Data Mobility Group, LLC - High Definition Analytics and Technology Market Insight

Archive for the ‘General’ Category

Massachusetts and Nevada data protection laws, and you

Thursday, July 23rd, 2009

I’m all for data protection, and I believe we can all agree that the protection of personal information is extremely important. However, if our government wishes to enact laws to protect our data, then it should do a better job of crafting unambiguous wording. Ambiguity is an attorney’s best friend. With the number of attorneys-turned-legislators in government, one would think they should know better.

I was inspired by a recent post on Stephen Foskett’s Enterprise Storage Strategies Blog titled “Massachusetts Says Encrypt It All!” Stephen raised an interesting issue about tape encryption in the context of MA and NV data protection laws. His post compelled me to take a closer look at the wording of the laws. For your reference, the laws are:

  • NRS 597.970: Restrictions on transfer of personal information through electronic transmission. [In effect since October 1, 2008]
  • NRS 603A: Security of Personal Information
  • 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth [Effective January 1, 2010]

I began with a comment on Stephen’s blog:

“Stephen, I’ll suggest the same interpretation of Nevada’s law here that I used in a comment on Steve’s IT Rants.

Can an attorney successfully argue that tape is not ‘an electronic transmission…to a person outside of the secure system of the business’? In fact, the transportation of tape off-site is not electronic, it’s physical. The electronic transmission of the data to tape occurs before the tape leaves the facility. By the time it’s on tape, electronic transmission is no longer a factor. And if a fax - a combination of electronic and physical transmission - is permissible, then why not tape?

Mincing words, I know, but we all know that cases are won and lost in court based on wording and semantics. Legislators will need to be more clear about that.

Right now, it seems the wording is too vague. I suspect transporting a tape off-site would not break the law as it is now worded.”

Unlike Massachusetts law, in which the word “electronic” is defined as “relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities” and “record” is defined as “any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics”, Nevada law offers no such definitions and leaves the door wide open for interpretation.

I continued reading the laws, and paused to write a few observations along the way:

  • Massachusetts legislators conveniently and hypocritically defined “person” in a way that exempts the State from its own data protection law. 201 CMR 17.00 defines “person” as “a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Shades of Sarbanes-Oxley and the federal government—do as I say, not as I do. Massachusetts business owners should be furious that the State is not prepared to shoulder the same burden. After all, what Massachusetts entity stores more private information on Commonwealth citizens than the State itself?
  • 201 CMR 17.03 states “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.” As Steve Duplessie of ESG already pointed out, it remains to be seen if 201 CMR 17.00 can be enforced against out-of-state violators. I doubt it, but the threat alone will undoubtedly compel many out-of-state businesses to take action.
  • It also appears that the law may not be enforced consistently and equitably. 201 CMR 17.03 states “Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, shall be evaluated taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.” Will this mean that a relatively small law firm or retail business will not be held to the same level of accountability as larger firms?
  • 201 CMR 17.03 (f): “Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information…Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.” Certified by whom? The service provider? The State?
  • 201 CMR 17.03 (h): “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.” I do not have to tell you how prohibitively expensive and time-consuming it would be to inventory and identify every paper record that contains personal information within an organization. Fortunately, software applications do exist to aid electronic discovery. Unfortunately, most discovery tools cannot easily accommodate the data on tape backups. Do the legislators fully comprehend the impact of this requirement? I doubt it. Encrypting everything is not a solution.
  • 201 CMR 17.04 (1)(iii): “control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access.” I believe a definition is needed for the word “location”. Without it, I can interpret this to mean that the passwords should not be stored electronically alongside the protected data. What about data on a remote server accessed via a desktop computer containing a local unprotected password file?

Data protection laws need to be crystal clear, practical and affordable. I’m pleased with the spirit of the MA and NV data protection laws; however, state legislators must tighten the language and re-evaluate their expectations. As they stand now, the laws are ripe for abuse and misinterpretation so long as they remain poorly defined and impractical.

What do you think of the laws and the impact on your business? Join one of the conversations at Steve’s IT Rants or Enterprise Storage Strategies.

Will CEOs really learn any lessons from the failures of their peers?

Tuesday, July 21st, 2009

I’m doubtful, but hopeful.

Bob Hill over at www.BusinessBrief.com crafted a list of 10 lessons every CEO can learn from Fortune 500’s biggest losers.

I agree with Bob. There are lessons to be learned. However, I added:

And what, perhaps, is the biggest lesson of all? If you are F500 don’t worry about all of the above. If you screw things up royally, rest assured that (one way or another) Uncle Sam will bail you out.

Bob, I wish I could believe that CEOs will actually learn from the mistakes of their peers, but history has proven this to be largely untrue. And with a Federal government so willing to prop up institutions in our faux free market economy, what, precisely, is the incentive to genuinely succeed? Companies such as AIG and CITI have demonstrated that even catastrophic failure is rewarded handsomely.

