
Archive for August, 2009

Massachusetts Data Protection Law Amended – Has it really changed anything?

Monday, August 24th, 2009

As you may have heard already, Massachusetts has amended its data protection law again. In addition to extending the deadline once more, the amendment adds language that factors in the size of the company and the resources available to it. From reports, it appears that the small business community lobbied hard to have the language modified to make compliance with the statute easier. Specifically, language was added requiring a company to implement a comprehensive information security program that contains safeguards appropriate “to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.”

Some companies will invariably read the words “size, scope and type” as license to limit how comprehensive their security program needs to be. But the truth is that technology is rapidly making it easy to implement access controls and encryption to protect data, and to monitor access attempts on a regular basis. That technology is also becoming more affordable, so that even the smallest company can afford to deploy it. Products like Zecurion’s already combine ease of implementation and administration with a low price point. So by the time the implementation deadline of March 1, 2010 rolls around, companies will have a hard time justifying to the state that they were incapable of implementing rigorous controls over Massachusetts residents’ data, regardless of their size.

At least this time they didn’t rely on promises….

Monday, August 10th, 2009

In my last blog post, I mentioned that the Johnson County payroll department, after mistakenly emailing a file of social security numbers, simply confirmed with the recipients that they had not copied the data for personal use, and how scary that was from a security perspective. So today we’ll talk about the folks at the Colorado Corrections Department, who apparently emailed the financial records of over 1,000 staff members to other employees by accident. In this case, as in the last one, the file contained social security numbers and other information that could have been used for identity theft.

However, at least in this case they took some reactive steps to limit the damage instead of just relying on the promises of the people on the recipient list. They were able to delete the majority of the messages from the server before they were opened, and they were able to identify which employees had opened the email and that in at least two cases it had been forwarded to a personal computer. (Server-side deletion only helps with copies that have not yet been downloaded or forwarded, which is why tracking who opened and forwarded the message matters.) That shows that, at the very least, they are taking the potential impact of the release of this data seriously. But how much nicer would it have been for them (from a PR perspective) and for the employees whose data was emailed if they had had a solution like Zgate in place to prevent the file from ever being emailed in the first place?