Archive for April, 2009

Massachusetts Data Privacy Law and Regulation

Monday, April 6th, 2009

By: Michael J. Corby, M Corby & Associates

Overview:
The Commonwealth of Massachusetts has joined the many other states in enacting a law that protects its citizens from improper release of private data. The law and subsequent explanatory regulation identifies the data that must be kept private, establishes standards of due care, and prescribes penalties for failing to act properly.

The statute is Chapter 93H of the Massachusetts General Laws, enacted by the state legislature and signed into law on August 4, 2007. The compliance deadline for its implementing regulation was originally set for January 1, 2009, but has since been extended to January 1, 2010. The sponsoring agency is the Office of Consumer Affairs and Business Regulation (OCABR).

Commonwealth of Massachusetts Regulation 201 CMR 17.00 has been issued to guide compliance with and enforcement of the law. This regulation establishes the scope of the law and prescribes twenty specific areas that organizations must address to be considered in compliance. Twelve of the areas deal with the information security program in general, and eight deal specifically with the security of electronic data (computer system security requirements).

Scope of the Statute:
The Privacy Law is designed to protect Massachusetts residents from inappropriate disclosure or use of their personal information. Personal information is defined as a resident's first name (or first initial) and last name in combination with any one or more of the following:
• Social Security number,
• Driver's license number,
• State-issued identification card number,
• Financial account number,
• Credit or debit card number, with or without any required security code, access code, personal identification number or password.
It applies to any organization or person that owns, licenses, stores or maintains the above personal information about a Massachusetts resident. (Notably absent from this list of covered organizations is the government.) Information lawfully obtained from publicly available sources or from government records lawfully made available to the public is not covered by this statute.

Inappropriate activity includes either unauthorized disclosure to a person not permitted to view the information or unauthorized use by a person permitted to view the information but not use it in the context in which they have used it.

Key Elements of the Regulation:
201 CMR 17.00 specifies that the organization that manages the data must, at a minimum:
• Designate an individual as a Data Security Coordinator who will administer the organization's data privacy program;
• Create a comprehensive written information security program ("WISP") that defines the organization's specific policies and procedures governing the protection of the personal data elements;
• Train, and provide refresher training for, all employees who come in contact with personal data;
• Monitor compliance with the WISP at least annually, or more frequently as business needs dictate;
• Conduct a risk assessment that determines the extent of protection that must be implemented to ensure personal data is not misused. That risk assessment should consider transaction or data volume, frequency, financial value, handling environment and threat potential;
• Verify that every third-party provider ("TPP") holding the data is performing all duties in compliance with this regulation; data managed by a TPP is not exempt from this statute, and the controlling organization remains responsible for it;
• Recognize breaches of security and, as the statute (Chapter 93H, Section 3) requires, report them in a timely manner to the individual(s) whose data has been compromised, to the Massachusetts Attorney General's office and to the Office of Consumer Affairs and Business Regulation. Notice may be delayed only if law enforcement determines that it would impede a criminal investigation;
• If a breach occurs, document the responsive actions taken and conduct a mandatory post-incident review, making any changes to business practices needed to prevent recurrence and to close similar weaknesses.

We Are Ignoring Serious Systemic Risk

Monday, April 6th, 2009

Author: Charles Cresson Wood, Independent Information Security Consultant

One of the big risks in the financial world, and one that caused our current banking crisis, was the level of exposure taken on through derivatives. For example, AIG admitted that it did not include certain scenarios in its models of the risks associated with selling such financial instruments. They knew these risks existed, but they didn't examine them closely, and as a result they didn't factor them into their decision-making. The bloodbath we are all suffering is the result.

The same problem is found in the information security and business contingency planning fields. In information security, we worry about intruder break-ins, the latest zero-day attack, and some new phishing attack used to perpetrate identity theft. Our examination of risk is superficial, and it does not consider what would happen if we had no electricity to run a data center for an extended time. Likewise, in contingency planning, we worry about workplace violence, a fire in the headquarters building, and a chemical spill that keeps people away from the manufacturing plant. Again, we fail to come to terms with the systemic risk that underpins everything we do: the extent to which our economy is dangerously dependent on abundant, low-cost energy.

While there are certainly other systemic risks, one of the most serious and least examined is the fact that we are running out of petroleum. The International Energy Agency (an autonomous agency within the OECD framework, not a United Nations body) issued a report in late 2008 indicating that production from the world's existing oil fields is declining at roughly 9.1% per year absent new investment. This cannot help but have a profoundly negative impact on business and government. But where are our scenario analyses? Where are our transition plans to alternative energy? Where are our contingency plans for dealing with rapid increases in the price of petroleum-based fuels, rationing, and intermittent shortages?

It's time we honestly dealt with the fundamental systemic risk on which the industrialized nations of the world have been built: the fact that we are running out of fossil fuels. People need to know that viable solutions exist for dealing with this risk, such as the dozen or so commercially available alternative fuels. It remains to be seen whether we will adopt these technologies before massive structural damage is done to our economy because we insist on remaining in denial about the systemic risk we face. It is time to brace ourselves for the energy equivalent of the Bernard Madoff Ponzi scheme meltdown.