Some Thoughts On The Massachusetts Data Security Law
- First, if your business is large enough to warrant already having a full-time networking professional on staff, then this law is no big deal for you. Not an employee who doubles as your IT guy, but a full-time, trained and/or well-experienced professional. Likely you already have at least one server in place, workstations are configured to store everything there, and it's well protected. At worst, hopefully, it will require a bit of reconfiguration, some new procedures and possibly adding a bit more hardware, but in the overall scheme of things it shouldn't be too bad.
- However, if your business does not have that full time professional, this could get very, VERY expensive relative to your earnings. Be aware that the potential fines if you're caught not being in compliance are huge.
- There is a LOT to discuss here and I could spend days boring you to tears with discussions of technical implications and options and why it could get so expensive, but let's start this way.
- If you haven't read the law, open a copy (Click Here) and read it before we get into further discussion.
- Now I'm sure you noticed there is a fair amount of ambiguity in the wording of the law so the temptation is undoubtedly to be a bit liberal with your interpretation of it. However when have you known government to be liberal in applying anything to business? Remember fines can be a revenue stream too. To be fair they did scale back the 3rd party portion of the law in response to small business concerns but also remember that government considers small business to be anyone who employs about 100-500 people. Obviously zero thought is really given to lesser entities never mind the one man band. Chances are you're considered a "Micro-Business".
- Many will look at this law and say fine, we'll implement some more stringent passwords, make sure our anti-virus and anti-malware are up to date, encrypt laptops and be done with it. Well, if you think that makes you compliant then go for it and good luck. I'd make sure my relationship with my lawyer was up to date as well, because I think you might well need him if the state takes a look.
- Plenty of people in the IT field are wringing their hands in anticipation of a huge windfall, and there will be plenty of people who make a ton of money off this, but honestly, I'm not sure I want to touch any of the work that comes from this; the liability issues here are also huge. I really don't want to be a harbinger of doom, but if you start down this road you had better be prepared to go all the way. Why? Because the potential irretrievable loss of your data, or the cost associated with retrieving it, may be enough to put you out of business.
- Data retrieval can be tricky and tough enough when a drive fails, which they all do, but retrieving and unlocking encrypted data adds complexity of several orders of magnitude. It's darn near as difficult if a ticked-off employee locks the data up as he exits the building for the last time. Bet on retrieval costs in the four-figure range to start, easily going into five figures, and that's for a single drive; it may take weeks, not hours or days. Depending on how you do things it might be easy or it might be a killer.
- See, the way I read this law is that every computer connected to the internet or a phone line had better be password protected, encrypted and configured correctly. Why? Because every "connected" machine has potentially sensitive data, or at the very least has potential access to that sensitive data either directly or through your network, and so every "connected" machine offers a potential tunnel to every other machine on your network for a hacker to infiltrate, and somewhere in all that IS sensitive data. Believe me, the malware programmers and hackers are getting better constantly.
- So the first question, if you're considering compliance, is whether your current hardware is up to the task. You see, encryption and active anti-malware suites with active anti-spyware and active anti-virus all carry fairly heavy overhead and impact system performance dramatically. Here's an example. A system came in with a complaint about very poor performance. Incredibly slow on the internet, incredibly slow to open applications, just slow, slow, slow. A quick look at the specs revealed a dual-core processor, a couple of gigs of memory and a good SATA hard drive, so at a glance it seemed adequate for the average user. Booting took about 8 or 9 minutes to complete and the answers were staring me in the face. The customer used the machine as most normal home users do. A Kodak home digital camera was in use, and they were playing POGO games on the net. In addition, some minor word processing and financial work was also evident. To keep themselves safe on the Internet they had installed the full Norton 360 Protection Suite. Checks revealed that "some" malware had gotten by Norton, as expected; minor stuff, but still malware. Only about 5% of the drive was being utilized and it wasn't badly fragmented, so that wasn't impacting performance too much. So I removed the malware, cleaned junk files off the drive, optimized the drive, registry, startup sequence and load, and it gained about 3-5% in performance speed, again all expected. Removing Norton, which does a good job of protection but with too much overhead for the average PC, resulted in performance that was only about 20% off where it should have been. Removing the Kodak software, which is some of the industry's worst, brought us pretty much back up to snuff.
- Depending on your individual configuration, for compliance on a fairly vanilla machine I'd figure at minimum a good dual-core processor with a good front side bus speed, 4 GB of memory at a minimum, and a good fast SATA hard drive not more than half full and properly optimized, to leave the machine running well enough for people to actually work instead of sitting there waiting for the PC to play catch-up. You have how many PCs?
- If you have more than about 8-10 PCs it may well be time to consider bringing in a server. Let it handle the load; configure workstations and server to store all data on the server, secure all data there and feed it as necessary to the workstations. You'll want a good hardware-based firewall like SonicWall, RAID 5 perhaps so data can be rebuilt when a drive crashes, or at least a good drive imaging solution. Do you want it based on Linux or Windows? Initial cost on Linux is cheaper, but good Linux administrators cost more than Windows administrators to manage it all. There are just fewer of them around, especially in this neck of the woods. Either way, with the hardware, software, setup and configuration costs I'd figure $25,000-$30,000 at a minimum to start.
