Analyzing the Risk-Based Factors of Massachusetts' Data Security Law

SearchSecurity.com published an article by me yesterday (a copy can be found here; the original is here) concerning the risk-based elements of Massachusetts' data security regulation (201 CMR 17.00, et seq.). The gist of the article is that any company that chooses anything less than "strict compliance" with the specific written information security policy ("WISP") and control requirements of the regulation must be able to legally support that decision based on the regulation's risk elements. In practice, this means developing a legal opinion that interprets those risk-based factors and applies them to the organization's particular circumstances.

While a legal exercise is necessary for determining compliance with any statute that mandates security or privacy requirements, the Massachusetts regulation's hybrid approach (i.e. specific controls mandated with a general risk-based hedge) potentially complicates the analysis. Without a legal analysis to interpret and apply the risk-based factors and resolve ambiguities in the regulation, or a legal understanding of how regulators, judges and plaintiffs' counsel may interpret the regulation, companies run a serious liability risk. Moreover, companies may get into trouble if they fail to document their rationale: if and when a breach occurs or regulators come knocking, the organization must be able to explain its risk-related decisions and how it complied with the law. The task is further complicated because risk is a moving target for organizations. As the company gets bigger or retains more personal information, or when new attacks or technologies arise, the company must reevaluate its risk, and the WISP and controls it has in place to address that risk.

To minimize legal risk, compliance efforts should all be performed under attorney-client privilege to shield certain compliance communications from class action lawyers, regulators and courts. In short, companies need to treat compliance with the Massachusetts regulation (and other security laws) as a legal exercise as much as a security exercise. The main question in this specific context is: "if something goes wrong, do we have a reasonably defensible legal position concerning our WISP and security controls in light of the law?"

Comments (2)
Steve Meltzer - November 19, 2009 10:58 AM

I have, for some time, been struggling with the fact that so many other types of professionals have "thrown their hat in the ring" to provide compliance services with respect to the new Massachusetts regulations (and other privacy regulations as well). Initially and intermittently I have thought, "isn't legal compliance the practice of law?" On the other hand, non-lawyers are constantly providing compliance functions. This frames the issue a bit differently and helps, to some extent, articulate why it may be possible and even ethical for non-lawyers to provide these compliance services; but why it is not advisable and perhaps even a bit reckless for organizations to do so.

Thank you for the insight and analysis.

David Navetta - November 19, 2009 11:32 AM

Steve, since it derives from a regulatory obligation it is a matter of legal compliance, and legal services are being rendered by any person that says "in my opinion you are compliant with the law." That is not to say that non-legal security professionals don't play a role (and a huge one at that). This is the classic example of overlap between the legal and security professionals. Yet we do see many security firms and consultants going forward without a legal analysis (e.g. my out-of-the-box solution will make you compliant). Beyond rules about the unauthorized practice of law, the failure to have worked things through the legal prism can increase liability risk for organizations (especially with laws like the Mass law). Bottom line, when something goes wrong companies are going to be in front of a bunch of lawyers (not security pros) trying to prove they did it right.
