On March 1st, 2010, the state of Massachusetts raised the bar for companies and their IT organizations by implementing tough legislation that requires new protections for customer data. Any organization that has customers located in Massachusetts will have to abide by 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, aka, the Mass Data Protection Law. This regulation applies to all organizations "who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts."
This is a game changer in the security industry, as encryption will quickly become a requirement for all organizations that want to do business in the third most densely populated state. Organizations that do not comply may, in the event of a data breach, be exposed to claims by the Massachusetts Attorney General, businesses and individuals under Massachusetts' consumer protection statute. Aside from class action lawsuits and audit costs, non-compliant organizations can also be charged up to $50,000 per incident for improper record disposal, with a maximum fine of $5,000 per violation of compliance standards. In the event of an attack, this could cost a company millions of dollars. When TJX was compromised in 2007, it cost them $250 million in just the first 12 months following the data breach. The Massachusetts state law, had it been in effect at the time of that breach, could have more than doubled this total.
Identity theft is a scary thing... It must feel good to be a Massachusetts resident and know that your state is looking out for your personal identity and holding organizations accountable. Expect other states to follow. Throughout history, Massachusetts has paved the legal road for many social issues, and shortly thereafter other states followed by enacting their own protections. We can be sure that regulations like this are not going away (for example, there's Nevada's revamped encryption law SB 227), and these regulations will continue to drive organizations to implement security standards and encrypt all data residing on their devices.
Deploying encryption software can strike fear in the hearts of IT organizations throughout the country that are already short of resources. "Companies needing to move quickly to implement data encryption should follow best practices and evaluate managed services that take advantage of cloud computing," says Mark Nafe of Checkpoint. Other "best practice" recommendations include:
- Select the right technology based on your objectives. Full Disk Encryption tends to be more of a "set it and forget it" product line, which can enable organizations to move fast and gain compliance with this regulation. Other technologies allow you to pick and choose what to encrypt.
- Plan the project and design the solution. Ensure you have the right people in place, and offset burden wherever possible by taking advantage of managed service providers with experience.
- Prepare and configure the software. Be sure to test the software's configuration on any and all corporate images you manage to minimize potential install failure rates.
- Remember everyone. Don't forget those users that do not frequently connect to the corporate network.
- Track your rollout. Practice proactive management based on reporting and business intelligence. Watch for potential issues and proactively remediate where needed. Ensure that you have a reporting solution in place that will allow you to prove compliance with this regulation quickly and efficiently.