Comments on Jeremiah Grossman: Hey Massachusetts, where is your application security requirement?

Comment by Boaz Gelbord (2010-02-19):

You hit the nail on the head Jeremiah! What's most surprising is that the Massachusetts regulation (201 CMR 17.00) is not some poorly thought out piece of legislation that somehow slipped under the radar. There have been numerous revisions and a great deal of discussion during the drafting of this regulation.

I have blogged before (http://www.boazgelbord.com/2009/11/mass-security-regulation-gets-tech.html) about the mistake of omitting application security from the Massachusetts regulation. And the Massachusetts regulation might now become a model for other states. When California introduced the first data breach notification law a few years back, it was eventually replicated in almost all 50 states.

201 CMR 17.00 is essentially the first state-level regulation with specific technical mandates for protecting PII. So there are undoubtedly other states considering a version of their own. Although it is too late for this version of the Massachusetts regulation, hopefully this will be corrected in future versions or in other states.