Data Security Regulations Require Action
By Kenneth Leeser, President, Kaliber Data Security and Compliance
The oft-delayed Massachusetts Data Privacy regulations (201 C.M.R. 17.00) finally go into effect on March 1, 2010.
While most states (44 by last count) have enacted Data Breach Notification statutes, the new Massachusetts law goes much further by mandating that businesses be proactive in their efforts to protect Massachusetts residents’ personal information.
This “first in the nation” initiative is already prodding the federal government to take up the issue in order to stave off a patchwork of individual state regulations.
The Massachusetts regulation requires organizations to implement written programs for the protection of personal information which include employee training requirements.
This is a strong acknowledgment that proper data security programs not only involve hardening the perimeter with firewalls, disk encryption and Intrusion Prevention Systems, but must also include the implementation of appropriate employee policies and procedures, training and enforcement.
What do the Regulations Cover?
At the heart of the standards are the development and implementation of a written information security program (WISP) and the establishment of a security system covering the computers and physical files of businesses that contain the personal information of Massachusetts residents.
The standards specify mandatory minimum requirements for every program. Each program shall:
- Designate one or more employees to maintain the program;
- Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the records containing personal information, and evaluate and improve the effectiveness of the current safeguards for limiting such risks;
- Develop security policies for employees as to whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises;
- Impose disciplinary measures for violation of the program;
- Prevent terminated employees from accessing records containing personal information by immediately terminating their access to such records;
- Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information;
- Limit the amount of personal information collected to that reasonably necessary to accomplish a legitimate purpose for which it is collected;
- Place reasonable restrictions upon physical access to records containing personal information;
- Monitor regularly to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrade information safeguards as necessary to limit risks;
- Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security of records containing personal information.
How can Organizations Improve Employee Awareness, Monitoring and Enforcement?
Kaliber Data Security, along with its partners TraceSecurity, eLearning Corner and Perimeter eSecurity, has established a unique three-pronged employee awareness and enforcement program.
The first component is an employee portal to which IT security policies can be uploaded and through which compliance can be monitored.
Employees are automatically made aware of policy changes and are required to validate their acceptance on an annual basis.
The second aspect of the program is a comprehensive on-line training course which is also served through the portal.
The course, which runs about 30 minutes, covers all of the major components of modern security compliance, and a quiz is administered to verify users’ successful completion of the course.
Finally, utilizing Perimeter’s eMail Content Filtering program, firms can establish security standards and prohibit emails that contain personal information from being sent unencrypted.
Closing the Employee Security Gap
According to a recent article in the Boston Globe, over 800 data breach incidents occurred in Massachusetts in 2009, and over 40% of those were the result of improperly trained or lax employees.
It is foolish for businesses to continue to invest in the technical hardware and software that ostensibly protect their systems while leaving a huge gap of untrained, uneducated and unmonitored employees.
While zero data leakage is most likely unattainable, the prodding provided by the new Massachusetts regulation (and similar pending federal legislation), combined with solutions like the ones offered by Kaliber, will at least make businesses and employees more cognizant of the risks and penalties associated with the unauthorized disclosure of personal information, and will have the effect of reducing the number and magnitude of data loss incidents.
* * *
Ken Leeser is President of Kaliber Data Security and Compliance Consultants LLC. Ken founded Kaliber to meet the needs of businesses looking for real world solutions to improve their data security programs, comply with statutory and industry regulations and enhance their corporate reputations.
Kaliber focuses on data encryption, policy development and the education and training of employees in the proper protection of sensitive information through the use of online tools and programs. For further information please visit http://kaliberdatasecurity.com or contact Ken directly: ken.leeser@kaliberdatasecurity.com - http://twitter.com/KALDataSecurity
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com