SearchSecurity.com published an article by me yesterday (Interpreting 'risk' in the Massachusetts data protection law) concerning the risk-based elements of Massachusetts' data security regulation (201 CMR 17.00, et. al). The gist of the article is that any company that chooses anything less than "strict compliance" with the specific written information security policy ("WISP") and control requirements of the regulation must be able to legally support their decision based on the regulation's risk elements. What this amounts to is developing a legal opinion interpreting and applying those risk-based factors to the organization's particular circumstances.
Massachusetts' Office of Consumer Affairs & Business Regulation (OCABR) recently released a revised version of its "Standards for the Protection of Personal Information of Residents of the Commonwealth" (the "Regulation"). This August 2009 version modifies the February 2009 version of the Regulation. The press release for the new revision is here, and the FAQs released by OCABR appear updated to address some of the changes in the regulations.For ease of reference, ISC has taken the time to create a REDLINED VERSION showing the revisions in the new Regulation. The redlines indicate changes between the February 2009 version and the August 2009 version of the Regulation. Also included below is a summary of some of the more significant changes.
In the last post, I talked about the role of encryption in fashioning a "reasonable" security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.