
Wednesday, May 13, 2009

Hearings on Major Revision of Expansive Massachusetts Data Privacy Law today on Beacon Hill

by Sarah Cortes

Public comment was received today on Beacon Hill on a major draft revision to the Massachusetts Data Privacy Law, Senate Bill 173. House Chairman Theodore Speliotis, pictured left, Senate Chairman Michael Morrissey, below, and a half dozen elected state officials presided this morning over a hearing on dozens of privacy, identity theft and credit card laws and related amendments, including SB 173.

About a dozen representatives of industry organizations plus one IT security professional testified at today’s hearing, unanimously supporting the bill, which revises MGL 93H, Massachusetts’ Data Privacy Law. The amendment makes four revisions:
The most significant of the changes defers to existing federal law where applicable. HIPAA and Sarbanes-Oxley cover most enterprises. This takes a considerable burden off firms handling data records and reduces complexity.

Another major revision is the reversal of provisions that would dictate specific technical tools or methods like encryption. The revised law would steer clear of any such specific requirements.
Small firms will find relief in the third change, which requires separate standards for them.
The fourth change allows firms to take action against employees violating the security policy.

“As a major technology state, we need to get this right,” observed Anne Doherty Johnson, Executive Director, New England Council TechAmerica, which represents about 1,500 member firms. “The current regulations exceeded the intent of the legislature and are very problematic for the reasons outlined. TechAmerica believes this legislation will correct those and is a huge step in the right direction.” Doherty, who testified today as she has in hearings on the bill over the last several months, echoed the opening statement by Chairman Morrissey. Morrissey, pictured left, stated that the hearing marked a crossroads between the approach up to the present, where the legislature expanded the scope and jurisdiction of the law beyond the borders of Massachusetts and beyond its original intent, and a possible future approach by incoming undersecretary of the Office of Consumer Affairs and Business Regulation, Barbara Anthony. (See related story.)

Bradley A. MacDougall, Associate Vice President of Government Affairs for Associated Industries of Massachusetts (AIM), also testified. AIM is the state’s largest nonprofit, nonpartisan association of Massachusetts’ employers with more than 6,500 members who employ nearly one out of every five workers in Massachusetts. MacDougall captured the essence of sentiment expressed during three hours of testimony by approximately a dozen industry representatives:
“Data protection is a top priority for Associated Industries of Massachusetts (AIM) and our members, who will continue to pursue the development of reasonable data privacy regulations in Massachusetts. The delay in the general effective date, from May 1, 2009 to January 1, 2010, does not resolve the substantive issues within the current rules that impose high costs and prescribe specific technology solutions. Massachusetts cannot afford additional unreasonable regulations on employers working to protect jobs and prevent layoffs while competing in a global economy. Senate Bill 173 would provide a necessary solution in the absence of regulatory rule changes. The legislation would ensure that clear guidelines for the development of identity theft regulations be utilized to provide consistency for those entities already regulated under Federal law and further provide businesses with greater flexibility to strategically invest their limited operational and IT resources.”

MacDougall, AIM and a broad coalition of industry groups representing technology, banking, retailers and mutual funds, among others, have been instrumental players in deconstructing and analyzing proposed legislation, explaining it to the public, raising awareness of the proposed law, and advising the legislature and Administration on issues of concern, since the TJ Maxx data breach set in motion the chain of events resulting in today’s hearing.

copyright 2009 Sarah Cortes

Tuesday, May 12, 2009

Testimony of Sarah Cortes before Massachusetts Senate on Massachusetts Data Privacy and Security Laws

Testimony of InmanTechnologyIT of Massachusetts
Sarah Cortes, PMP, CISA, President
Before Chairman Michael W. Morrissey, Chairman Theodore C. Speliotis and Members of the Joint Committee on Consumer Protection and Professional Licensure in Support of S. 173, an Act Ensuring the Privacy of Certain Data


My name is Sarah Cortes and I am a technology professional in Massachusetts. Among other services, I follow and advise clients regarding the development of rules for the protection of personal information for residents of the Commonwealth, as well as laws and regulations in federal and other state jurisdictions and internationally. I also write extensively about security, privacy, surveillance, and technology. I wish to express my appreciation to the Administration for extending the general effective date of May 1, 2009 to January 1, 2010. As a security professional, I support S. 173, which would improve upon M.G.L. 93H. However, I remain concerned about wide-ranging rules which present significant enforcement challenges and could lead to widespread noncompliance, resulting in a setback for overall compliance efforts. I urge the Administration to review rules and regulations in comparison with federal and other states’ laws, policies and regulations, and to revise them to ensure consistency and enforceability.
I support S. 173 because it:
  • Remains consistent with Federal law and regulations.
  • Avoids technology-specific requirements that would quickly render it obsolete.
  • Facilitates for organizations the enforcement of their data security policies on employees who willfully violate data protection rules, regulations and policies.
Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy.
As a data security practitioner, I see my clients continually struggle with the complex nature of technology and its operational implications. These clients include:
  • Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally
  • Colleges and universities located in Massachusetts but with associated overseas institutions
  • Small web design and social media service delivery firms operating in multiple states
  • Medium-sized training and certification delivery businesses based in Massachusetts but operating in multiple states
  • Medium-sized non-profit organizations operating in multiple states
  • Small non-profit organizations operating only in Massachusetts but with donors residing in many states
The jurisdiction and scope of the Massachusetts law, “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” presents issues as well. From a technical standpoint, the difficulty of continually sifting large databases that change minute-by-minute leads to many possibilities, including:
  • A database that contained no in-scope data and was not subject to regulations could add a Massachusetts data record and fall in scope within minutes. Detecting the presence of Massachusetts residents in databases from minute to minute presents technical challenges and expenditure of resources.
  • Due to failover and disaster recovery technology as well as cloud computing, third party firms engaged in a primary business of storing data for third party clients, or providing computing services for such clients, could find in-scope data of Massachusetts residents on their servers or storage devices due to a failover or split-second transfer of data. These firms, not previously subject to data privacy laws, could suddenly find themselves subject in this fashion.
Due to these and many other scenarios, I can testify that the Massachusetts data privacy laws and regulations, as written, essentially could extend far beyond Massachusetts to include many organizations that do little or no business with Massachusetts residents. This is because firms will need to invest time and resources to develop the ability to ensure to themselves and to outside auditors and examining bodies that, from minute to minute, they remain exempt.

I advise clients in a number of technology areas, including:
  • Complex Application Development/Implementation, like large projects with over 100 technical staff implementing, for example, trading systems
  • IT Security/Privacy/Risk/Audit management, performing risk assessments and managing large security implementation projects
  • Data Center Operations Management, including vulnerability scanning but also day-to-day operations
  • Disaster Recovery/High Availability, reviewing infrastructure and network architecture and advising on restructuring for resilience; and
  • Technology Program/Project Management.

In educating and advising my clients about Massachusetts Data Privacy laws, about which there continues to be widespread lack of awareness and understanding, I find a general view emerging. This view holds that the regulations are so far-reaching, yet vague, that they are unenforceable and organizations need not fear enforcement. I do not endorse this view, and have written many papers and articles urging and explaining compliance, including an article that appears today on a national media outlet, TechTarget, www.ITKnowledgeExchange.TechTarget.com/IT-Compliance/understanding-the-risk-of-penalties-for-violating-data-privacy-laws/, that warns against a dismissive view, and references numerous successful enforcement actions of state and federal data privacy laws.

Nevertheless, the fact remains today that enforcement of the many state and federal privacy laws remains costly and difficult at best, with limited success.

In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and “going beyond, where no man has dared to go,” only as a conscious step with a clear enforcement plan.
Thank you for your time. I wish to state that on behalf of data security professionals in this state, we stand ready to assist in adopting rules that are effective in achieving the Legislature’s goals. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

Sarah Cortes, PMP, CISA
President


Tuesday, April 7, 2009

Bob Brennan, Iron Mountain CEO, at Harvard Business School

by Sarah Cortes

This morning at Harvard Business School, Bob Brennan, President and CEO of Boston-based Iron Mountain, delivered a vision for the future and reflected on the notable mid-recession growth and profitability of this perennial giant in the world of Records Management, Data Storage and Disaster Recovery.

Casual observers marvel at how the company not only survives but has recently exploded galactically into the S&P 500. It seems counterintuitive for a company that seemingly shares the same challenge we see each week on the popular TV show, The Office, namely, a core business built around a mundane, semi-obsolete medium, paper (and a similarly semi-obsolete medium, magnetic tape), in a hip digital age.

At the breakfast gathering in HBS's sparkling and sun-drenched Spangler Center, sponsored by the HBS Association of Boston, Iron Mountain materials summarized the firm's fortunes: "In 1998 Iron Mountain was a $400m physical box and tape storage company with operations entirely within the United States. Today, they have $3b revenues, operate in 38 countries on five continents, and have completed more than 250 acquisitions."

Make that 300 acquisitions, according to numbers Brennan quoted this morning. Things have been picking up in 2009, it seems.

His vision for the future, and his ambition, are similarly galactic: "Adding technology services that increasingly will bring us into competition with IBM, EMC and Microsoft." We asked Brennan to throw a spear to pinpoint his definition of "technology services." Iron Mountain's growth has largely been fueled by its Document Management Services (DMS) division, which pretty much means image storage. It is a huge area with room for growth, but storing images of printed paper is a different goldfish pond than the growing online, real-time digital data backup and storage business. For their largest client sector, financial services, which Brennan today revealed accounts for 20% of Iron Mountain's business, data storage and backup means transaction records in database form. It also means, if not real-time backup, for example via EMC's SRDF technology, then at least daily database synchronization in a batch backup, transmission and storage cycle.

"IBM," said Brennan, meaning that clients seeking that service should address themselves to Big Blue. "We have no clue about online data storage." Good to be clear about core vision. With an enormous slide projected behind him as he spoke, of a goldfish in a small bowl and another goldfish leaping into a larger bowl, set before a vast ocean, Brennan made the point that Iron Mountain's unarguable success in this economic holocaust is due to leaping into bigger ponds like DMS, but not drowning in the ocean of online and real-time data backup and recovery. Iron Mountain sees its present and future in "inactive data" rather than online, real-time transaction-based data, according to Brennan. "Let us eliminate your noise," he says, summing up the approach.

Brennan also seeks to make Iron Mountain the leading provider of digital computing, now known as cloudshare. "In the old days, we called it timeshare," jokes Brennan. He compared his firm's market share in this arena to that of salesforce.com, another recent juggernaut.

His biography outlines a path to the executive suite reminiscent of Craig McCaw, who cobbled together the stupendous McCaw cellular empire in the 1990s. According to the company website, Brennan joined Iron Mountain through the acquisition of Connected Corporation, where he served as Chief Executive Officer. Before Connected, he was a general manager for network and service management with the highly successful and flamboyant Cisco Systems, Inc., a global leader and the "junkyard dog" of the networking and communications equipment business. He was CEO of American Internet prior to its acquisition by Cisco.

"We are not a software company and we're not a real estate company, and we're not a transportation company, although we maintain a fleet of 5,000 trucks making 75,000 stops," summarized Brennan.


Iron Mountain faces challenges as it continues to reinvent itself and move into cloudshare and other digital arenas. Brennan distinguishes himself from his counterpart on The Office, Michael Scott, the notorious (anti-)manager, by squarely facing the transformation required of Iron Mountain's 21,000 employees around the globe. Brennan clearly takes pride that his firm has managers who have worked themselves up from the warehouse to running multimillion dollar business lines, but acknowledges it is largely a blue collar workforce. With this in mind, he brought together the 200 company leaders from around the world a few weeks ago and focused on the company's strategy. At this gathering, Brennan articulated his management philosophy: "Lead with kindness - we have to pull, not push, people. And develop people." This philosophy is creating discomfort for some of his managers, and "it's creating a lot of discomfort for me, too," joked Brennan. "I've been getting a lot of feedback since I put this out there a few weeks ago."

copyright 2009 Sarah Cortes

Disclosure: The author was SVP and head of Disaster Recovery at Putnam Investments on 9/11 when parent company Marsh & McLennan's data center collapsed on the 96th floor of the North Tower of the World Trade Center and failed over to Putnam's facilities while hundreds of colleagues died. Iron Mountain played a critical role in Marsh & McLennan's remarkable recovery, driving thousands of magnetic tapes across the country while airlines were grounded. Her technology consulting practice includes, among other areas, advising companies how to negotiate their Iron Mountain contracts and pricing. You can read her other Tech columns at IT Knowledge Exchange

Sunday, March 22, 2009

Cellphone Surveillance Techniques and TV's 24

by Sarah Cortes

Thanks to the TV show 24, cellphone triangulation is now a household term. When you want to find the bad guy, or save your friend, you just triangulate. Like, on your laptop. It seems. According to the show.

So cool.

The flip side, that's not so cool, is that it provides yet another way to invade privacy and control innocent people and even, in the wrong hands, make their lives miserable. For example, police have found human traffickers use this technology around the world, including here in Boston, to keep women forced into sexual trafficking from escaping their sad and all-too-common plight, while claiming that "they are not prisoners, they are free to come and go."

Of course, back in the unrealistically black-and-white world of 24, everyone knows who the good and bad guys are. And everyone knows that when you want to triangulate on 24, you call not for Jack Bauer, the ostensible hero. Nope, when it comes to the hard-core tech stuff you call for - Chloe, the straight-talking, rocking techno chick. You go, girl!

In real life, locating people using their cellphones involves multiple technical options. Cellphone "triangulation" is just one of several available techniques. LBS, or Location-Based Systems, fall under one of three categories:
• Network-based (of which triangulation is one approach)
• Handset-based (GPS)
• Hybrid

Network-based: Cellphone "triangulation" is a technique that falls under the "network-based" category. It is considered the most accurate of all methods. But you might want to think twice if you're Jack Bauer and you need a helicopter to drop you an escape ladder into a precise location, because triangulation is also one of the most challenging techniques. Like landing a drop shot from the back of the squash court, it requires hours of practice and has a lower percentage of success. But when it works, it's sweet.

In general, network-based LBS utilizes a service provider's network infrastructure to identify handset location. The advantage is that it can be implemented non-intrusively, without affecting the handset. The disadvantage is that you have to ask the carrier to provide you the data, based on the handset's signal in relation to its towers.

Handset-based: On the other hand, handset-based LBS requires installation of client software (GPS) on the handset. The advantage is that you don't need to ask carriers for tower information. But you still need to be able to read GPS, or request a reading from GoogleMaps or an application that does.

Here's how handset-based LBS works:
• First, it calculates:
1) Location by cell identification
2) Signal strengths of the home and neighboring cells; or
3) Latitude and longitude, if the handset is equipped with a GPS module
• The calculation is then sent from the handset to a location server like GoogleMaps.

Network-based LBS Challenges:
• Accuracy varies: cell identification is the least accurate and triangulation the most accurate
• Accuracy is closely dependent on the concentration of base station cells, with urban environments achieving the highest accuracy
• Requires working closely with the service provider, because it entails the installation of hardware and software within the operator's infrastructure
• A legislative framework, such as E911, is required to compel service providers to cooperate and to safeguard privacy
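As an added illustration, not part of the original column, the following Python shows why cell identification is the least accurate network-based method and why accuracy depends on base-station density. The tower coordinates, the handset position and the 5% ranging error (standing in for the uncertainty of turning signal strength into a distance) are all constructed sample values, not real cell sites.

```python
import math

# Constructed example: three base stations on a local planar grid, in metres.
# These are sample coordinates, not real cell sites.
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (1500.0, 2600.0)]


def distance(a, b):
    """Euclidean distance between two (x, y) points in metres."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def cell_id_estimate(handset, towers):
    """Cell identification: the handset is reported at its serving (nearest) tower.
    The error is therefore the whole distance from that tower to the handset."""
    return min(towers, key=lambda t: distance(t, handset))


def trilaterate(towers, ranges):
    """Network-based 'triangulation' (strictly, trilateration): solve for (x, y)
    from three tower positions and the range measured to each one.
    Subtracting the first circle equation from the other two removes the
    quadratic terms and leaves a 2x2 linear system A * [x, y] = b."""
    (x1, y1), (x2, y2), (x3, y3) = towers
    r1, r2, r3 = ranges
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        # Collinear towers give no unique fix: the two candidate points are
        # mirror images across the line through the towers.
        raise ValueError("towers are collinear; position is ambiguous")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return (x, y)


def location_errors(handset, towers, range_error_frac=0.0):
    """Return (cell-ID error, trilateration error) in metres for a handset whose
    true position is known. range_error_frac is an assumed proportional
    ranging error (0.05 = every range overestimated by 5%) standing in for
    the uncertainty of converting signal strength into distance."""
    ranges = [distance(t, handset) * (1.0 + range_error_frac) for t in towers]
    cid = cell_id_estimate(handset, towers)
    tri = trilaterate(towers, ranges)
    return distance(cid, handset), distance(tri, handset)


def density_comparison(range_error_frac=0.05, scale=3.0):
    """Apply the same proportional ranging error to the dense grid and to a
    grid whose tower spacing is 'scale' times larger (a sparser, rural layout).
    Returns the trilateration error in metres for (dense, sparse)."""
    handset = (1200.0, 900.0)
    dense_err = location_errors(handset, TOWERS, range_error_frac)[1]
    sparse_towers = [(x * scale, y * scale) for x, y in TOWERS]
    sparse_handset = (handset[0] * scale, handset[1] * scale)
    sparse_err = location_errors(sparse_handset, sparse_towers, range_error_frac)[1]
    return dense_err, sparse_err


if __name__ == "__main__":
    handset = (1200.0, 900.0)
    cid_err, tri_err = location_errors(handset, TOWERS)
    print(f"exact ranges: cell-ID error {cid_err:.0f} m, trilateration error {tri_err:.3f} m")
    dense_err, sparse_err = density_comparison()
    print(f"5% ranging error: dense grid {dense_err:.1f} m, sparse grid {sparse_err:.1f} m")
```

With exact ranges the cell-ID estimate is off by the full 1,500 m to the serving tower while trilateration is exact; with the same 5% ranging error, spreading the towers three times further apart triples the trilateration error.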

Handset-based LBS Challenges:
These center around the necessity of installing software on the handset, which:
• Requires the active cooperation of the subscriber
• Requires software that can handle the different handset operating systems
• Typically works only on smartphones, such as Symbian or Windows Mobile devices
• Proposed work-around: the manufacturer installs embedded hardware/software on the handset

These issues are coming up more frequently these days with the advent of a plethora of privacy laws. Understanding them can help avoid trouble for your organization and in your personal life. And, like Jack and Chloe, it makes you... so cool.

copyright 2009 Sarah Cortes

You can read Sarah's other tech columns at IT Knowledge Exchange

Tuesday, February 3, 2009

Harvard's Berkman Center for Internet & Technology



by Sarah Cortes

A major crossroads for technology trends, trendsetting individuals and thought regarding freedom, responsibility, and the law, Berkman is a unique and valuable place. Today's gathering reviewed Berkman's report to the 50 US states' Attorneys General entitled "Enhancing Child Safety and Online Technologies." John Palfrey, professor and librarian at Harvard Law, Berkman founder and general all-around respected person on these topics, presented, along with other task force members.

Children's internet safety has become a high profile IT Risk Management and Security area these days. The report resulted from a consent decree entered into by MySpace.com and judicial entities as a result of a series of horrific incidents relating to children's internet use. Some questions that arise are how the report addresses: 1) sexual predation by and of minors, 2) sexual solicitation by and of minors, 3) exposure to harmful content by and of minors, including violent and pornographic content.

It's interesting how language can be used to obscure what's going on. The report clarifies:
1) sexual predation by adult men of minor girls
2) sexual solicitation by adult men of minor girls
3) exposure to harmful content by adult men of minor girls, including content reflecting acts violent and degrading to women and girls.

Even the word "predators" kind of depersonalizes things and makes them more comfortable. The uncomfortable reflection in this report is that the men engaging in these acts and practices are, for the most part, otherwise regular guys like our dads, brothers, husbands, and co-workers. How harmful and abusive behaviour against women and girls has become part of mainstream American culture is beyond the scope of this report, but there it is for all to read.

Viewed in much the same way as we view our daily squash match against a hapless opponent, sexual pressure and coercion are part of the daily sport, according to this report, of countless men and boys around the world. Although not attacking the roots of the problem, which seem to be entitled beliefs and attitudes among boys and men, social networking sites are nevertheless beginning to act, taking a detection and documentation approach, using age verification and Sentinal among tools and strategies to identify and screen out these predatory men and boys.

A technical advisory board comprised of representatives of 29 technology companies reviewed products and offerings of 40 submissions in response to the Berkman task force's RFP. It was, quite sensibly and not surprisingly, decided not to recommend any single technology or approach to protect minors on the internet. Some feedback from the 50 states' Attorneys General is that the victim and predator profiles in Berkman's research are inconsistent with actual arrest records of internet predators. Berkman has sought access to the arrest records, but so far none has been provided. Another objection was that Berkman's data must be outdated. In fact, John Palfrey elucidated, the data is consistent with the most recent data set, that from September 2008.

Berkman Center has once again performed a service with its excellent research on this important topic. A next step might be to step back and consider solutions that go to the root of the problem, as numerous organizations who work with violent, exploitative, abusive men and boys have recommended. Ironically, a lot of money and effort is being spent on technical solutions which allow us to keep re-detecting the same problem, which is simply growing over time. Like preventive health care, money would be well spent on prevention of abusive, predatory behaviour by men and boys, and all abusers, not just money spent on detection and documentation of their crimes after girls' lives have been ruined.

copyright 2009 Sarah Cortes

You can read Sarah's other tech columns at IT Knowledge Exchange