Sarah Cortes MA data breach law Testimony Sept 22 2009



Sarah Cortes testimony before the Massachusetts Office of Consumer Affairs regarding MA data breach regulations

Transcript of Sarah Cortes MA data breach law Testimony Sept 22 2009


INMAN TECHNOLOGYIT
WWW.INMANTECHNOLOGYIT.COM

Statement of Sarah Cortes, PMP, CISA, President, InmanTechnologyIT of Massachusetts, Before the Office of Consumer Affairs and Business Regulation regarding the Amended Regulations of 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth

September 22, 2009

My name is Sarah Cortes and I am a technology professional in Massachusetts specializing in information and network security, privacy and compliance. I am a member of AIM, and among other services, I advise clients regarding the protection of personal information for residents of the Commonwealth, as well as laws and regulations of federal and other state jurisdictions and internationally. I write about security, privacy, compliance, surveillance, and technology for TechTarget Media. Further, I sit on the National Institute of Standards (NIST) SmartGrid Privacy and Data Security Advisory Group, advising federal and state government on information security and privacy issues relating to the Federal SmartGrid energy implementation. I am not here representing any organization, but only myself.

 

I wish to thank Undersecretary Barbara Anthony and the Office of Consumer Affairs and Business Regulation for revising and extending the general regulation effective date to March 1, 2010. As a security professional, I support the current revisions.

I remain concerned about the debate around technical vagueness vs. specificity from those seeking technical guidance from this privacy law. I urge OCABR to continue to take steps to review rules and regulations in comparison with federal and other states' laws, policies and regulations, and to continue to revise them to ensure consistency and technical feasibility.

SARAH CORTES, PMP, CISA   SEPTEMBER 22, 2009

Laws and regulations are only one piece of a successful approach to improving consumer privacy. I feel it is important to recognize where laws can actually contribute to improving data security.

I appear today to especially support two revisions:

First, improved consistency with Federal law and regulations.

Second, avoiding technology-specific requirements, which would quickly render regulations obsolete; specifically, the revision of the Section 17.02 encryption definition to be technology-neutral.

While some seem to seek greater specificity and express valid concerns about vagueness and a need for technical guidance, as a technical professional my findings support expansion of technology-neutral language. Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy.

As a data security practitioner, I see my clients continually struggle with the complex nature of technology and operational implications. These clients include a range of Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally, colleges and universities located in Massachusetts but with associated overseas institutions, and small and medium-sized firms operating in multiple states. In educating and advising my clients about Massachusetts Data Privacy laws, I find there continues to be widespread lack of awareness and understanding.

 


 

With respect to my first point, aligning Massachusetts and federal regulations:

At a high level, the effect of HIPAA and state privacy laws on health care is instructive. While advancing laudable privacy concerns, the patchwork of 44 separate state laws as well as Federal laws like HIPAA have seriously detracted from patient care. This is because, from the point of view of a technology professional, this patchwork presents a significant barrier to technical implementation. The billions of ARRA dollars currently allocated to the technical implementation of Electronic Medical Records (EMR) attest to the real economic costs of well-meaning but poorly thought out laws and regulations which diverge from a national standard. The revisions to 201 CMR 17 improve on past versions to move away from this risk.

With respect to my second point, on encryption and technology-neutral language improvements:

Technical mandates such as encryption involve a “slippery slope” of specificity that can only detract from laws. The most specific encryption standard widely cited by technical professionals is NIST FIPS 140-2, a standard set forth in over 1000 pages. Many security professionals agree this provides the minimum possible clarity for practical implementation. Clearly, such a standard does not belong in a data breach or any other law, but anything short of this specificity cannot realistically be implemented or set adequate guidance. Those seeking technical guidance should not look to laws and regulations, but to standards like NIST’s FIPS 140-2. Anything less is technically meaningless to a great extent.

Thus, the move towards technology-neutral language is a positive development in the latest regulations.

Finally, in educating and advising my clients about Massachusetts data privacy laws, I continue to find a widespread lack of awareness and understanding.

In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and avoiding technical mandates. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

SARAH CORTES, PMP, CISA, PRESIDENT
330-99-CYBER
31 INMAN STREET, CAMBRIDGE, MA 02139
[email protected]
LINKEDIN: SARAHCORTES   TWITTER: @SARAHCORTES

COMPLEX APPLICATION DEVELOPMENT/IMPLEMENTATION
IT SECURITY/PRIVACY/RISK/AUDIT MANAGEMENT
DATA CENTER OPERATIONS MANAGEMENT
DISASTER RECOVERY/HIGH AVAILABILITY
PROGRAM/PROJECT MANAGEMENT