The Commonwealth of Massachusetts enacted a regulation protecting state citizens’ personal information. Coming into effect in 2010, it protects personal information from unauthorized access and possible exploitation.
The Zalud Report asked Robert Messemer, chief security officer at The Nielsen Company, for his views.
“The Massachusetts regulation is one of the first we’ve seen that actually dictates the means by which companies should protect personal information, in this instance, the personal information of Massachusetts residents. It specifies exact standards for a corporate information security program and the exact minimum technical requirements for an information security policy,” Messemer said. “The regulation governs the personal information of all Massachusetts residents, irrespective of where a given company is headquartered or has a presence.

Compliance Steps

“Companies that access or store personal information, including the information of clients, employees and former employees, will need to take certain prescribed steps towards compliance. For example, companies will be required to establish written policies and procedures for how personal information is stored and transported, if those policies do not already exist. Additionally, companies will be required to use robust access and audit controls as well as minimize the number of people who enjoy access to information.”
The tougher Massachusetts regulations may spread. According to Messemer, “Our review of the regulatory and legislative landscape in North America has identified draft legislation in Michigan that may mirror many of the provisions in the Commonwealth of Massachusetts regulations. Personally, I believe that we can anticipate additional federal and state legislation in the near future as greater public awareness of this issue grows in our communities,” he said. “As security professionals, it is incumbent upon us to understand critically important changes in the regulatory environment and be able to convey those changes effectively to senior executives as well as the attendant risks, if any, arising from these changes.”
Regulatory challenges can also encourage more internal cooperation.
“From a chief security officer’s perspective, I believe that there is a greater opportunity for security professionals to engage other key stakeholders within their organization in order to identify and optimize risk,” Messemer added. “Please note that I didn’t say that security’s role is to simply ‘eliminate’ risk. Certain levels of risk are inherent in every business. If a CSO simply engages senior executives in an approach to merely ‘eliminate risk,’ then I believe he or she will have a relatively short and unfulfilling career. As security professionals, we should strive to more fully understand the business and our senior executive’s appetite for risk and align our risk mitigation strategies in order to optimize - not eliminate risk.”

Tooling Up

“Enterprise security tools such as firewalls, server and workstation or endpoint malware and anti-virus protection that are maintained on a current basis to effectively address new and emerging malware threats will be required. Access controls are an important component of any effective security strategy – but are now given greater importance in light of the new regulations,” pointed out Messemer.
CSOs need to be part of an educational effort. “Effective security policies concomitant with an effective security communications program are an absolute must under the new regulations. While most companies probably already have a security awareness program, it is important as a best practice to ensure that the security awareness program is well understood and that it supports the strategic goals of the organization.
Additionally, companies should give consideration to effectively purging itself of old data that it no longer requires. Of course, appropriate care should be exercised to shred documents and make electronic media completely unreadable.”
There is an additional need to more carefully evaluate outsourcing.
Observed Messemer, “Security professionals evaluating a prospective outsourcing provider should consider the benefits associated with utilizing the services of a certified personal records provider, especially for targeted opportunities such as a certified credit card processing vendor, who will provide your organization with only the data required by your organization while minimizing the risk for any unauthorized disclosures. But also keep in mind that part of the analysis is also a careful review of how that service provider secures the information that it handles and manages on behalf of your organization.”

At a Minimum

Here is a list of minimum requirements for the information security program, according to Robert Messemer, chief security officer at The Nielsen Company. Go to the August Zalud Report at for more information, including minimum technical requirements for the protection of electronic records.
  • Designating one or more employees to maintain the comprehensive information security program.
  • Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.
  • Evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks.
  • Developing security policies for employees that take into account whether and how employees should be allowed to keep, access, and transport records containing personal information off of Nielsen’s premises.
  • Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records.
  • Establishing reasonable restrictions on physical access to records containing personal information.
  • Perform regular monitoring to ensure that the comprehensive information security program is operating as intended.
  • Review the scope of the security measures at least annually or whenever there is a material change in business practices.