Massachusetts has a new data security law going into effect on March 1st, 2010. Frankly, it scares me.
Here's the problem: most of my customers are in Massachusetts or do business with MA residents. Most of my customers are NOT in compliance with these new regulations and I am very concerned about my exposure to lawsuits if they are ever sued because of that.
I am not a lawyer. I may have some idea of how the new law applies to specific situations, but I'm not in a position to interpret regulations. Do you need to upgrade an old RedHat 8 or SCO 5.0.6 system because they may not meet security requirements and are on the same network as a machine that handles personal information? I DO NOT KNOW.
I'd sarcastically note that your lawyer doesn't really know either: if there's a security breach and somebody wants to sue you, their lawyers will be looking for anything they can blame on anyone, so my bet is, yeah, they'd be trying to pin blame on any old OS on the network. But - I DO NOT KNOW.
I am not a security expert. I don't even like thinking about security. I'm a trusting person: I trust people, I want them to trust me. I truly hate that there are people in this world that you cannot trust, so that makes it very hard for me to get interested in security. Does your Windows 2000 server present a security risk? Probably, but I DO NOT KNOW. Frankly, I don't WANT to know.
I had a conversation this morning with another consultant who hires me now and then when he has Linux or Unix customers. He asked me if I could set password policies for those customers. Sure I can - but is that enough? I DO NOT KNOW. And I don't want to know.
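The password-policy request above is the one concrete technical task on this page, so here is an added example (not code from the original post) of what "setting a password policy" on a shadow-suite Linux box starts with: a POSIX shell audit of the aging and length settings in /etc/login.defs. The thresholds (90-day maximum age, 8-character minimum length) and the two sample files are this example's own assumptions, not anything the regulation or the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post: audit the password-aging and
# minimum-length settings in a shadow-suite /etc/login.defs.
# The limits below are assumptions chosen for illustration.
MAX_DAYS_LIMIT=90
MIN_LEN_LIMIT=8

# Print the value of KEY from FILE, ignoring commented-out lines.
# Usage: defs_value FILE KEY   (prints nothing when the key is unset)
defs_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Audit FILE: one line per finding, return 0 only when nothing is flagged.
audit_login_defs() {
    file=$1
    rc=0
    max=$(defs_value "$file" PASS_MAX_DAYS)
    min_len=$(defs_value "$file" PASS_MIN_LEN)

    if [ -z "$max" ]; then
        echo "FAIL: PASS_MAX_DAYS not set (shadow default 99999 = never expires)"
        rc=1
    elif [ "$max" -gt "$MAX_DAYS_LIMIT" ]; then
        echo "FAIL: PASS_MAX_DAYS=$max exceeds $MAX_DAYS_LIMIT"
        rc=1
    fi

    if [ -z "$min_len" ]; then
        echo "WARN: PASS_MIN_LEN not set (length is then left to PAM, if any)"
        rc=1
    elif [ "$min_len" -lt "$MIN_LEN_LIMIT" ]; then
        echo "FAIL: PASS_MIN_LEN=$min_len below $MIN_LEN_LIMIT"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $file"
    fi
    return "$rc"
}

# Constructed sample files standing in for a stock (weak) and a tightened login.defs.
WEAK=$(mktemp)
STRONG=$(mktemp)
cat > "$WEAK" <<'EOF'
# Stock defaults seen on many older distributions
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
cat > "$STRONG" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   14
EOF

audit_login_defs "$WEAK" || true   # expected to flag two findings
audit_login_defs "$STRONG"         # expected to print OK
```

Two caveats a practitioner would want: login.defs aging values only apply to accounts created after the change, so existing accounts need `chage -M` (and `chage -l` to verify), and on PAM-based systems password length and complexity are usually enforced by pam_cracklib or pam_pwquality rather than PASS_MIN_LEN, so this check covers aging, not strength.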
We talked about a specific job where we are moving from a SCO server to Linux. The servers store credit card information. "They need to be in a locked room", he said. I don't know if that's true (I am not a lawyer, remember?) but the room that they are in is often locked - though people work in that room also. Where does that leave me if they want me to assist with the transfer? Should I work on the system? Am I exposing myself to potential liability?
Another of his customers wanted a Samba share added for a particular user. I can think of at least 20 ways this guy is not in compliance. Do I refuse to add the share?
We talked about liability insurance. He's never carried it and neither have I. It's doubtful that it could protect us anyway. It definitely wouldn't cover work we did years ago and unless we were certified security experts, I can't imagine that any insurance company would be dumb enough to cover us for this stuff anyway.
So what do we do? We both agreed that if we were financially able, we'd close our businesses today and retire. That's not an option for either of us.
Do we refuse security related work? Fine, but almost anything is security related in some way. If we do refuse it, we both know damn well that we'll probably lose ALL work from that customer because someone really no better equipped than we are will step in and tell the customer that they CAN advise them on this stuff. That they will likely be lying is no comfort: they'll have the business.
Do we ask for indemnification? Great, you get your customer to sign something that says he won't sue you. Do you think he'll agree to indemnify you if someone sues him AND you? Not likely.
So what do you do? I know a lot of the folks who read this are in similar situations. Maybe your State hasn't passed this sort of legislation yet, but odds are that they will. What are you going to do? What are WE going to do?
I DO NOT KNOW.
© 2012-06-30 Anthony Lawrence