Last week, the Massachusetts Office of Consumer Affairs and Business Regulation decided to issue a revised version of 201 CMR 17.00, the regulation that outlines and enforces compliance with M.G.L. 93H. Not only did the OCABR delay the effective date for a third time, but saying the changes in the language have “softened” the aggressive nature of the law would be an understatement.
While this is good news for smaller enterprises, such as a business that only stores the personal information of its six employees, or small businesses that don’t have thousands upon thousands of dollars to spend on some of the physical and technical safeguards prescribed by the old version of the regulation, information security experts (such as the ones who wrote scathing indictments of the changes here and here) argue that this regulation has been softened to the point that it is rendered worthless. One of the authors wrote that the retail firm TJX would have been compliant with this regulation when it experienced the data breach that inspired it.
Highlights from the changes:
- Perhaps the most significant change is the removal of the personal information inventory piece. This may have been the most cumbersome and unrealistic part of the regulations, but also may have been the most important. It is difficult to protect information if you don’t know where it is. Other states already do require the personal information inventory in their data protection laws.
- Words like “reasonable” and “technically feasible” permeate the new version of the document, while they were used very sparingly in the old version. Information safeguards, including encryption, password strength, and the installation of virus definitions, security patches, and firewall protection, previously had specific standards that had to be met to be in compliance with the law. The new standards use the “reasonable” and “technically feasible” terminology instead. While this may ease small businesses’ financial burden, these words are certainly vague and open to interpretation.
- The Frequently Asked Questions that accompany the document on the Massachusetts OCABR website further illuminate the problems with the use of these terms. The FAQs state that email messages with personal information do not need to be encrypted if the process is not “technically feasible,” for example. A noncompliant business can readily answer to authorities simply by saying “I did not find this safeguard to be technically feasible.”
- The language of the regulation removes accountability for those who “store or maintain” personal information. This would suggest that if a company keeps its records at a hosted storage facility or with a service bureau, the vendor is no longer responsible for this information. Other provisions regarding vendor management are similarly weakened or taken out completely—a contract including compliance is required but enforcement of a vendor’s compliance is no longer documented.
- Compliance as an ongoing process is also put into question by the changes. There is no longer language regarding assessing the risk associated with information, processes, or applications and putting appropriate safeguards in place. Language requiring monitoring of the effectiveness of safeguards is also removed.
- Similarly, thorough investigation of any network intrusion was previously mandated by the regulation. Such investigations are no longer explicitly required unless they result in a data breach. A business no longer has to report or document any unauthorized physical access to computer systems. Restricting access to systems, such as server rooms, is also completely eradicated from the document.
- Language regarding employee access to personal information is substantially less stringent. Language regarding limiting access to those with a “need to know” is eradicated and the word “immediately” has been removed from the part requiring companies to revoke physical and electronic access to records when an employee leaves the organization.
There are six months left before the revised compliance deadline. With the revised provisions in the regulations, compliance is much more achievable. However, compliance with these weakened regulations might not be enough to keep information safe anymore.
GraVoc Associates, Inc., located in Peabody, MA, is celebrating fifteen years in the practices of information security, information systems, and technology and professional consulting. For more information on GraVoc’s compliance services aligned with the Massachusetts Data Protection Law, please contact GraVoc at 978-538-9055 or visit the GraVoc website at https://www.gravoc.com. This law has also been covered in the GraVoc News Blog; clicking “Massachusetts Data Protection Law” below leads to further information.