Here is your IBM i security tip for April, 2009 from SkyView
Partners, Inc., World Class IBM i & i5/OS Security Experts.
Why should you care what happens in Massachusetts unless you live there?
Good question.
The answer is because what happens in states such as California and
now Massachusetts tends to spread to other states. The breach notification
law started in California has spread to almost all of the States and
similar ones are being debated across Europe and Asia. If the Massachusetts
privacy laws spread like the California law, you'll want to be prepared.
Let's take a closer look.
What's Happening in Massachusetts?
There's a new law - officially known as 201 CMR17.00 - Standards for
the Protection of Personal Information of Residents of the Commonwealth.
The law establishes standards for organizations that store or maintain
personal information about a resident of the Commonwealth (or State)
of Massachusetts. The purpose of the law is to (i) ensure the security
and confidentiality of this personal information in a "manner consistent
with industry standards, (ii) protect against anticipated threats or
hazards to the security or integrity of the information, and (iii) protect
against unauthorized access to or use of the information in a manner
that creates a substantial risk of identity theft or fraud against such
residents." Massachusetts defines personal information as a Massachusetts
resident's first name and last name or first initial and last name in
combination with any one or more of the following: (a) Social Security
number; (b) driver's license number or state-issued identification card
number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification
number or password, that would permit access to a resident's financial
account; It does not include any information that can be lawfully obtained
from publicly available information, or from generally available federal,
state or local government records.
Right away you can see that this law - like the original California
breach notification law - affects non-Massachusetts-based organizations..
You only need the record of one Massachusetts resident in your database
to be affected by this law. So what if you are affected? Or what happens
if similar laws start to spread to other states or countries? Let's
talk about why you should care about this law and what you'll need to
do if you're affected.
Why you Should Care
While not as specific as the Payment Card Industry's Data Security Standards,
unlike most data privacy laws - even the long-standing EU Data Protection
Directive - this law dictates the use of specific protection mechanisms
and other actions that should be taken to protect the private data.
For example, it requires that access to private data be restricted to
only "those who need such information to perform their job duties".
In addition, it requires that the protection be addressed in a comprehensive
manner. It demonstrates this by requiring education and training of
employees on the "proper use of the computer security system and
the importance of personal information security" as well as the
appointment of "one or more employees to maintain the comprehensive
information security program". Most laws just state the fact that
data must be protected. They don't dictate how the data is to be protected.
The Cost of Non-Compliance
Beyond being the "right thing to do" to protect this data,
another motivating factor for compliance with this law are the penalties.
This law is associated with the Massachusetts breach notification law
(Massachusetts General Law 93H) which allows for civil penalties to
be levied.
Compliance Deadline
Fortunately, you have a few months if you must comply with the Massachusetts
law. The original date for compliance had been January 2009, then it
was moved to May 2009 and is now set for January 1, 2010.
Want to know more ...
I've performed an analysis of the Massachusetts Data Protection Law and
included compliance tips as well as tips for using the SkyView products
to ease the pain of compliance. For more information ...
Click here for a copy of Carol Woodbury's complete analysis on
Understanding
Massachusetts Law 201 CMR 17.00
SkyView Partners Can Help
-
With Risk Assessor you see your systems security settings compared
to security best practices. The output lets customers understand
vulnerabilities and determine adjustments to security policy.
- With Policy Minder you can monitor compliance with security policy
and quickly return your security configuration to comply with the
established security policy.
About the author
Carol Woodbury spent 16 years with IBM in Rochester, MN. She served
for more than 10 years as the AS/400 Security Architect and Chief
Engineering Manager of Security Technology for IBM's Enterprise Server
Group. During this time Carol provided security architecture and design
consultations with IBM Business Partners and large AS/400 customers.
She is known worldwide as an author and speaker on security technology,
specializing in IBM i & i5/OS security issues. Carol authored
the popular book, IBM
i & i5/OS Security & Compliance: A Practical Guide, has
written numerous articles on security and is a technical editor for
the IBM Systems Magazine. Carol is also security author for Experts
Journal, contributing author on security for System iNEWS and MC Press
Online and the security expert for search400.
|
