Security Newswire

Exclusive Interview: Massachusetts New Privacy Regulation and What to Do

June 22, 2009

The Commonwealth of Massachusetts enacted a regulation last September protecting state citizens’ personal information. Originally scheduled to take effect Jan. 1, 2009, the regulation now takes effect Jan. 1, 2010, for all Massachusetts residents. It protects personal information from unauthorized access and possible exploitation.

Security Magazine interviewed Robert Messemer, Chief Security Officer (CSO) for The Nielsen Company, on this issue.

1. What’s the difference in terms of the MA law as compared to other legal and regulatory approaches?

The Massachusetts regulation is one of the first regulations we’ve seen that actually dictates the means by which companies should protect personal information, in this instance, the personal information of Massachusetts residents. It specifies exact standards for a corporate information security program and the exact minimum technical requirements for an information security policy.

Here is a list of requirements for the information security program, as well as the minimum technical requirements for the protection of electronic records.

Information Security Program Requirements:

• Designating one or more employees to maintain the comprehensive information security program.

• Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.

• Evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks.

• Developing security policies for employees that take into account whether and how employees should be allowed to keep, access, and transport records containing personal information off of Nielsen’s premises.

• Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records.

• Establishing reasonable restrictions on physical access to records containing personal information.

• Performing regular monitoring to ensure that the comprehensive information security program is operating as intended.

• Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices.

Minimum Technical Requirements for Protection of Electronic Records:

• Secure user authentication protocols, including controlling the assignment of user IDs and other unique identifier technologies (e.g., tokens, biometrics, etc.); controlling passwords to ensure they are kept in a location and/or format which will not compromise the security of the data they protect; and restricting access to active users and blocking access after multiple unsuccessful attempts to gain access.

• Secure access control measures that restrict access to records and files containing personal information to only those who need such information to perform their job duties, and which assign unique identifications plus passwords that are not vendor-supplied default passwords to each person with computer access to the records and files.

• To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.

• Reasonable monitoring of systems for unauthorized use of or access to personal information.

• Encryption of all personal information stored on laptops or other portable devices.

• For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the personal information.

• Up-to-date versions of system security agent software, which must include malware protection and up-to-date patches and virus definitions, set to receive the most current security updates on a regular basis.

• Education and training of employees on the proper use of the computer security system and the importance of personal information security.

2. Must companies that are not headquartered in MA but have employees or clients there also comply?

Yes, the regulation governs the personal information of all Massachusetts residents, irrespective of where a given company is headquartered or has a presence.

3. Are other states considering the MA action?

Our review of the regulatory and legislative landscape in North America has identified draft legislation in Michigan that may mirror many of the provisions in the Commonwealth of Massachusetts regulations. Personally, I believe that we can anticipate additional federal and state legislation in the near future as greater public awareness of this issue grows in our communities. As security professionals, it is incumbent upon us to understand critically important changes in the regulatory environment and be able to convey those changes effectively to senior executives as well as the attendant risks, if any, arising from these changes.

4. Will companies be reviewing the data kept on file concerning their employees and clients? And what about former employees’ information?

Companies that access or store personal information, including the information of clients, employees and former employees, will need to take certain prescribed steps towards compliance. For example, companies will be required to establish written policies and procedures for how personal information is stored and transported, if those policies do not already exist. Additionally, companies will be required to use robust access and audit controls as well as minimize the number of people who enjoy access to information.

5. Cooperation and convergence seem to be the strategies here among various enterprise functions. What’s your take?

From a Chief Security Officer’s perspective, I believe that there is a greater opportunity for security professionals to engage other key stakeholders within their organization in order to identify and optimize risk. Please note that I didn’t say that security’s role is to simply “eliminate” risk. Certain levels of risk are inherent in every business. If a Chief Security Officer simply engages senior executives in an approach to merely “eliminate risk,” then I believe he or she will have a relatively short and unfulfilling career. As security professionals, we should strive to more fully understand the business and our senior executives’ appetite for risk and align our risk mitigation strategies in order to optimize, not eliminate, risk.

6. Should enterprises look to better physically protecting storage of hard copy files? More access controls, biometrics, etc.?

Absolutely. Enterprise security tools such as firewalls and server, workstation or endpoint malware and anti-virus protection that are maintained on a current basis to effectively address new and emerging malware threats will be required. Access controls are an important component of any effective security strategy – but they are now given greater importance in light of the new regulations.

7. How should your colleagues view evaluating outsourcing providers?

Security professionals evaluating a prospective outsourcing provider should consider the benefits associated with utilizing the services of a certified personal records provider, especially for targeted opportunities such as a certified credit card processing vendor, who will provide your organization with only the data it requires, minimizing the risk of unauthorized disclosures. But also keep in mind that part of the analysis is a careful review of how that service provider secures the information that it handles and manages on behalf of your organization.

8. In addition to encryption, isn’t there also a need for clear policies that are reinforced often as an educational effort?

Yes, effective security policies concomitant with an effective security communications program are an absolute must under the new regulations. While most companies probably already have a security awareness program, it is important as a best practice to ensure that the security awareness program is well understood and that it supports the strategic goals of the organization.

Additionally, companies should give consideration to effectively purging themselves of old data that they no longer require. Of course, appropriate care should be exercised to shred documents and make electronic media completely unreadable.

9. Overall in the field of security management, what do you see as the trends in terms of measurement and metrics?

As a security professional, I believe we are seeing more convergence in this arena and ultimately we will see the fusion of security metrics with more advanced concepts in risk identification and analysis.

I believe an effective security metrics scorecard will help drive a fact-based decision on the proposed allocation of scarce capital investment resources. In today’s economy it is more important than ever.

Another trend we see in the marketplace owing to the new economy is a corporation’s reliance on fewer vendors in order to achieve its strategic security goals. This form of convergence also brings its own potential risks if a security professional ignores effective supply chain risk management.

Background on Robert Messemer:

He is the Chief Security Officer (CSO) for The Nielsen Company. He was appointed to this position in October 2007. In his capacity as the CSO, Robert has worldwide responsibility for all security operations across all Nielsen businesses.

In September 2007, Robert retired as a Special Agent of the United States Federal Bureau of Investigation, having served twenty-four years with the FBI, where he managed several complex investigations and provided insights to the private sector on complex white collar crimes, crisis management, and advanced cyber security issues. He is a graduate of Loyola Marymount University in Los Angeles, California, with a Bachelor of Business Administration.

About The Nielsen Company

The Nielsen Company is a global information and media company with leading market positions in marketing information (ACNielsen), media information (Nielsen Media Research), online intelligence (NetRatings and BuzzMetrics), trade shows and business publications (Billboard, The Hollywood Reporter, Adweek). The privately held company is active in approximately 100 countries, with headquarters in Haarlem, the Netherlands, and New York, USA. For more information, please visit www.nielsen.com.
