Mass. Law: No Longer Strongest In Country?

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation decided to issue a revised version of 201 CMR 17.00, the regulation that outlines and enforces compliance to M.G.L. 93H.  Not only did the OCABR delay the effective date for a third time, but saying the changes in the language have “softened” the aggressive nature of the law would be an understatement.

While this is good news for the smaller enterprises, such as a business that only stores personal information of its six employees or small businesses that don’t have thousands upon thousands of dollars to spend on some of the physical and technical safeguards prescribed by the old version of the regulation, information security experts (such as the ones who wrote scathing indictments of the changes here and here) argue that this regulation has been softened to the point that is rendered worthless.  One of the authors wrote that retail firm TJX would have been compliant with this regulation when they experienced the data breach that inspired it.

Highlights from the changes:

• Perhaps the most significant change is the removal of the personal information inventory piece.  This may have been the most cumbersome and unrealistic part of the regulations, but also may have been the most important.  It is difficult to protect information if you don’t know where it is.  Other states already do require the personal information inventory in their data protection laws.
• Words like “reasonable” and “technically feasible” permeate the new version of the document, while they were used very sparingly in the old version.  Information safeguards, including encryption password strength, and the installation of virus definitions, security patches, and firewall protection, previously had specific standards to be in compliance with the law.  The new standards use the “reasonable” and “technically feasible” terminology.  As it may ease small businesses’ financial burden, these words are certainly vague and open to interpretation.
• The Frequently Asked Questions that accompany the document on the Massachusetts OCABR website further illuminate the problems with the use of these terms.  The FAQs state that email messages with personal information do not need to be encrypted if the process is not “technically feasible,” for example.  A noncompliant business can readily answer to authorities simply by saying “I did not find this safeguard to be technically feasible.”  
• The language of the regulation removes accountability for those who “store or maintain” personal information.  This would suggest that if a company keeps its records at a hosted storage facility or with a service bureau, the vendor is no longer responsible for this information.  Other provisions regarding vendor management are similarly weakened or taken out completely—a contract including compliance is required but enforcement of a vendor’s compliance is no longer documented.
• Compliance as an ongoing process is also put into question with the changes.  There is no longer language regarding assessing risk associated with information, processes, or applications and putting in appropriate safeguards.  Language requiring monitoring the effectiveness is also removed. 
• Similarly, thorough investigation of any network intrusions were previously mandated by the regulation.  They are no longer explicitly required unless unless they result in a data breach.  A business no longer has to report or document any unauthorized physical access to computer systems.  Restricting access to systems, such as server rooms, is also completely eradicated from the document.
• Language regarding employee access to personal information is substantially less stringent.  Language regarding limiting access to those with a “need to know” is eradicated and the word “immediately” has been removed from the part requiring companies to revoke physical and electronic access to records when an employee leaves the organization.

There are six months left before the revised compliance deadline.  With the revised provisions in the regulations, compliance is much more achievable.  However, compliance with these weakened regulations might not be enough to keep information safe anymore.

GraVoc Associates, Inc, located in Peabody, MA, is celebrating fifteen years in the practices of information security, information systems, and technology and professional consulting.  For more information on GraVoc’s compliance services aligned with the Massachusetts Data Protection Law, please contact GraVoc at 978-538-9055 or visit the GraVoc website at http://www.gravoc.com.  More information on this law has been covered in the GraVoc News Blog, so by clicking “Massachusetts Data Protection Law” below is also a useful source of information.

Data Breach Lessons Learned: Part 2

Continued from Friday’s post, here is more information regarding how the indictment of hacker Albert Gonzalez in connection with the biggest credit card number heist in history is significant to your business and protecting its information assets:

• As difficult as it is to announce a data breach, companies not only have the responsibility to their customers to alert authorities of a data breach, but they will also be helping the efforts of law enforcement to catch criminals like Gonzalez by announcing in a prompt manner.  Companies already implicated in highly-publicized breaches have lost immeasurable, irreparable damage to their reputations.  However, as this story develops, there has been news that Heartland may have known more about the scope of the breach than what they reported.  This may be a serious problem for the company.
• While Gonzalez is the malicious intruder in this case, the corporate victims also take a piece of the blame, whether rightfully so or not.  Securing a network is like locking your doors when you leave your house—except it takes a lot more time, effort, and money.
• With so much attention being paid lately to social engineering techniques such as phishing and the threat posed by malicious “insiders” in rough economic times, this massive data breach was executed using somewhat-traditional network hacking.  Hackers have not abandoned this tactic.
• As cumbersome as laws like the GLBA, HIPAA, PCI, and the Massachusetts Data Protection Law are, they may very well be necessary to keep individuals safe from identity fraud.

