Massachusetts Data Privacy Regulations – Are You Protected?

David Ting
Feb 03, 2012

A recent Gartner Blog Network post and Wall Street Journal article both focus on new, stricter data regulations being passed in several states, including Massachusetts. The final set of the Massachusetts regulations focus on restricting employee access to data, monitoring malicious activity on the network, and strong authentication protocols. The new regulations will go into effect beginning January 1, 2009.

While it sounds like common sense legislation, and represents a good step forward in helping mitigate data breaches, the new regulations will have a wide ranging impact and will affect every business in Massachusetts that comes into contact with consumer information - including financial services organizations, healthcare organizations, and even educational institutions.

A closer examination of the regulations shows that they're very similar to the Payment Card Industry (PCI) Data Security Standards (DSS). That's good news for many companies that handle financial information and have achieved PCI Compliance, or those that are working towards compliance. In fact, a recent survey of IT decision makers commissioned by Imprivata examining identity management trends in PCI compliance, shows that a majority of companies are either currently compliant with PCI standards, or plan to be in the next 18 months.

The departure from PCI comes from the types of information that need to be secured - the new regulations go beyond financial information and cover any personal information a business might collect, including bank account information, social security numbers, etc... This impacts a large number of businesses that might not have fallen under the PCI umbrella.

If your business falls under that category and you haven't gotten started on your way to compliance with these new regulations, a good place to start is to make sure you have access policies in place to control how users access information. Implementing strong authentication wouldn't be a bad idea either as it ensures that access to records are controlled and you can verify and report on the identity of the user accessing the data.

From an IT stand point, this means that, not only do all users in your business have distinct passwords and logins but each user has the authorized rights to access the information. Consistent with the principles of role-based access and least privileged access, you also want to make sure the level of access granted to users is consistent with their job function and restricted in scope. Above all, IT systems need to have authentication, authorization, and traceability to demonstrate user accountability for whatever information they're accessing.

Most importantly, businesses need to ensure that when employees leave or job functions change, there is a quick way to deactivate access to information. This is a critical step in preventing a data breach, ensuring that former employees can't access sensitive information and applications once they're no longer part of the company, and ensuring that unauthorized personnel can't access the same information using access credentials provided by their former colleague. How often have we heard of data breaches traced back to expired accounts belonging to innocent former employees that no longer have access to the system? Keeping your IT and applications accounts in sync with active employee is just good IT housekeeping.

These new regulations put the onus on the business to make sure they're taking proactive steps to protect sensitive customer information. While the new regulations haven't outlined the potential penalties for violation yet, the threat of a fine shouldn't be the trigger for an action when it comes to protecting customer information. Nor should businesses wait until they have a breach before getting serious about security - these are common sense steps that all businesses should take to ensure that they're protecting their critical assets and data.

Is your business impacted by the new regulations? If so, where are you starting your journey to protect your business and your customers?

-David