Enterprises Need to Pay More Attention to Data Privacy

Many enterprises are still under the delusion that they can do more or less what they want with individuals' personal information. The European Union, many states (including California with its data breach law), and now Massachusetts are attempting to disabuse them of that notion. But this situation is not only about how to achieve compliance with disparate laws; it should also be a wakeup call informing enterprises that they now have to manage information for more than what they consider to be their primary business processes.

The impending Massachusetts data privacy law will serve as an illustration of what we expect will be a continuing trend. We shall also examine briefly how vendors are offering a variety of products and services to help organizations comply with the law, but then go on to examine this trend's broader implications.

New Massachusetts Law Protects of Personal Information
The goal of the new data privacy law of the Commonwealth of Massachusetts is to protect the personal information of all Massachusetts residents. The law goes under the very-difficult-to-remember name of 201 CMR 17.00. Personal information is defined as an individual's first name (or initial) and last name plus one or more of the following: Social Security Number (SSN), driver's license (or state-issued ID), financial account number or credit/debit card number (with or without pin or password) that would permit access to a Massachusetts resident's financial account.
 
Massachusetts requires that those entities subject to the law support a written information security program (WISP). The WISP, which does not exclude any organization, must be appropriate for the size, scope, and type of business conducted by the entity. The WISP must address the administrative, technical, and physical safeguards for the personal information protection of both consumer and employee information.
 
The WISP is applicable to all forms of media, including paper, as well as electronic records, in addition to the devices that contain them, including portable devices, such as laptops. A designated responsible employee must be assigned to conduct and produce an evaluation of reasonably foreseeable internal and external risks to the personal information being managed. In addition, employee training and monitoring of employee compliance must be carried out.
 
Enterprises must perform regular monitoring to ensure the WISP is operating in a manner that can be reasonably assumed to prevent unauthorized access to or use of personal information. Finally, they must document actions taken in response to security breaches.
 
Now Massachusetts' data privacy law includes a number of special technical requirements for electronically stored information (ESI). These include secure authentication protocols, such as control of user IDs and other identifiers, password security, and restriction of access to personal information to active users and active user accounts. Additional requirements include secure access control measures that limit access to personal information records and files to just a need-to-know basis. All personal information sent across public networks must be encrypted in transit. All personal information stored on laptops and other portable devices must be encrypted in place. Massachusetts does not specify the type of encryption that must be used. Monitoring must take place in order to provide alerts to any occurrence of the unauthorized use of or access to personal information.

Altogether the law lays out a lot of requirements. But what if your organization does not have a physical presence in Massachusetts (such as an online Web store that takes orders using credit cards from Massachusetts residents)? Are you subject to the law? The answer is yes. Massachusetts is not likely to check to see if you implement a WISP, but if you expose the personal information of Massachusetts residents and that causes a problem, such as identify theft, your organization may very well be held accountable. States have more power across their state boundaries than you might otherwise think, so what is happening in Massachusetts applies to you, too.

How Can You Comply with the Law?
Let's say that your organization wants to comply with the new law. NuTech Integrated Systems held a compliance luncheon recently in Boston where representatives of the Commonwealth of Massachusetts discussed the law.  NuTech and its partners talked about how each could help enterprises achieve compliance. In order to get a sense of what it might take in the way of outside products and services, let's look at NuTech and its partners very briefly.
 
NuTech is a systems integrator of messaging and network security solutions and so ties everything together with partner solutions appropriate for a particular client engagement. Each of the five NuTech partners in attendance provides specific pieces that overall add up to meeting the total compliance requirement:

The important thing to remember is that whether a company complies with the law totally with internal resources or engages with third-party product and service providers to assist in the process, there are a number of technology issues within IT that need to be addressed. The first issue is to provide basic and advanced security, such as access control, that applies to all information and not just personal information and applies to the Web as well as to standard internal information systems. The second is to be able to discover where personal information resides in the enterprise. The third issue is to be able to put controls on personal information specifically whether or not it is databases or files. NuTech takes a "best of breed" type of approach. Now larger vendors may have some of the pieces, but the pieces are not integrated into an overall package that says this is what you need to do to provide personal information data protection. That means that a "best of breed" approach is the approach that companies will have to take, although they may not choose the same companies that NuTech partners with.Mesabi Musings
Though some may dismiss this as a utopian dream, it might be nice to have one overarching U.S. federal statute that deals with personal information instead of numerous individual state laws. That may or may not transpire, but considering how the Internet allows companies to conduct business with little regard to state boundaries, enterprises must consider the implications about what is happening

And the broad conclusion is that enterprises must understand what data they have, where that data is and how it is being used. They must also be able to manage that data from a confidentiality and data retention perspective and prove they are doing so effectively. The drive to protect personal information of individuals is not the only underlying force.  eDiscovery and compliance requirements are also drivers. Note that this is well beyond what is required for traditional business processes that lead to the fulfillment of organizational objectives, such as revenue generation.

This whole movement toward securing personal information requires formal data governance on the part of enterprises. Data governance, which at one time was a nice thing to have, is moving toward a business critical capability. Although new requirements, such as Massachusetts' 201 CMR 17.00, may be perceived as just one more burden on top of all the other requirements that IT has to meet, enterprises can and should turn a negative into a positive by finding additional ways to extract value out of client information efforts, such as improving overall data quality.