Post on 14-Jan-2015
description
INMAN TECHNOLOGYIT ______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
Testimony of InmanTechnologyIT of MassachusettsSarah Cortes, PMP, CISA, President
Before Chairman Michael W. Morrissey, Chairman Theodore C. Speliotis and Members of the Joint Committee on Consumer Protection and Professional
Licensure in Support of S. 173, and Act Ensuring the Privacy of Certain Data
My name is Sarah Cortes and I am a technology professional in Massachusetts. Among
other services, I follow and advise clients regarding the development of rules for the
protection of personal information for residents of the Commonwealth, as well as laws
and regulations with federal and other state jurisdictions and internationally. I also write
extensively about security, privacy, surveillance, and technology. I wish to express my
appreciation to the Administration for extending the general effective date of May 1,
2009 to January 1, 2010. As a security professional, I support S. 173, which would
improve upon M.G.L. 93H. However, I remain concerned about wide-ranging rules
which present significant enforcement challenges and could lead to widespread
noncompliance, rendering a setback for overall compliance efforts. I urge the
Administration to review rules and regulations in comparison with federal and other
states laws, policies and regulations, and to revise them to ensure consistency and
enforceability.
I support S. 173 because it:
Remains consistent with Federal law and regulations.
Avoids technology-specific requirements that will quickly render it obsolete
Facilitates for organizations the enforcement of their data security policies on
employees who willfully violate data protection rules, regulations and policies.
SARAH CORTES, PMP, CISAMAY 12, 2009
INMAN TECHNOLOGYIT ______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
Protecting personal information is a necessary activity and in the interest of the public,
including consumers, businesses, and other organizations. The development of a
reasonable public policy is vital for our economy. As a data security practitioner, I see
my clients continually struggle with the complex nature of technology and operational
implications.
These clients include:
Fortune 500 financial services, biotech and technology firms headquartered in
Massachusetts, who operate in all 50 states as well as internationally
Colleges and universities located in Massachusetts but with associated overseas
institutions
Small web design and social media service delivery firms operating in multiple
states
Medium-sized training and certification delivery businesses based in
Massachusetts but operating in multiple states
Medium-sized non-profit organizations operating in multiple states
Small non-profit organizations operating only in Massachusetts but with donors
residing in many states
The jurisdiction and scope of the Massachusetts law, “persons who own, license, store or
maintain personal information about a resident of the Commonwealth of Massachusetts,”
presents issues as well. From a technical standpoint, the difficulty of continually sifting large
databases that change minute-by-minute, lead to many possibilities, including:
SARAH CORTES, PMP, CISAMAY 12, 2009
INMAN TECHNOLOGYIT ______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
A database that contained no in-scope data and was not subject to regulations could
add a Massachusetts data record and fall in scope within minutes. Detecting the
presence of Massachusetts residents in databases from minute-to-minute presents
technical challenges and expenditure of resources
Due to failover and disaster recovery technology as well as cloud computing,
third party firms engaged in a primary business of storing data for third party
clients or providing computing services for such clients could find in-scope data
of Massachusetts residents on their servers or storage devices due to a failover or
split-second transfer of data. These firms not subject prior to data privacy laws
could suddenly find themselves subject in this fashion
Due to these and many other scenarios, I can testify that the Massachusetts data privacy
laws and regulations, as written, essentially could extend far beyond Massachusetts to
include many organizations who do little or no business with Massachusetts residents.
This is because firms will need to invest time and resources to develop the ability to
ensure to themselves and outside auditors and examining bodies that, from minute to
minute, they remain exempt.
I advise clients in a number of technology areas, including:
Complex Application Development/Implementation, like large projects with over
100 technical staff implementing, for example, trading systems
IT Security/Privacy/ Risk/Audit management, performing risk assessments and
managing large security implementation projects
SARAH CORTES, PMP, CISAMAY 12, 2009
INMAN TECHNOLOGYIT ______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
Data Center Operations Management, including vulnerability scanning but also
day-to-day operations
Disaster Recovery/High Availability, reviewing infrastructure and network
architecture and advising on restructuring for resilience; and
Technology Program/Project Management.
In educating and advising my clients about Massachusetts Data Privacy laws, about
which there continues to be widespread lack of awareness and understanding, I find a
general view emerging. This view holds that the regulations are so far-reaching, yet
vague, that they are unenforceable and organizations need not fear enforcement. I do not
endorse this view, and have written many papers and articles urging and explaining
compliance, including an article that appears today on a national media outlet,
TechTarget, www.ITKnowledgeExchange.TechTarget.com/IT-Compliance/
understanding-the-risk-of-penalties-for-violating-data-privacy-laws/, that warns against a
dismissive view, and references numerous successful enforcement actions of state and
federal data privacy laws.
Nevertheless, the fact remains today that enforcement of the many state and federal
privacy laws remains costly and difficult at best, with limited success.
In closing, Massachusetts will ultimately best protect its residents by analyzing similar
state and federal laws, ensuring consistency where possible, and “going beyond, where
no man has dared to go,” only as a conscious step with a clear enforcement plan.
SARAH CORTES, PMP, CISAMAY 12, 2009
INMAN TECHNOLOGYIT ______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
Thank you for your time. I wish to state that on behalf of data security professionals in
this state, we stand ready to assist in adopting rules that are effective in achieving the
Legislature’s goals. Thank you for the opportunity to provide comments and I would be
happy to provide additional information.
SARAH CORTES, PMP, CISAPRESIDENT
617-784-611331 INMAN STREET CAMBRIDGE, MA 02139 . __________________________________________________________________________________________
SARAH_CORTES@INMANTECHNOLOGYIT.COM
LINKEDIN: WWW.LINKEDIN.COM/IN/SARAHCORTES TWITTER: HTTP://TWITTER.COM/SECURITYSOURCES SARAH’S SECURITYWATCH BLOG SARAH’S TECHTARGET BLOG
COMPLEX APPLICATION DEVELOPMENT/IMPLEMENTATION
IT SECURITY/PRIVACY/ RISK/AUDIT MANAGEMENT
DATA CENTER OPERATIONS MANAGEMENT
DISASTER RECOVERY/HIGH AVAILABILITY
PROGRAM/PROJECT MANAGEMENT
SARAH CORTES, PMP, CISAMAY 12, 2009