The Commonwealth of Massachusetts enacted a regulation last September protecting state citizens’ personal information. Originally scheduled to take effect Jan. 1, 2009, the regulation now takes effect for all Massachusetts residents on Jan. 1, 2010. It protects personal information from unauthorized access and possible exploitation.

Security Magazine interviewed Robert Messemer, Chief Security Officer (CSO) for The Nielsen Company, on this issue.

1. What’s the difference in terms of the MA law as compared to other legal and regulatory approaches?

The Massachusetts regulation is one of the first regulations we’ve seen that actually dictates the means by which companies should protect personal information, in this instance, the personal information of Massachusetts residents. It specifies exact standards for a corporate information security program and the exact minimum technical requirements for an information security policy.

Here is a list of requirements for the information security program, as well as the minimum technical requirements for the protection of electronic records.

Information Security Program Requirements:

- Designating one or more employees to maintain the comprehensive information security program.
- Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.
- Evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks.
- Developing security policies for employees that take into account whether and how employees should be allowed to keep, access, and transport records containing personal information off of Nielsen’s premises.
- Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records.
- Establishing reasonable restrictions on physical access to records containing personal information.
- Performing regular monitoring to ensure that the comprehensive information security program is operating as intended.
- Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices.

Minimum Technical Requirements for Protection of Electronic Records:

- Secure user authentication protocols, including controlling the assignment of user IDs and other unique identifier technologies (e.g. tokens, biometrics, etc.); controlling passwords to ensure they are kept in a location and/or format which will not compromise the security of the data they protect; and restricting access to active users and blocking access after multiple unsuccessful attempts to gain access.
- Secure access control measures that restrict access to records and files containing personal information to only those who need such information to perform their job duties, and which assign unique identifications plus passwords, that are not vendor-supplied default passwords, to each person with computer access to the records and files.
- To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
- Reasonable monitoring of systems for unauthorized use of or access to personal information.
- Encryption of all personal information stored on laptops or other portable devices.
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the personal information.
- Up-to-date versions of system security agent software, which must include malware protection and up-to-date patches and virus definitions, set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
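As an added illustration (not from the interview, the regulation text, or Nielsen), the following Python sketch shows how several of the listed authentication and access-control requirements fit together in one login path: passwords kept only as salted hashes, vendor-supplied default passwords refused, access limited to active accounts with lockout after repeated failures, and immediate revocation on termination. The constants MAX_FAILED_ATTEMPTS, PBKDF2_ITERATIONS and the default-password list are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed list of vendor-supplied default passwords for the example;
# a real deployment would use a maintained list or a policy check.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default"}
MAX_FAILED_ATTEMPTS = 5      # assumption: lock after this many consecutive failures
PBKDF2_ITERATIONS = 200_000  # assumption: work factor for password hashing


class Account:
    def __init__(self, user_id, password):
        if password in DEFAULT_PASSWORDS:
            raise ValueError("vendor-supplied default passwords are not permitted")
        self.user_id = user_id                  # unique identifier, assigned by the system
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password, self.salt)
        self.failed_attempts = 0
        self.active = True                      # False once terminated or locked out

    @staticmethod
    def _derive(password, salt):
        # Store only a salted PBKDF2 hash, never the password itself
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self):
        self.accounts = {}

    def create_account(self, password):
        user_id = secrets.token_hex(8)          # unique ID per person, not shared
        self.accounts[user_id] = Account(user_id, password)
        return user_id

    def terminate(self, user_id):
        # Immediately revoke electronic access for a departed employee
        self.accounts[user_id].active = False

    def login(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            return "denied"                     # only active users may authenticate
        if hmac.compare_digest(acct.pw_hash, Account._derive(password, acct.salt)):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.active = False                 # block access after repeated failures
            return "locked"
        return "denied"
```

A locked or terminated account stays inactive until an administrator re-enables it, which keeps the "restrict to active users" rule and the lockout rule on the same code path.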

2. Must companies that are not headquartered in MA but have employees or clients there also comply?

Yes, the regulation governs the personal information of all Massachusetts residents, irrespective of where a given company is headquartered or has a presence.

3. Are other states considering the MA action?

Our review of the regulatory and legislative landscape in North America has identified draft legislation in Michigan that may mirror many of the provisions in the Commonwealth of Massachusetts regulations. Personally, I believe that we can anticipate additional federal and state legislation in the near future as greater public awareness of this issue grows in our communities. As security professionals, it is incumbent upon us to understand critically important changes in the regulatory environment and be able to convey those changes effectively to senior executives as well as the attendant risks, if any, arising from these changes.

4. Will companies be reviewing the data kept on file on their employees and clients? And what about former employees’ information?

Companies that access or store personal information, including the information of clients, employees and former employees will need to take certain prescribed steps towards compliance. For example, companies will be required to establish written policies and procedures for how personal information is stored and transported, if those policies do not already exist. Additionally, companies will be required to use robust access and audit controls as well as minimize the number of people who enjoy access to information.

5. Cooperation and convergence seem to be the strategies here among various enterprise functions. What’s your take?

From a Chief Security Officer’s perspective, I believe that there is a greater opportunity for security professionals to engage other key stakeholders within their organization in order to identify and optimize risk. Please note that I didn’t say that security’s role is to simply “eliminate” risk. Certain levels of risk are inherent in every business. If a Chief Security Officer simply engages senior executives in an approach to merely “eliminate risk,” then I believe he or she will have a relatively short and unfulfilling career. As security professionals, we should strive to more fully understand the business and our senior executives’ appetite for risk and align our risk mitigation strategies in order to optimize, not eliminate, risk.

6. Should enterprises look to better physically protecting storage of hard copy files? More access controls, biometrics, etc.?

Absolutely. Enterprise security tools such as firewalls, server and workstation or endpoint malware and anti-virus protection that are maintained on a current basis to effectively address new and emerging malware threats will be required. Access controls are an important component of any effective security strategy – but are now given greater importance in light of the new regulations.

7. How should your colleagues view evaluating outsourcing providers?

Security professionals evaluating a prospective outsourcing provider should consider the benefits associated with utilizing the services of a certified personal records provider, especially for targeted opportunities such as a certified credit card processing vendor, who will provide your organization with only the data required by your organization and minimize the risk of unauthorized disclosures. But also keep in mind that part of the analysis is a careful review of how that service provider secures the information that it handles and manages on behalf of your organization.

8. In addition to encryption, isn’t there also a need for clear policies that are reinforced often as an educational effort?

Yes, effective security policies concomitant with an effective security communications program are an absolute must under the new regulations. While most companies probably already have a security awareness program, it is important as a best practice to ensure that the security awareness program is well understood and that it supports the strategic goals of the organization.

Additionally, companies should give consideration to effectively purging themselves of old data that they no longer require. Of course, appropriate care should be exercised to shred documents and make electronic media completely unreadable.

9. Overall in the field of security management, what do you see as the trends in terms of measurement and metrics?

As a security professional, I believe we are seeing more convergence in this arena and ultimately we will see the fusion of security metrics with more advanced concepts in risk identification and analysis.

I believe an effective security metrics scorecard will help drive a fact-based decision on the proposed allocation of scarce capital investment resources. In today’s economy it is more important than ever.

Another trend we see in the marketplace owing to the new economy is a corporation’s reliance on fewer vendors in order to achieve its strategic security goals. This form of convergence also brings its own potential risks if a security professional ignores effective supply chain risk management.

Background on Robert Messemer:

He is the Chief Security Officer (CSO) for The Nielsen Company. He was appointed to this position in October 2007. In his capacity as the CSO, Robert has worldwide responsibility for all security operations across all Nielsen businesses.

In September 2007, Robert retired as a Special Agent of the United States Federal Bureau of Investigation, having served twenty-four years with the FBI, where he managed several complex investigations and provided insights to the private sector on complex white collar crimes, crisis management, and advanced cyber security issues. He is a graduate of Loyola Marymount University in Los Angeles, California, with a Bachelor of Business Administration.

About The Nielsen Company

The Nielsen Company is a global information and media company with leading market positions in marketing information (ACNielsen), media information (Nielsen Media Research), online intelligence (NetRatings and BuzzMetrics), trade shows and business publications (Billboard, The Hollywood Reporter, Adweek). The privately held company is active in approximately 100 countries, with headquarters in Haarlem, the Netherlands, and New York, USA. For more information, please visit www.nielsen.com.