
New Massachusetts Regulations: “Data security breach is not a question of if, it’s a question of when”

Submitted by Steve Meltzer on November 18, 2009 – 10:11 am

I had the pleasure yesterday to attend a small-format seminar hosted by Wilmer Hale on the Massachusetts data security regulations. The event was organized by Machiko Sano Hewitt of the Lawyers Clearinghouse (who, by the way, also organized my seminars on the same topic).

Gerry Young, Secretariat Chief Information Officer of the Commonwealth of Massachusetts, presented along with Becky Burr, Molly Fox, Libby Black and Scott Kopcha of Wilmer Hale. The presentation was excellent and the presenters were well prepared, knowledgeable and genuinely interested in helping (and Gerry clearly loves his work).

The presentation was geared for non-profits so I was perhaps a bit of an interloper (but my intentions were pure).

The biggest takeaway for me from the presentation was the emphasis on adopting “industry standards” in order to comply with the new regulations. The standards provide both a framework for assessment and a shortcut or template for drafting a comprehensive written information security plan. Gerry Young, Scott Kopcha and Becky Burr each independently mentioned adopting industry standards, and ultimately all agreed that the best industry standard to follow would be ISO 27001 and ISO 27002 (even though they cost money to purchase).

Gerry Young and Scott Kopcha also highlighted the weakest link in any security program. Gerry noted that the “biggest threat is the internal threat,” and Scott commented that it is “generally the carbon-based units that are to blame for breaches . . . education and awareness are key.”

Gerry Young noted that organizations need to be “thinking proactively about data protection” in order to be in compliance and that “the biggest problems are something happening and people not knowing how to respond.”  This highlights the importance of having a breach response protocol and team in place before a breach happens because according to Gerry Young, a “data security breach is not a question of if, it’s a question of when.”

The most troubling revelation (to me) was that Gerry Young, who was involved in the drafting process and was therefore arguably in the best position of anyone in the room yesterday to understand the drafters’ intent with respect to the regulations, said on more than one occasion that many of the terms and provisions of the regulations will not be fully understood until they are litigated.
