitive landscape, it takes dynamic leaders to innovate, inspire, and motivate their teams to focus on innovative marketing and business strategies and drive revenue, build brand equity, enhance loyalty and drive growth to a new plateau of success." The CEO Panel Included:

Torrence Boone, CEO, Enfatico, a cool ad agency, we learned, whose first client was Dell
Scott Griffith, CEO of Zipcar, a pretty cool company
Ralph Crowley, CEO of Polar and Adirondack Beverages. Cool drinks.
Diane Hessan, CEO of Communispace, which, we learned, provides cool online customer focus groups
Charles J. Kravetz, CEO of NECN-TV, which we all know as "the news." Pretty cool.

Invited were members of the HBS Association of Boston, of whom 172 registered and 150 showed up. Pretty impressive turnout, but small enough to be intimate, in a fascinating way. Like viewing a squash match with its small and intimate gallery.

We did not learn much about how these awesome brands were created. Rather, we learned about what’s on the CEO’s mind at present, which, as it turns out, is mainly customers and customer experience.

A question about search engine optimization sidetracked everyone for quite a while. It seems CEOs are discovering search engines provide free advertising, in a sense. But they are focused on purchasing “key words.” SEO is so much more. Torrance Boone pointed out that SEO doesn’t end with your firm popping up at the top of Google’s list. It begins there, because where your customer lands when he clicks on your Google link can make all the difference.

Forgot what “branding” and SEO are considered, exactly, these days? Here’s a cheat sheet:

The following definitions of "branding" and “SEO” were found:
"From a shallow point of view, brand is what's given by a company to its merchandise so the manufacturer can be identified by consumers. Yet, after an increasing evolution on the production systems that allows almost any manufacturer to make high quality and satisfactory products, brands became a way of distinguishing simple commodities and their manufacturers by status, emotional characteristics and subjective qualities. A well-built brand gives the company or product personality, and evokes emotional and subliminal characteristics that are not necessarily found in the company or product themselves." - Yardeena Sherry, How To Understand Branding.

Wikipedia tells us the following:
A brand is a collection of symbols, experiences and associations connected with a product, a service, a person or any other artifact or entity. Brands have become increasingly important components of culture and the economy, now being described as "cultural accessories and personal philosophies" - Birkin, Michael (1994). "Assessing Brand Value," in Brand Power.

Search engine optimization (SEO) -As an Internet marketing strategy, SEO considers how search engines work and what people search for. Optimizing a website primarily involves editing its content and HTML coding to both increase its relevance to specific keywords and to remove barriers to the indexing activities of search engines.

Yet another way that the world keeps changing under your feet.

copyright 2009 Sarah Cortes

You can read Sarah's other tech columns at IT Knowledge Exchange