Does 201 CMR 17 apply to VOIP?

Thursday, May 13th, 2010

Background: looking at going to a Voice Over IP phone system at work. Wondering if Massachusetts’ new law about information security applies.

Why it might not: a potential (MA based) vendor we’re talking to says

We’ve not been asked this before and about 201 CMR 17 Compliance and I don’t particularly think it applies to our VoIP, or VoIP in general

Why it might: Section 17.04 qualifies the applicability of the rule to

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include…a security system covering its computers, including any wireless system

Like just about any business, we definitely transmit personal information over our phone system, so I think the technical / legal question is whether an electronic phone system of the type in question is covered under the “its computers” phrase.

Stepping back from the legal to the practical, however, it seems fair to expect reasonable information security from our communications systems, including VOIP. At least in its intent, I think that’s what 201 CMR 17 is after. VOIP is still new enough that I suspect many prospective customers (like us!) aren’t quite sure what constitutes a reasonably secure installation, though we sense that there are all kinds of potential attack vectors not present in POTS.

latest 201 CMR 17 hotness

Friday, January 15th, 2010

You could be excused for having missed the news, but the 201 CMR 17 that was just about to go into effect over a year ago… is now just about to go into effect!

some tidbits:

Fortunately, there doesn’t seem to be anything particularly unreasonable in the requirements, so organizations following good data security procedures shouldn’t have to do much work (if any) to be compliant.

    Looking further into MA regulation 201 CMR 17.00

    Wednesday, October 22nd, 2008

    Thanks to MSCPA, I finally tracked down the Governor’s press release which, at first glance, has a reasonably clear description of the regulation’s intent. Also came across an analysis by Beth Israel’s CIO, a positive blurb from a Maine consultancy, and a brief mention by a MA payroll company.

    As for me, I still need to do my official audit of our procedures vs. those specified by the regulation.

    new Massachusetts personal info requirements

    Thursday, September 25th, 2008

    Networks Unlimited just sent out a note (thanks!) about the Mass Office of Consumer Affairs’ new Standards for The Protection of Personal Information of Residents of the Commonwealth, aka 201 CMR 17.00: M.G.L. c. 93H. It outlines the responsibilities of anyone who gathers personal information on Mass residents. At a glance, they look pretty reasonable. From the intro:

    Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

    It’ll be interesting to sit down with this & see how our policies & procedures match up.

    This Saturday: Grassroots Use of Technology Conference

    Monday, June 23rd, 2008

    On my agenda this weekend is the ‘08 edition of the Grassroots Use of Technology conference, happening up in Lowell. I was a volunteer at the conference back in ‘04 and ‘05, but I’ve been out of town for the last couple.

    This year I’ll be wearing my IT Manager hat & looking to pick people’s brains particularly about mass emailing, online donations, and fundraising tools.

    Hello, Peak Oil

    Friday, October 19th, 2007

    Thursday was the fifth day in a row crude prices have set new records.

     — ( extremely out-of-context quote from yahoo story on oil futures’ first trip over $90 / barrel )
    Mass Heating Oil prices, October 19 2007

    Heating oil prices not looking so good lately, either.

    The rest of the upcoming election

    Wednesday, October 25th, 2006

    I have nothing further to add about the high profile portions of the upcoming Massachusetts election. My thoughts about the less widely covered parts:

    Green-Rainbow endorsed Jill Stein for Secretary of State, because the person in charge of state elections ought to show up for his own debates.

    The brand-new Working Families party endorsed Rand Wilson for Auditor. Fascinating interview with Wilson here.

    On a related topic, I’m voting yes on question two. Good discussion in the interview above; an example of how it’s worked in New York here.

    Also voting yes on question three, for these reasons.