What paves the road to our security? By Mikhail Utin, Dan Utin
Concerns over the protection of personal information and 201 CMR 17.00 Regulation
Our personal information is continuously transmitted across the World Wide Web and through numerous companies, private organizations and government entities. Securing our personal information is akin to securing our lives, and losing it can have severe consequences.
According to various internet sources, the Massachusetts Attorney General's office receives two to three calls per day concerning the loss of personal information. While this may seem an insignificant number, once other factors such as unreported cases are taken into account, the risk of losing personal information could be as high as 10-15% per year. That means that within the next few years, every MA citizen faces a significant risk of becoming a victim of cybercrime.
Does the government recognize such risks to its citizens? Yes, it does. There are numerous international (e.g., the ISO 27000 series), federal (e.g., HIPAA, SOX, GLBA), private (e.g., PCI) and state regulations aimed at reducing this risk. The most significant effort is the Commonwealth of Massachusetts' promulgation of Regulation 201 CMR 17.00 (the Regulation), which remains fairly unknown to ordinary citizens. The Regulation was signed by the governor in 2008 and had three compliance deadlines, the final one being March 1, 2010. After this date, almost all businesses have to be compliant with the Regulation. By our estimate, 99% of the Commonwealth's 600,000+ businesses must take affirmative steps to achieve compliance.
This Regulation is the most significant step in the protection of personal information taken by a government entity. It is the first time in the US, and as far as we know anywhere, that a government has required security to be imposed on an entire business community. The Regulation requires the protection of any amount of personal information, regardless of where a business or organization keeps or processes it. That is why we call it "grass-level security". Should we now feel more secure, because businesses are regulated by the government on this matter and are all simultaneously improving the protection of our information? Unfortunately, the answer is No. The reality is that the majority of the Commonwealth's small businesses are either unaware of the Regulation or are silently ignoring it.
Unenforceable Regulation and how to make it work
We identified this unawareness well before the March 1, 2010 deadline. In September 2009, the Office of Consumer Affairs and Business Regulation (OCABR) held a public hearing at which we presented our point of view. We took the stage to explain our experience (and sent a memorandum thereafter) that the majority of businesses, including medical care companies, are unaware of the Regulation or do not consider it anything serious enough to warrant affirmative action on their part. This seemed to surprise the OCABR management. However, the following months revealed that OCABR did almost nothing to inform the Commonwealth's business community about the mandatory compliance deadline of March 1, 2010. There were at least two opportunities to inform businesses statewide. For instance, every January each registered Massachusetts business receives a post card carrying the business's identification codes and reminding it to file an annual report on the government web site. Any 201 CMR 17.00 related information on this card would constitute official notification and would be treated as a serious matter. However, the government site where annual reports are filed gave no notice of the mandatory compliance. Moreover, the government could request the compliance status of each business on the annual report site, in which case the compliance status would be known, more or less accurately, across the state. It remains unclear how the government intends to control the compliance process before and after the deadline, if at all.
We may assume that the government's position was, and is, that it is everybody's own responsibility to learn of the mandatory compliance with the Regulation by any available means, such as gossip, rumors and private initiatives. We nevertheless expected that compliance status would be audited after the deadline in order to enforce the Regulation. Otherwise, what was the point of passing the Regulation if there is no intention to enforce it? According to MGL Part 1, Title XV, Chapter 93A, the government can assess a civil penalty of not more than $5,000 for failure to comply. The possibility of being fined for non-compliance could be posted either on the post card or on the annual report web site discussed above. That would make clear to businesses that the government is serious about enforcing the Regulation.
Immediately after March 1, 2010, we checked whether the Commonwealth government was planning an audit of 201 CMR 17.00 compliance, and thus enforcement. We found a similarly grim situation. Unnamed government officials expressed the opinion that audits will be conducted only as a follow-up to known cases of data loss, ignoring the very meaning of compliance as a preventive measure. They cited a lack of resources to explain the government's inability to control the situation. However, this explanation does not seem to match reality. There is a fine of up to $5,000 for deliberately avoiding compliance. Compliance can be easily checked at the doorstep of any business by asking whether it can present a Comprehensive Information Security Program (CISP) to the auditor. Having this written document is the #1 requirement of the Regulation. It would be enough for just a few auditors to visit the towns of the Commonwealth one by one and ask businesses to show a CISP. Needless to say, 90% of businesses do not have a CISP yet. Such a simple audit would speed up the compliance process by orders of magnitude, making all of us more secure.