Until the penalties outweigh the incentives, we are unlikely to see genuine change in any industry.

Take, for example, finance, health care and pharmaceuticals. What is the incentive to do the right thing for investors/patients/consumers when the penalties pale in comparison to the anticipated profits? The answer is: none.

Still, Bob’s list is worth reading for those of you who care. Join the conversation over at www.BusinessBrief.com.

And now for something a little different…

Thursday, July 9th, 2009

Frankly, I simply do not like managing a blog, as you can tell by how infrequently I publish. I much prefer to contribute insight to the blogs and columns of others than to publish my own beyond Data Mobility Group’s usual research. In fact, I’m quite active in that regard, and my comments can be found on forums of all types, from politics and education to transportation and information technology.

In the months ahead, you can expect to find the complete text of a select subset of my comments - past and present - published here with links to the original questions and conversations located elsewhere on the Internet. I encourage you to follow the links and join the conversations.

Cheers,

Joe Martins
Managing Director
Data Mobility Group, LLC.

Where has personal integrity gone?

Wednesday, May 6th, 2009

Following the recent news about David Donatelli’s sudden defection from EMC to HP, blogging pundits jumped at the opportunity to debate the nature of non-compete agreements.

Over the past couple of days I have read more than a dozen blog entries on the topic, written by industry analysts and veterans, and [in my humble opinion] every last one of them - including StorageMojo’s own Robin Harris - completely missed the big picture.

The Vendor Lock-In Bogeyman

Saturday, February 16th, 2008

By now, most of us have experienced vendor “lock-in.” Cell phones sold at a discount in exchange for contract agreements that lock you in to the provider. PC applications that are a nuisance to put up with but would be an even bigger nuisance to switch. And—we all love this one, don’t we?—the surprisingly cheap printer that requires you to buy that company’s surprisingly expensive ink cartridges.

In the business world, we’ve got vendor lock-in and we’ve got it bad. We spend tens of thousands—or tens of millions—of dollars on a complex business system, by which I mean some combination of hardware, software, and business processes sufficiently embedded in the company’s day-to-day operations that it would be extremely painful, difficult, and costly to replace it. Think CRM, ERP, CMS, BI, ILM—the list goes on. Once a system like that is up and running, once people have learned how to use it, once mountains of data have been stored in it and processed by it, once customers are interacting with it, once processes have been re-engineered around it, once a myriad of apps have been made compatible with it, once the IT folks have learned to baby it along . . . Talk about being locked in!


2008 and Beyond

Tuesday, January 29th, 2008

As Data Mobility Group nears the end of its sixth year in business, we look back with mixed feelings on what has been accomplished in the world of business. In our opinion, amazing technological achievements have been overshadowed by persistent personnel problems.

Ineffective people management and a lack of high-quality quantitative personnel insight continue to impair every aspect of business, from sales, marketing, and accounting to administration, engineering, and IT. These failings, combined with a misguided focus on technology, are a serious and sometimes fatal impediment to bottom- and top-line growth.


Welcome to the Saltworks

Monday, January 28th, 2008

Why “the Saltworks”?

Salt is essential for human survival and, according to Mark Kurlansky, the author of a fascinating book titled “Salt: A World History,” was one of the most sought-after commodities in human history until about 100 years ago, when innovations in manufacturing and distribution drove the cost down—and the availability up—to a point where we can hardly imagine that salt once fueled wars and financed empires. Salt continues to serve us in more than 14,000 ways—most of them unknown to most of us—including the manufacture of pharmaceuticals, fertilizers, soaps, water softeners, and textile dyes.

Similarly, the developed world has become inextricably dependent on technology for its survival and on a constant stream of new technology for its economic health. New technologies such as toilets and clocks were at first available only to a very few; it could take centuries before ordinary people could own such things. Today’s innovations in manufacturing and distribution fuel the almost instant commoditization of new technology, quickly giving computers, cell phones, and iPods the ubiquity of salt shakers.

Then there is salt’s broad metaphorical importance, which Kurlansky attributes to its “ability to preserve food, to protect against decay, and sustain life.” According to Kurlansky, we associate it with such things as longevity, permanence, immutability, truth, wisdom, and protection from evil. We tend to revere technology in a similar fashion, given how it has enhanced healthcare, education, science, digital preservation, social discourse and our standard of living.

Lastly, Kurlansky points out that salt is “a potent and dangerous substance that has to be handled with care.” History has shown that technology is no less dangerous in the wrong hands or the wrong circumstances.

To Data Mobility Group, the essential and virtually invisible technologies that surround and sustain us are the saltworks of modern civilization.

© 2002-2009 Data Mobility Group, LLC. All Rights Reserved.