Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
InmanTechnologyIT Mass Senate Testimony
1. INMAN TECHNOLOGYIT
______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
Testimony of InmanTechnologyIT of Massachusetts
Sarah Cortes, PMP, CISA, President
Before Chairman Michael W. Morrissey, Chairman Theodore C. Speliotis and
Members of the Joint Committee on Consumer Protection and Professional Licensure
in Support of S. 173, and Act Ensuring the Privacy of Certain Data
My name is Sarah Cortes and I am a technology professional in Massachusetts. Among
other services, I follow and advise clients regarding the development of rules for the
protection of personal information for residents of the Commonwealth, as well as laws and
regulations with federal and other state jurisdictions and internationally. I also write
extensively about security, privacy, surveillance, and technology. I wish to express my
appreciation to the Administration for extending the general effective date of May 1, 2009
to January 1, 2010. As a security professional, I support S. 173, which would improve upon
M.G.L. 93H. However, I remain concerned about wide-ranging rules which present
significant enforcement challenges and could lead to widespread noncompliance, rendering
a setback for overall compliance efforts. I urge the Administration to review rules and
regulations in comparison with federal and other states laws, policies and regulations, and
to revise them to ensure consistency and enforceability.
I support S. 173 because it:
• Remains consistent with Federal law and regulations.
• Avoids technology-specific requirements that will quickly render it obsolete
• Facilitates for organizations the enforcement of their data security policies on
employees who willfully violate data protection rules, regulations and policies.
SARAH CORTES, PMP, CISA
MAY 12, 2009
2. INMAN TECHNOLOGYIT
______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
Protecting personal information is a necessary activity and in the interest of the public,
including consumers, businesses, and other organizations. The development of a reasonable
public policy is vital for our economy. As a data security practitioner, I see my clients
continually struggle with the complex nature of technology and operational implications.
These clients include:
• Fortune 500 financial services, biotech and technology firms headquartered in
Massachusetts, who operate in all 50 states as well as internationally
• Colleges and universities located in Massachusetts but with associated overseas
institutions
• Small web design and social media service delivery firms operating in multiple
states
• Medium-sized training and certification delivery businesses based in Massachusetts
but operating in multiple states
• Medium-sized non-profit organizations operating in multiple states
• Small non-profit organizations operating only in Massachusetts but with donors
residing in many states
The jurisdiction and scope of the Massachusetts law, “persons who own, license, store or
maintain personal information about a resident of the Commonwealth of Massachusetts,”
presents issues as well. From a technical standpoint, the difficulty of continually sifting large
databases that change minute-by-minute, lead to many possibilities, including:
SARAH CORTES, PMP, CISA
MAY 12, 2009
3. INMAN TECHNOLOGYIT
______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
• A database that contained no in-scope data and was not subject to regulations could add
a Massachusetts data record and fall in scope within minutes. Detecting the presence of
Massachusetts residents in databases from minute-to-minute presents technical
challenges and expenditure of resources
• Due to failover and disaster recovery technology as well as cloud computing, third
party firms engaged in a primary business of storing data for third party clients or
providing computing services for such clients could find in-scope data of
Massachusetts residents on their servers or storage devices due to a failover or split-
second transfer of data. These firms not subject prior to data privacy laws could
suddenly find themselves subject in this fashion
Due to these and many other scenarios, I can testify that the Massachusetts data privacy
laws and regulations, as written, essentially could extend far beyond Massachusetts to
include many organizations who do little or no business with Massachusetts residents. This
is because firms will need to invest time and resources to develop the ability to ensure to
themselves and outside auditors and examining bodies that, from minute to minute, they
remain exempt.
I advise clients in a number of technology areas, including:
• Complex Application Development/Implementation, like large projects with over
100 technical staff implementing, for example, trading systems
• IT Security/Privacy/ Risk/Audit management, performing risk assessments and
managing large security implementation projects
SARAH CORTES, PMP, CISA
MAY 12, 2009
4. INMAN TECHNOLOGYIT
______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
• Data Center Operations Management, including vulnerability scanning but also
day-to-day operations
• Disaster Recovery/High Availability, reviewing infrastructure and network
architecture and advising on restructuring for resilience; and
• Technology Program/Project Management.
In educating and advising my clients about Massachusetts Data Privacy laws, about which
there continues to be widespread lack of awareness and understanding, I find a general
view emerging. This view holds that the regulations are so far-reaching, yet vague, that
they are unenforceable and organizations need not fear enforcement. I do not endorse this
view, and have written many papers and articles urging and explaining compliance,
including an article that appears today on a national media outlet, TechTarget,
www.ITKnowledgeExchange.TechTarget.com/IT-Compliance/ understanding-the-risk-of-
penalties-for-violating-data-privacy-laws/, that warns against a dismissive view, and
references numerous successful enforcement actions of state and federal data privacy laws.
Nevertheless, the fact remains today that enforcement of the many state and federal privacy
laws remains costly and difficult at best, with limited success.
In closing, Massachusetts will ultimately best protect its residents by analyzing similar
state and federal laws, ensuring consistency where possible, and “going beyond, where no
man has dared to go,” only as a conscious step with a clear enforcement plan.
SARAH CORTES, PMP, CISA
MAY 12, 2009
5. INMAN TECHNOLOGYIT
______________________________________________________
WWW.INMANTECHNOLOGYIT.COM
Thank you for your time. I wish to state that on behalf of data security professionals in this
state, we stand ready to assist in adopting rules that are effective in achieving the
Legislature’s goals. Thank you for the opportunity to provide comments and I would be
happy to provide additional information.
SARAH CORTES, PMP, CISA
PRESIDENT
617-784-6113
31 INMAN STREET CAMBRIDGE, MA 02139
.
__________________________________________________________________________________________
SARAH_CORTES@INMANTECHNOLOGYIT.COM
LINKEDIN: WWW.LINKEDIN.COM/IN/SARAHCORTES
TWITTER: HTTP://TWITTER.COM/SECURITYSOURCES
SARAH’S SECURITYWATCH BLOG
SARAH’S TECHTARGET BLOG
COMPLEX APPLICATION DEVELOPMENT/IMPLEMENTATION
IT SECURITY/PRIVACY/ RISK/AUDIT MANAGEMENT
DATA CENTER OPERATIONS MANAGEMENT
DISASTER RECOVERY/HIGH AVAILABILITY
PROGRAM/PROJECT MANAGEMENT
SARAH CORTES, PMP, CISA
MAY 12, 2009