Lessons learned from HIPAA
The HITECH Act, part of the American Recovery and Reinvestment Act (ARRA) of 2009, with its deadline of February 17, 2010, clearly identifies what the Regulation lacks with respect to enforcement. Quote: "Sec. 13410(c) Distribution of Certain Monetary Penalties Collected. - (1) any civil monetary penalty or monetary settlement collected with respect to an offence punishable under this subchapter shall be transmitted to the Office for Civil Rights of the Department of Health and Human Services (DHHS) to be used for purposes of enforcing the provisions of this subtitle ..." A similar provision in the Regulation would create the legal ground for what we suggest above and would make the Regulation truly enforceable.
HIPAA, since the April 21, 2005 deadline for its Security Rule, was in a very similar situation to the one the Regulation is in now: enacted, but not enforced. With the exception of large medical service providers, everyone quietly ignored HIPAA despite its very serious security requirements. This situation will change very soon, considering that penalties for violations have increased significantly, up to $1,500,000 per year, and that all penalties will be collected by DHHS and used for enforcement.
Having an unenforced regulation is akin to having an unenforced speed limit on the state highways. It is like posting a speed limit of 65 mph, assigning only a handful of police officers statewide to watch the traffic, and issuing a fine only after a car accident involving speeding. If enforcement comes only after an accident, the roads of Massachusetts would quickly resemble Formula One racing conditions on every state highway!
It fails, but is there a plot?
Finally, we can answer the question posed in the title: the road to our security is paved with "good intentions", as usual. The government spent taxpayers' money to develop the Regulation and get it through the House, working through three versions, deadlines, hearings, etc. All of these activities cost money, which has been spent without any follow-up to enforce the Regulation, and without even knowing the status of compliance across the state. The security of our personal information is not improving as planned, and nobody knows when or how it will improve. We see yet another regulation coming to protect us, this time at the federal level. S.1490, currently in Congress, is very similar to the Commonwealth's 201 CMR 17.00. However, ten heavyweight private organizations, including the US Chamber of Commerce, oppose S.1490, and only one, the American Civil Liberties Union, supports its passage. It is possible that the activity of the Massachusetts branches of this "Group of 10" is what brought such a promising personal information protection regulation to its current status, with "RIP" engraved on its tomb.
There are three well known federal regulations covering the protection of personal information: HIPAA, SOX and GLBA. Why, then, do we see so much pressure to disable the new Massachusetts initiative and the future federal law? The answer is that 99% of businesses and organizations are expected to comply with 201 CMR 17.00, and there is an opinion that such compliance will seriously burden businesses. While it is true that the majority of US businesses do not understand information security management, and that most of their experience amounts to having anti-virus software and a firewall, the effect of the new regulation(s) is definitely overestimated. If the government does not control the compliance process, as is now the case in MA, there will be chaos around the US, with nobody knowing what to do. If the federal government provides guidance, develops a typical compliance process schema and sample security programs that are easy to use and available on the web, then the process will be under control and will move gradually toward the goal of making our lives more secure. Of course, one of the cornerstones of the compliance process should be self-assessment with mandatory reporting to the government and continuous audits.
Conclusion: If we can do it, you can do it as well
To prove that such a compliance process can be designed and implemented, we set up a 201 CMR 17.00 compliance process for Massachusetts businesses and organizations. After a straightforward self-assessment, our portal software at www.rubos.com creates a security program individually crafted to the business profile. The software addresses all the compliance requirements, including consistency with other state and federal regulations.
We believe that, under political pressure and with a general inability to define the compliance process and its control measures, the Massachusetts government lost a unique opportunity to be the first state in the union to provide its citizens with a high level of protection of personal information. However, by amending the Regulation along the lines of HITECH and creating an auditing task force, the situation can be changed and the security of personal information in the Commonwealth significantly improved, as was the original goal of Regulation 201 CMR 17.00.