Massachusetts State Government Data Breach Revealed: Talk About Not Drinking Your Own Kool Aid
- Date: 16 July 2010
- Author: broyer
- Category: Encryption, data privacy
So much for MASS 201 CMR 17 ― purportedly the most stringent anti-data breach, pro-data encryption legislation in the entire country ― being enforced in its own backyard.
As revealed just this week by the Massachusetts Secretary of State’s Office, the data breach in question occurred when an employee accidentally released confidential information on 139,000 state-registered investment advisors, including their social security numbers, to an investment industry publication, IA Week, via a CD-ROM. While the publication’s request was above board – it was merely seeking the names of Massachusetts registered investment advisors – what returned to the pub was probably far more than it had expected. Recorded on the CD-ROM were not only the aforementioned social security numbers, but also each advisor’s date and location of birth, height, weight, hair and yes, even eye color.
Ironically, and perhaps even more disturbingly, none of the information contained on the CD-ROM was encrypted – a core requirement of the MASS 201 CMR 17 law. On March 1, 2010 the groundbreaking law became the first in the nation to require encryption to protect personal information contained in both paper and electronic records. In fact, the law spells out that if you license or own any personal data of a Massachusetts resident, regardless of the size of your business or where you’re located, you must comply with this law.
While the publication claims it has not copied the data and therefore never placed the investment advisors’ identities in jeopardy, David Berman, a security expert interviewed for the story, argues otherwise. “If gotten into the wrong hands, the exposed data could be used to obtain a fake ID, which can subsequently be used by hackers to infiltrate or open personal accounts using the victim’s personal information.” Berman goes on to state that those affected by the breach should consider their identity at risk.
In exercising damage control the Massachusetts Securities Division is weighing whether this all qualifies as a data breach, given that the data was recovered and no apparent abuse resulted.
That’s all well and good, of course; however, when it comes to MASS 201 CMR 17, Massachusetts state government must lead by example, and frankly, with this latest announcement of a data breach within its own Beacon Hill corridors, it’s falling far short of what the public law requires and private individuals expect. Read the full story here.
I totally agree that this latest Massachusetts government breach is disconcerting; however, a close read of 201 C.M.R. 17 will reveal that the regulation does not apply to the Secretary of State’s Office. There’s a carve-out for municipalities, state offices and state agencies (201 C.M.R. defines “Person” as “a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof”). State offices and agencies are, however, subject to Executive Order 504 (see http://www.mass.gov/?pageID=gov3terminal&L=3&L0=Home&L1=Legislation+%26+Executive+Orders&L2=Executive+Orders&sid=Agov3&b=terminalcontent&f=Executive+Orders_executive_order_504&csid=Agov3 ). Unfortunately, however, this order contains no requirement for encryption, despite the fact that state offices maintain enormous amounts of personal information belonging to Massachusetts residents.