Sarah Cortes MA data breach law Testimony Sept 22 2009
Sarah Cortes testimony before the Massachusetts Office of Consumer Affairs regarding MA data breach regulations
Published in: Technology
Transcript

  • 1. INMAN TECHNOLOGYIT ______________________________________________________ WWW.INMANTECHNOLOGYIT.COM

    Statement of Sarah Cortes, PMP, CISA, President, InmanTechnologyIT of Massachusetts, Before the Office of Consumer Affairs and Business Regulation regarding the Amended Regulations of 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth
    September 22, 2009

    My name is Sarah Cortes and I am a technology professional in Massachusetts specializing in information and network security, privacy and compliance. I am a member of AIM, and among other services, I advise clients regarding the protection of personal information for residents of the Commonwealth, as well as the laws and regulations of federal and other state jurisdictions and internationally. I write about security, privacy, compliance, surveillance, and technology for TechTarget Media. Further, I sit on the National Institute of Standards (NIST) SmartGrid Privacy and Data Security Advisory Group, advising federal and state government on information security and privacy issues relating to the Federal SmartGrid energy implementation. I am not here representing any organization, but only myself.

    I wish to thank Undersecretary Barbara Anthony and the Office of Consumer Affairs and Business Regulation for revising and extending the general regulation effective date to March 1, 2010. As a security professional, I support the current revisions. I remain concerned about the debate around technical vagueness vs. specificity from those seeking technical guidance from this privacy law. I urge OCABR to continue to take steps to review rules and regulations in comparison with federal and other states' laws, policies and regulations, and to continue to revise them to ensure consistency and technical feasibility.

    SARAH CORTES, PMP, CISA SEPTEMBER 22, 2009

  • 2. Laws and regulations are only one piece of a successful approach to improving consumer privacy. I feel it is important to recognize where laws can actually contribute to improving data security. I appear today to especially support two revisions:

      • First, improved consistency with Federal law and regulations.
      • Second, avoiding technology-specific requirements that will quickly render regulations obsolete; specifically, the Section 17.02 encryption definition revision to be technology-neutral.

    While some seem to seek greater specificity and express valid concerns about vagueness and a need for technical guidance, as a technical professional my findings support expansion of technology-neutral language.

    Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy. As a data security practitioner, I see my clients continually struggle with the complex nature of technology and its operational implications. These clients include a range of Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts who operate in all 50 states as well as internationally, colleges and universities located in Massachusetts but with associated overseas institutions, and small and medium-sized firms operating in multiple states. In educating and advising my clients about Massachusetts data privacy laws, I find there continues to be a widespread lack of awareness and understanding.

  • 3. With respect to my first point, aligning Massachusetts and federal regulations:

    At a high level, the effect of HIPAA and state privacy laws on health care is instructive. While advancing laudable privacy concerns, the patchwork of 44 separate state laws as well as Federal laws like HIPAA has seriously detracted from patient care. This is because, from the point of view of a technology professional, this patchwork presents a significant barrier to technical implementation. The billions of ARRA dollars currently allocated to the technical implementation of Electronic Medical Records (EMR) attest to the real economic costs of well-meaning but poorly thought out laws and regulations which diverge from a national standard. The revisions to 201 CMR 17 improve on past versions and move away from this risk.

    With respect to my second point, on encryption and technology-neutral language improvements:

    Technical mandates such as encryption involve a "slippery slope" of specificity that can only detract from laws. The most specific encryption standard widely cited by technical professionals is NIST FIPS 140-2, a standard set forth in over 1000 pages. Many security professionals agree this provides the minimum possible clarity for practical implementation. Clearly, such a standard does not belong in a data breach or any other law, but anything short of this specificity cannot realistically be implemented or set adequate guidance. Those seeking technical guidance should not look to laws and regulations, but to standards like NIST's FIPS 140-2.

  • 4. Anything less is technically meaningless to a great extent. Thus, the move towards technology-neutral language is a positive development in the latest regulations.

    Finally, in educating and advising my clients about Massachusetts data privacy laws, I continue to find a widespread lack of awareness and understanding.

    In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and avoiding technical mandates. Thank you for the opportunity to provide comments, and I would be happy to provide additional information.

    SARAH CORTES, PMP, CISA
    PRESIDENT
    330-99-CYBER
    31 INMAN STREET, CAMBRIDGE, MA 02139
    SARAH_CORTES@POST.HARVARD.EDU
    LINKEDIN: SARAHCORTES
    TWITTER: @SARAHCORTES

  • 5. Services:
      • Complex application development/implementation
      • IT security/privacy/risk/audit management
      • Data center operations management
      • Disaster recovery/high availability
      • Program/project management