- Shop around, you'll get lowballs but the trick there is once in the door they can set it up in a manner that'll need a LOT of additional work and bringing in someone else will be even more expensive. They'll sell you the support contract later, when it becomes obvious you HAVE to have one, at a much higher figure than the original estimates who didn't lowball you. It all comes out in the wash and that's just the way the game is played.
- As for that support contract, you will want and need it. Someone to come in monthly at least and verify that paperwork is in order and up to date, verify that backups and updates are all good, all up to date and make sure that all machines are running optimally. Why?
- Because if you don't, disaster recovery, when it comes (and it will), will be a nightmare of epic proportions and likely cost. How long can you live without your data? How much cost can you shoulder to get it back before you have to lay someone off, or worse, close up shop if you're a really small business? Like I said, encryption adds several orders of magnitude.
- If you're a one-person, one-computer business you can likely get someone to come by and check up on things once a month for $100-200. If you're 8-10 machines strong you might be able to cut a deal, but I'd more likely suspect the cost as figured per machine will go up. As you start to network things, complexity also goes up and so does cost in general. That's why that server starts to make sense. Managing it all in one place brings the overhead and work of managing it all down a couple of notches, so support costs can come down some. Yes, the initial cost is higher, but over the longer haul you're more secure and the costs even out. You'll still need a contract and it still needs to be monthly at least, but it likely won't take the guy a day and a half to two days, as opposed to a single day or less. Lest we forget, all this came about because data was stolen off TJ Maxx SERVERS that they thought were fairly secure. If things are going wrong (backups not working, updates to anti-whatnot not happening or needing renewal, systems showing signs of imminent failure, etc.), you need someone who can spot it before it becomes an issue. Someone intimately familiar with your systems, knowledgeable and up to date in technology, is far more likely to catch it before you have a clue something is wrong.
- As for the third-party part of the law. Doubtless the idea there was credit and debit card clearing companies, but those shouldn't be an issue these days anyway; most are pretty secure. But if a lawyer should ship case data files off to another lawyer in California on, sayyyyyy, a child support case, then by law he has to ask that lawyer to verify he's in compliance with Massachusetts data protection laws. And if that single-person law office says go pound sand, welllllllllllll, there's an issue. Doubtless there are plenty of other instances when a business has to send someone else's confidential data to another business somewhere else. Contractors providing bona fides of subcontractors to developers, for instance. And if they tell him to go pound sand, does the development not happen? Does the work evaporate? Does that college in Northfield not happen?
- As I said, I'm not sure I want any part of the work that will come from this, liability issues are huge. I'm reasonably sure at the very least I won't get involved with any half measures. Case by case basis, we'll see what happens. I wrote this as much to clarify my own thoughts and to perhaps provide you another perspective on the issue.
- Doubtless this is the tip of the iceberg. Does anyone think California won't jump aboard this train? The power of the Internet is in bringing people together. It has made a global economy a reality. Now I don't get how, but I can tell you product I order direct-shipped from China will often get to me quicker and cheaper than product ordered from New Jersey on the same day these days, not to mention being less expensive. The mesh is starting to happen, and the day when a soldier can unravel and tack up a wall-sized piece of thin film on a mud hut in the hills of Afghanistan, hook it to his cell phone and spend some 3D-quality time with his family in North Dakota ain't far off.
- At the same time, the apparent case of school administrators monitoring kids in their own homes by watching webcams does underscore that one can indeed be too connected. Does anyone believe today that Big Brother can't peek into our lives in places they have no business being? Does anyone believe that abuses of those abilities don't happen? Maybe we're getting to the point when disconnecting, and therefore not worrying about employees surfing the net instead of working and not worrying about this law, isn't completely a bad idea either.
- Last point: the question is whether compliance with this law will protect people, and the answer is yes and no. Your systems on average will undoubtedly be more secure and less susceptible to viruses and malware, but encryption for everyone is overkill, and if hackers can get into DoD servers do we really think these measures will keep them out? You have to be on their radar for them to want to get into your systems, and most of you aren't big enough to bother with. These guys are after millions; they're well financed, very well paid, very good at what they do and very well connected. These are not the hacker kids of the movies, these are pros. You may get hit by one of the suites of malware that operate from bots and attempt to scare money out of you, but that's likely all at this point. Look around: how many businesses in the area can provide the volume of current financial data that makes it worthwhile for them to go after? Financial institutions, sure, but beyond that? Baystate Health, Yankee Candle, maybe a few others, but not many really. There are just too many good targets out there. And Joe's Used Books next to Brown University is a better target than Joe's Used Books on Federal St in Greenfield, even on the single-person business level.