Secure Computer Systems (Computer Science) – Article
September 20, 2009
Data security and privacy have emerged as primary concerns in the contemporary era of digitized economies and corporate operations, and the issue has drawn the attention of governments around the world. In the last decade, even in the US, the government has imposed many security- and privacy-related regulations on corporations. As reported in an article published in Mondaq Business Briefing on September 2, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued amendments to the Standards to Protect Personal Information of Residents of the Commonwealth, 201 CMR 17.00. The press release from OCABR made it amply clear that the amendments apply to all businesses, big and small, that own or license personal information of any resident of Massachusetts (Mondaq Business Briefing, 2009). The primary purpose of these amendments is to update the existing data security standards in light of emerging risks to data and to bring them into line with the Federal Trade Commission's Safeguards Rule (Mondaq Business Briefing, 2009). This risk-based approach to data security takes into consideration the size and scope of a business, the resources available to it, the nature and quantity of the data it collects or stores, and the need for security when it creates an information security program (Mondaq Business Briefing, 2009). According to the OCABR, a business's compliance with the Standards is not judged against a single standardized program but is assessed on the basis of the data risks inherent in that business (Mondaq Business Briefing, 2009).
The hallmark of these regulations is that they acknowledge that no single data security and privacy program can be prescribed for every business (Kairab, 2004). The lawmakers are thus aware of the glaring reality that every business is unique in its need for consumer information and data, and that businesses should be left free to decide what kind of data security program and guidelines they need to put in place. Even where governments do not intervene in the arena of data security, consumers today are more than concerned about the sanctity of their personal data.
Thus, the purpose of any statutory arrangement should be more in the nature of guidelines and awareness drives, intended to sensitize individuals and businesses to the possible threats to data and to the consequences and repercussions of any instance of data theft or loss (Matsura, 2001). The thrust of government activism ought to be corporate and consumer education, not regulation. Aware corporations will take the appropriate steps to remain competitive, while well-informed consumers will naturally gravitate towards businesses they can trust with their personal information and data. State policing of corporate compliance with data security is not only impractical but also oblivious to the essential principles governing free markets.
Kairab, Sudhanshu (2004). A Practical Guide to Security Assessments. New York: Auerbach Publications.
Matsura (2001). Security, Rights, and Liabilities in E-Commerce. Toronto: Artech House Publishers.
"Privacy and Security Alert: Analysis of Amendments to Massachusetts Data Security Regulations". Mondaq Business Briefing. Mondaq Ltd. 2009. Retrieved Sept. 20, 2009, from HighBeam Research: http://www
Privacy And Security Alert: Analysis Of Amendments To Massachusetts Data Security Regulations.
Mondaq Business Briefing
September 2, 2009
As we reported in our August 17, 2009 Client Alert, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released amendments to the Standards to Protect Personal Information of Residents of the Commonwealth, 201 CMR 17.00 (the Standards). In addition to extending the compliance deadline from January 1, 2010 to March 1, 2010, the amendment makes some key changes that bear taking note of and that we will examine here. The OCABR has scheduled a hearing for interested parties to provide oral or written testimony regarding 201 CMR 17.00 on September 22, 2009 at 10:00 a.m. in Room No. 5-6 on the second floor of the Transportation Building at 10 Park Plaza, Boston. Written comments will also be accepted until the close of business on September 25, 2009 at the offices of the OCABR, 10 Park Plaza, Suite 5170, Boston, Massachusetts, 02116, and should be sent to the attention of Jason Egan, Deputy General Counsel, or e-mailed to Jason.Egan@state.ma.us.
Although the press release from OCABR clearly focused on a beneficial effect to small business, the amendments and extension apply to all businesses that "own or license" personal information of a resident of Massachusetts. Along with its press release, OCABR has also issued a list of FAQs. We have provided a complete text of the FAQs for your convenience here. The agency makes clear that one of the purposes of the amendment was to take a risk-based approach to the Standards, consistent with the Federal Trade Commission’s Safeguards Rule. This is familiar territory to those who have been implementing compliance programs under Gramm-Leach-Bliley, Regulation S-P of the Securities and Exchange Commission, any of the Interagency Guidance issued by the bank regulatory agencies, HIPAA, or the Red Flag Rules. The "risk-based approach" in the Standards, as amended, addresses:
adding consideration of the size and scope of the business, amount of resources, nature and quantity of data collected or stored, and the need for security when creating an information security program.
removing a number of specific provisions for the written information security program, all of which will now be "guidance" only.
specifying that all (not just encryption) computer system security requirements should be included in the written information security program "to the extent technically feasible".
adding and amending some definitions, including making the definition of encryption "technology-neutral."
According to the OCABR, compliance with the Standards will be judged according to these risk-based factors. There is still no one-size-fits-all written information security plan (WISP) or risk assessment.
Definitions
The definition of "personal information" has remained the same (first name or initial and last name combined with sensitive data like a Social Security number or financial account number). New definitions for "own or license" and for "service provider" have been added, and both are quite broad and should be reviewed.
Service Providers
There has been a significant change with respect to service providers. The current iteration of the Standards contains "due diligence" type language, requiring that businesses use "all reasonable measures" to "ensure" that service providers are "capable" of providing security consistent with the Standards. The amendments delete the "due diligence" requirement, but have added back in a requirement from earlier versions to impose contractual obligations to maintain appropriate security measures on service providers that have access to or use "personal information." However, if the contract is entered into prior to March 1, 2010, it will be deemed to be in compliance with this obligation until March 1, 2012, even if no such language exists in the contract. Businesses are therefore given two and a half years' notice to amend all service provider contracts covering services that allow access to or use of "personal information." These requirements are consistent with third-party vendor requirements under federal law.
Computer System Requirements
The amendments do not define "technically feasible," but the FAQs address this concept and define it by stating, "if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used." The OCABR further elaborates on this in the FAQs by indicating that while it is very clear that there is encryption technology for laptops, they recognize that "at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, Blackberries, net books, iPhones and similar devices." The OCABR further warns that if encryption for portable devices is not available, then "personal information" should not be placed on such devices. The FAQs elaborate on a point that is not readily apparent from the amended Standards but that has been addressed in public outreach seminars: backup tapes that include "personal information" must be encrypted on a prospective basis.
Written Information Security Programs
The amendments have removed some requirements for information security programs. It will no longer be necessary to include in the written program limitations on the amount of "personal information" collected or the length of time it is retained. Even if not in a written program, these concepts should be treated as important guidance, and they certainly remain issues that arise when the FTC reviews the reasonableness of a data security policy. Likewise, it will no longer be a requirement under the Standards to identify in the written program where "personal information" is retained. As the OCABR correctly notes, however, it would be difficult to implement a risk-based data security program without first understanding where the personal information is located. The new FAQs also clarify the following important issues:
Portable devices that contain personal information of Massachusetts residents must be encrypted where it is reasonable and technically feasible to do so. Since little technology exists to reasonably encrypt portable devices other than laptops, businesses should consider restricting sending to and storage of personal information on devices such as Blackberries, PDAs, or USB/thumb drives.
An account is a financial account, and thus must be protected under the WISP, if unauthorized access could result in an increase of financial burden or a misappropriation of monies, credit, or other assets.
An insurance policy number is a financial account number if it grants access to a person’s finances, or results in an increase of financial burden or a misappropriation of monies, credit or other assets.
Compliance with HIPAA does not eliminate a company’s obligation to comply with the Regulations if the company owns or licenses personal information of a Massachusetts resident.
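The definition above (a first name or initial and last name combined with a Social Security number or financial account number) and the OCABR's own observation that a risk-based program starts with knowing where personal information is located suggest a small inventory scan. The following Python is an added illustration, not code from the article or from the OCABR: it applies the 201 CMR 17.00 combination test to constructed sample records, so that a name alone or an identifier alone is not flagged, and only records belonging to Massachusetts residents are reported as within scope. The record layout (an id, a state of residence, a name field and free-text notes) and the restriction to SSN and payment-card patterns are assumptions; the regulation also covers driver's license and state ID numbers, whose formats vary by state and are not matched here. The sample numbers are published test values, not real people.

```python
"""Scan stored records for "personal information" as 201 CMR 17.00 defines it.

Added illustration, not code from the article or from the OCABR. The record
format (dict with 'id', 'state', 'name' and free-text 'notes') is an
assumption; adapt it to the data store you are actually inventorying.
"""
from __future__ import annotations

import re
from typing import Iterable

# Identifier patterns. The regulation pairs a name with an SSN, a driver's
# license / state ID number, or a financial account / card number. Only the
# SSN and card patterns are checked here (assumption: license formats vary
# too much by state to match reliably without a per-state table).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> set[str]:
    """Return the kinds of sensitive identifier found in free text."""
    found: set[str] = set()
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.add("card")
    return found


def classify_record(rec: dict) -> dict:
    """Apply the 201 CMR 17.00 test to one record.

    A name alone or an identifier alone is not "personal information"; the
    combination is. Residency decides whether the Standards reach the record.
    """
    has_name = len(rec.get("name", "").split()) >= 2  # first name/initial + last name
    ids = find_identifiers(rec.get("notes", ""))
    return {
        "id": rec["id"],
        "ma_resident": rec.get("state") == "MA",
        "identifiers": sorted(ids),
        "personal_information": has_name and bool(ids),
    }


def scan(records: Iterable[dict]) -> list[str]:
    """Ids of records the Standards reach: Massachusetts resident + personal information."""
    return [r["id"] for r in map(classify_record, records)
            if r["ma_resident"] and r["personal_information"]]


# Constructed sample records. 123-45-6789 and the card numbers are documented
# test values; the 000- SSN and the last card deliberately fail validation.
SAMPLE_RECORDS = [
    {"id": "r1", "state": "MA", "name": "Jane Doe", "notes": "SSN 123-45-6789 on file"},
    {"id": "r2", "state": "NH", "name": "Tom Brown", "notes": "card 4111 1111 1111 1111"},
    {"id": "r3", "state": "MA", "name": "J. Smith", "notes": "order paid with 4012 8888 8888 1881"},
    {"id": "r4", "state": "MA", "name": "Doe", "notes": "SSN 123-45-6789"},  # no first name/initial
    {"id": "r5", "state": "MA", "name": "Bob Jones", "notes": "account ref 000-12-3456"},
    {"id": "r6", "state": "MA", "name": "Ann Lee", "notes": "phone 617-555-0199, card 4111 1111 1111 1112"},
]

if __name__ == "__main__":
    for result in map(classify_record, SAMPLE_RECORDS):
        print(result)
    print("in scope:", scan(SAMPLE_RECORDS))
```

Records r2 and r4 show the two halves of the definition separately: r2 carries a valid card number but belongs to a New Hampshire resident, and r4 carries an SSN without a first name or initial, so neither is reported. A real inventory would add the driver's license patterns for the states whose residents appear in the data, and would then feed the list of hits into the written information security program's account of where personal information lives.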
While the effective date of the Regulations has been postponed to March 1, 2010, there is a considerable amount of work that companies, including many located outside Massachusetts, will need to do to comply.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.