INMAN TECHNOLOGYIT
______________________________________________________
WWW.INMANTECHNOLOGYIT.COM


Statement of Sarah Cortes, PMP, CISA, President, InmanTechnologyIT of
Massachusetts, Before the Office of Consumer Affairs and Business Regulation
regarding the Amended Regulations of 201 CMR 17.00, Standards for the
Protection of Personal Information of Residents of the Commonwealth
September 22, 2009

My name is Sarah Cortes and I am a technology professional in Massachusetts specializing in information and network security, privacy and compliance. I am a member of AIM, and among other services, I advise clients regarding the protection of personal information for residents of the Commonwealth, as well as laws and regulations of federal and other state jurisdictions and internationally. I write about security, privacy, compliance, surveillance, and technology for TechTarget Media. Further, I sit on the National Institute of Standards (NIST) SmartGrid Privacy and Data Security Advisory Group, advising federal and state government on information security and privacy issues relating to the Federal SmartGrid energy implementation. I am not here representing any organization, but only myself.



I wish to thank Undersecretary Barbara Anthony and the Office of Consumer Affairs and Business Regulation for revising and extending the general regulation effective date to March 1, 2010. As a security professional, I support the current revisions.

I remain concerned about the debate around technical vagueness vs. specificity from those seeking technical guidance from this privacy law. I urge OCABR to continue to take steps to review rules and regulations in comparison with federal and other states' laws, policies and regulations, and to continue to revise them to ensure consistency and technical feasibility.


Laws and regulations are only one piece of a successful approach to improving consumer privacy. I feel it is important to recognize where laws can actually contribute to improving data security.

I appear today to especially support two revisions:

   •   First, improved consistency with Federal law and regulations.

   •   Second, avoiding technology-specific requirements, which would quickly render regulations obsolete. Specifically, the revision of the Section 17.02 encryption definition to be technology-neutral.

While some seem to seek greater specificity and express valid concerns about vagueness and a need for technical guidance, as a technical professional my findings support expansion of technology-neutral language. Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy.

As a data security practitioner, I see my clients continually struggle with the complex nature of technology and operational implications. These clients include a range of Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally; colleges and universities located in Massachusetts but with associated overseas institutions; and small and medium-sized firms operating in multiple states. In educating and advising my clients about Massachusetts Data Privacy laws, I find there continues to be a widespread lack of awareness and understanding.







With respect to my first point, aligning Massachusetts and federal regulations:

   •   At a high level, the effect of HIPAA and state privacy laws on health care is instructive. While advancing laudable privacy concerns, the patchwork of 44 separate state laws as well as Federal laws like HIPAA have seriously detracted from patient care. This is because, from the point of view of a technology professional, this patchwork presents a significant barrier to technical implementation. The billions of ARRA dollars currently allocated to the technical implementation of Electronic Medical Records (EMR) attest to the real economic costs of well-meaning but poorly thought out laws and regulations which diverge from a national standard. The revisions to 201 CMR 17 improve on past versions to move away from this risk.

With respect to my second point, on encryption and technology-neutral language improvements:

   •   Technical mandates such as encryption involve a "slippery slope" of specificity that can only detract from laws. The most specific encryption standard widely cited by technical professionals is NIST FIPS 140-2, a standard set forth in over 1000 pages. Many security professionals agree this provides the minimum possible clarity for practical implementation. Clearly, such a standard does not belong in a data breach or any other law, but anything short of this specificity cannot realistically be implemented or set adequate guidance. Those seeking technical guidance should not look to laws and regulations, but to standards like NIST's FIPS 140-2. Anything less is technically meaningless to a great extent. Thus, the move towards technology-neutral language is a positive development in the latest regulations.



Finally, in educating and advising my clients about Massachusetts data privacy laws, I continue to find a widespread lack of awareness and understanding.



In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and avoiding technical mandates. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

SARAH CORTES, PMP, CISA
PRESIDENT

330-99-CYBER
31 INMAN STREET CAMBRIDGE, MA 02139
SARAH_CORTES@POST.HARVARD.EDU
LINKEDIN: SARAHCORTES
TWITTER @SARAHCORTES




COMPLEX APPLICATION DEVELOPMENT/IMPLEMENTATION
IT SECURITY/PRIVACY/RISK/AUDIT MANAGEMENT
DATA CENTER OPERATIONS MANAGEMENT
DISASTER RECOVERY/HIGH AVAILABILITY
PROGRAM/PROJECT MANAGEMENT





Sarah Cortes MA data breach law Testimony Sept 22 2009

Laws and regulations are only one piece of a successful approach to improving consumer privacy. I feel it is important to recognize where laws can actually contribute to improving data security. I appear today to especially support two revisions:

• First, improved consistency with Federal law and regulations.
• Second, avoiding technology-specific requirements that will quickly render regulations obsolete. Specifically, the Section 17.02 encryption definition revision to be technology-neutral.
• While some seem to seek greater specificity and express valid concerns about vagueness and a need for technical guidance, as a technical professional my findings support expansion of technology-neutral language.

Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy. As a data security practitioner, I see my clients continually struggle with the complex nature of technology and operational implications. These clients include a range of Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally; colleges and universities located in Massachusetts but with associated overseas institutions; and small and medium-sized firms operating in multiple states. In educating and advising my clients about Massachusetts Data Privacy laws, I find there continues to be widespread lack of awareness and understanding.

With respect to my first point, aligning Massachusetts and federal regulations:

• At a high level, the effect of HIPAA and state privacy laws on health care is instructive. While advancing laudable privacy concerns, the patchwork of 44 separate state laws as well as Federal laws like HIPAA has seriously detracted from patient care. This is because, from the point of view of a technology professional, this patchwork presents a significant barrier to technical implementation. The billions of ARRA dollars currently allocated to the technical implementation of Electronic Medical Records (EMR) attest to the real economic costs of well-meaning but poorly thought out laws and regulations which diverge from a national standard. The revisions to 201 CMR 17 improve on past versions to move away from this risk.

With respect to my second point, on encryption and technology-neutral language improvements:

• Technical mandates such as encryption involve a “slippery slope” of specificity that can only detract from laws. The most specific encryption standard widely cited by technical professionals is NIST FIPS 140-2, a standard set forth in over 1000 pages. Many security professionals agree this provides the minimum possible clarity for practical implementation. Clearly, such a standard does not belong in a data breach or any other law, but anything short of this specificity cannot realistically be implemented or set adequate guidance. Those seeking technical guidance should not look to laws and regulations, but to standards like NIST’s FIPS 140-2. Anything less is technically meaningless to a great extent. Thus, the move towards technology-neutral language is a positive development in the latest regulations.

Finally, in educating and advising my clients about Massachusetts data privacy laws, I continue to find a widespread lack of awareness and understanding.

In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and avoiding technical mandates. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

SARAH CORTES, PMP, CISA
PRESIDENT
330-99-CYBER
31 INMAN STREET
CAMBRIDGE, MA 02139
SARAH_CORTES@POST.HARVARD.EDU
LINKEDIN: SARAHCORTES
TWITTER @SARAHCORTES

• COMPLEX APPLICATION DEVELOPMENT/IMPLEMENTATION
• IT SECURITY/PRIVACY/RISK/AUDIT MANAGEMENT
• DATA CENTER OPERATIONS MANAGEMENT
• DISASTER RECOVERY/HIGH AVAILABILITY
• PROGRAM/PROJECT MANAGEMENT