GraVoc Associates, Inc, located in Peabody, MA, serves customers in Greater Boston, New England, and beyond in the practices of information systems, information security, and professional and technological services.  The GraVoc News Blog is updated frequently to provide free information and tips to help your company’s bottom line.  For more information regarding GraVoc’s services and how they can help your company’s efficiency and security, please visit http://www.gravoc.com.

Mass. Data Protection Law Delayed, Softened

Earlier this week, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) made the decision to delay the effective date of the Massachusetts Data Protection Law (also known as MGL 93H or 201 CMR 17.00) for the fourth time.  Businesses are expected to be in compliance with this law, which is designed to protect Massachusetts residents from identity theft, by March 1, 2010.

The original effective date of this law was January 1, 2009.  It was delayed until May 1, 2009 late last year, and in February it was moved back to January 1, 2010. 

The provisions and standards of data protection have also been amended.  While the law is still perhaps the most aggressive in the country, compliance is much more attainable with the revised provisions.  The amended law can be read in PDF format here.

This announcement can be interpreted many ways.  A pessimist may look at it in a way that the effective date may never come and that Massachusetts is writing this law for a public relations purpose.  Optimists may view the four separate delays and significant amendments to the regulation as a gesture by the state saying that they are listening and they understand the needs and limitations of small businesses.  It could possibly be indicative that the state and the OCABR are serious about enforcing compliance, so they are making changes so that compliance is actually a possibility for businesses.

This news will be covered in more depth on the GraVoc News Blog towards the end of next week.

GraVoc Associates, Inc., based in Peabody, MA, is celebrating fifteen years in Greater Boston.  GraVoc works with a variety of different clients in several sectors, providing services in the practices of information security, technology and professional services, and information systems.  GraVoc’s information security team has several years’ experience serving the highly-regulated financial services industry, and is committed to helping clients from any industry comply with the Massachusetts Data Protection Law.  For more information about GraVoc and its M.G.L. 93H compliance services, please visit GraVoc.com.

Lessons Learned in Data Breach Indictment

The indictment of Albert Gonzalez and two other co-conspirators in connection with data breaches resulting in 130 million credit card numbers stolen is massive news.  This is the largest breach of credit card numbers ever recorded, and the fact that someone was caught speaks volumes about the efforts of law enforcement officials.  However, this indictment doesn’t change the fact that the numbers were still compromised and the corporate victims—the businesses that had data stolen off of their networks—have suffered irreparable damage both in terms of regulatory compliance and corporate reputation.  There are many lessons to be learned about this incident.  The GraVoc News Blog will outline this information in a two-part series.

• Albert Gonzalez is already currently in prison for his involvement of a previous high-profile data breach involving TJX, Dave & Buster’s, BJ’s, and other companies.  In his career as a hacker, he very well may have stolen 200 million credit card numbers!  Each of these operations, while certainly sophisticated, were reasonably small.  This news shows how readily available credit card numbers can be if a network is violated.
• This attack was well-planned and well-researched.  The scope of this group’s “research and development” included driving with a computer to evaluate the security (or lack thereof) of potential victims’ networks using a variety of tools, many of which may also be used by companies like GraVoc to help companies identify vulnerabilities in a network’s perimeter.  Potential victims were also qualified by researching the means of payment processing.
• The attack was carried out with a SQL injection and installation of malware, exploiting network vulnerabilities that were previously identified and documented.  These attacks typically exploit “poorly-coded” applications, and when these vulnerabilities are initially found, they are documented and resolved in an updated version of the application.  In other words, many of these vulnerabilities are the result of a company’s lack of diligence regarding updating software versions.
• Experts agree that despite the diligent preparation for this attack, an SQL injection is not a difficult exploit to execute.  While Albert Gonzalez may be behind bars, he is hardly the only hacker in the world who can exploit the same vulnerabilities in this manner.

GraVoc Associates, Inc. of Peabody, MA, is dedicated to ensuring its clients in Greater Boston, New England, and beyond are aware of the ever-changing environment of information security.  The GraVoc News Blog will continue documenting four other “lessons learned” early next week.  For more information regarding GraVoc’s services in information security, information systems, and technological and professional services, please visit http://www.gravoc.com.

