Has Massachusetts Encryption Law Stopped Its Evolution?

This week I want to take a look at encryption laws. Only a few short years ago no law or regulation had explicit encryption requirements. HIPAA, passed in 1996 with compliance deadlines in 2003 (Privacy Rule) and 2005 (Security Rule), treats encryption within the Security Rule as an “addressable” implementation specification: a covered entity must implement it, or document why an alternative is reasonable, based upon the results of its risk assessment.
However, encryption became a more hotly debated topic with the more recent Massachusetts and Nevada laws that explicitly require organizations to encrypt personally identifiable information (PII). Now the question of whether or not the Massachusetts law will indeed be enforced on the current compliance date of January 1, 2010 is once more in the news…

First, let’s look at the history of the Massachusetts regulation, 201 CMR 17.00:

  • The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) was authorized to issue this data security law under the state data breach notification law (H.B. 4144), which was enacted in August 2007.
  • In September 2008, the OCABR issued 201 CMR 17.00, which was originally set to take effect January 1, 2009.
  • In November 2008, the OCABR issued emergency amendments that extended the effective date of the regulations until May 1, 2009.
  • In February 2009, the OCABR again extended the effective date so that none of the rules, including the encryption requirements for portable devices, would take effect until January 1, 2010. They also revised the parts of the regulation covering a business’s oversight of third-party service providers’ data security by removing the requirement for written compliance certification from vendors.

So will the law stick? Or will the state Legislature once more amend it?
In January, Massachusetts Senator Michael W. Morrissey introduced SB 173, “An Act ensuring the privacy of certain data,” to amend the data breach notice law’s authorization for the OCABR to issue data security rules. The title is misleading: the bill would do more to put data at risk than to protect it. Perhaps the title is accurate only in that the bill would help protect just “certain” types of PII.
If passed as written, this proposed law would:

  • Prevent the OCABR from mandating the use of specific types of security technology, including encryption
  • Require the OCABR to consider the size, scope, and type of businesses covered by the regulations, as well as the resources available to the covered entity and the “need for security and confidentiality of both consumer and employee information”
  • Mandate that the OCABR issue separate data security regulations for small businesses that take into account their “unique situation and resources”
  • Require that the OCABR data security regulations deem a business that must comply with federal data security laws, rules, or guidance on safeguarding personal information to be in compliance with the state regulations

Morrissey and his supporters don’t seem to realize that a small organization can handle large amounts of PII, and that small organizations have experienced more breaches of PII than most other types of organizations. Most of those breaches could have been prevented with safeguards such as encryption.
Over the past few years I’ve performed 150+ information security and privacy program reviews for a large, multi-national organization. A very large number of the business partners to whom they outsourced some type of customer and/or employee PII handling or processing were small, often very small, companies. They were literally placing the security of hundreds of millions of people’s PII into the hands of organizations, some of which had only 5 people (all related), or 7 people, and many more with fewer than 20 people. The security and privacy vulnerabilities I found within those organizations were significant.
It is not wise to create information security and privacy laws based simply upon the size of the organization. Size says nothing about the possible enormity of a PII breach when a tiny company can be processing hundreds of millions of PII records.
Legally holding all organizations that handle PII to a base level standard of information security and privacy protections is necessary. Requiring a minimum standard of encryption for PII on mobile computers and data storage devices, and for PII sent over public networks, should be a common-sense move to address the common risks to PII in these situations.
People don’t want their PII to be breached by a company of two employees any more than they want it to be breached by a company of 2,000, 20,000 or 200,000 employees.
The Morrissey bill was sent March 11 to the Joint Committee on Consumer Protection and Professional Licensure, which Morrissey also chairs, but has not seen any action since. Hopefully a good sign, but I’m now hearing stirrings from various DC groups that something will be happening soon.
If organizations would invest as much time and money safeguarding data as they do paying lobbyists to oppose legal safeguard requirements, PII would be much safer, and we’d see fewer breaches!