GraVoc Adds Stefanie Marsh to IS Practice

GraVoc Associates Inc. is proud to announce the hiring of Stefanie Marsh as a Senior Associate in their Information Systems practice.  Stefanie will add her experience and strong work ethic to GraVoc’s information systems practice. 

The hiring of Stefanie is to respond to the needs of a rapidly-growing customer base in ERP systems implementation.  Last year, GraVoc was recognized as the second-largest Microsoft Business Solutions reseller in New England in terms of sales, up from fifteenth the year before.

Stefanie, a resident of Dover, NH, has fifteen years of experience in consulting and in operations experience in a diverse environment of manufacturing and distribution companies.  Her previous work has spanned the medical manufacturing, high-technology, and retail fields.  With Stefanie’s experience comes a high level of understanding of these business processes as well as the difficulties and challenges encountered by firms in the market for enterprise resource planning (ERP) solutions.

A graduate of the University of Rhode Island and a mother of two, Stefanie enjoys spending time with her family, visiting Disney World, and outdoor recreation.  She also devotes much of her free time to community service, as she is active in the JDRF Seacoast Committee to benefit juvenile diabetes research.

GraVoc Associates, Inc. extends a sincere welcome to Stefanie.  As they celebrate fifteen years of business in the practices of information systems, information security, and technology and professional services, GraVoc has added three full-time staff members in the last year.  GraVoc has maintained Microsoft’s Gold Certified Partner status for several years through their efforts in a challenging re-certification process and through their competence and ability to outfit enterprises in Greater Boston, New England, and beyond with appropriate and robust ERP, CRM, and other solutions.  For more information about GraVoc’s offerings, including software products developed by GraVoc’s programmers, please visit GraVoc.com. 

Vacation Over?

As the summer begins to wind down and many executives and employees return from their well-deserved vacations, just over the horizon lies a great deal of challenges in the fields of information security.  Perhaps two of the largest information security-related challenges facing almost every business in New England include the specter of a pandemic event taking full grasp of the entire world and the January 1st effective date of the Massachusetts Data Protection Law.

As far as the H1N1 (swine flu) virus goes, the effects of many people becoming ill, the potential of the flu becoming more potent, and public fear surrounding the outbreak will undoubtedly have a noticeable impact on virtually every business.  This goes well beyond encouraging your employees to wash their hands for twenty seconds and putting hand sanitizer in places of business interaction.  Executives will have to ask themselves:  “What do I have to do if 40% of my staff—and 40% of everyone else’s staff—is out sick?”  With employees sick or taking care of families if schools are closed for social distancing purposes, this is a distinct possibility.  It presents a wide range of challenges regarding your ability to continue business operations.

The Massachusetts Data Protection Law, going into effect on January 1st, presents an equally-daunting challenge.  This law requires an aggressive standard of logical and physical controls to protect every piece of personal identifiable information pertaining to a Massachusetts resident in an enterprise.  The enterprise doesn’t have to be in Massachusetts to be subject to this regulation if it has a Massachusetts resident’s name with a social security number, government-issued ID number, financial account number, or credit/debit card number.

Both of these issues are bound to give businesses across all sectors a fair share of headaches.  As evidenced by past posts on the GraVoc News Blog, GraVoc Associates has devoted time and effort to stay on top of both of these impending challenges.  For many years, GraVoc has helped clients design pandemic event plans and has helped these plans remain effective through testing.  The GraVoc information security practice is built on the foundations of achieving compliance with strict regulations and keeping clients’ information safe from both outsiders and malicious insiders.

GraVoc Associates, Inc, celebrating 15 years on the North Shore outside of Boston, is committed to helping clients in their three practices of information systems, information security, and professional and technological services.  The information security practice historically has worked extensively in the highly-regulated financial industry.  For more information on the products and services provided by GraVoc, please visit GraVoc.com.

Flip Flop Friends Complete Walk

GraVoc Vice President Cathy Gravel and her “Flip Flop Friends” teammates successfully completed the Breast Cancer 3-Day event last weekend.  This event included approximately sixty miles of walking throughout the greater Boston area over three days, and its proceeds went to benefit Susan G. Komen for the Cure.

Thousands of walkers braved unfavorable conditions, including rain on Friday and heat on Saturday as they trekked from as far west as Framingham and as far north as Woburn before finishing at the University of Massachusetts-Boston.  In addition to the physical challenge of the walk, each participant raised over $2300 for breast cancer research.

Cathy, as well as teammates Gina Braz-Rocha, Karen Braz, Terri Garofano, and Jean Hallinan, were extremely grateful to all their supporters, and the GraVoc organization is proud of the team’s accomplishments.