FOR IMMEDIATE RELEASE
Jenaly President MJ Shoer Testified Before Massachusetts Office of Consumer Affairs and Business Regulation
Portsmouth, NH, September 22, 2009 – MJ Shoer, President and Virtual Chief Technology Officer of Jenaly Technology Group, provided oral testimony today on the new law commonly known as 201 CMR 17.00. Together with CompTIA Vice President of Public Policy Robert Kramer and Waka Digital Media President Jacob Braun, he offered input to the Massachusetts Office of Consumer Affairs and Business Regulation on the impact of this law on small businesses and IT providers throughout the country.
"I was very pleased to have the opportunity to address the OCABR directly on this critically important issue. It's very important that the regulators understand the impact of the law, especially on small businesses and the IT providers like Jenaly that help these same businesses to be compliant with regulations like these," said MJ Shoer. "I am very grateful to CompTIA for providing me with the opportunity to help shape the final form of this important new legislation and, in so doing, represent the interests of our clients and my colleagues in the industry," MJ added.
The testimony MJ provided follows:
Good Morning. My name is MJ Shoer, president of Jenaly Technology Group. Like Jacob, I am an IT service provider, servicing small and medium sized businesses that own personal information (PI) of Commonwealth residents. Perhaps most importantly, my company is based in neighboring New Hampshire and will be affected by 201 CMR 17.00, as will our clients in both States. I feel strongly enough about this issue to be here with you today. I, too, am a member of the Computing Technology Industry Association, having served on its board for three years from 2005 until 2008.
Thank you for addressing this important issue. I would like to expand on Jacob’s testimony, namely the human aspects of cyber security, and then address how this applies to the rules.
Maintaining the integrity of PI – especially when more and more of this data moves so easily between people, businesses and government agencies – deserves the attention it is receiving here today. When transmitted over the Internet or connected networks, PI represents some of the most valuable and yet vulnerable aspects of our networks. Lacking proper cyber security safeguards, our economy and society could not function as fluidly or safely.
Fortunately, breaches are relatively rare events when viewed in the context of literally trillions of day-to-day transactions. Moreover, it is more likely than not that if one were to employ better human behavior – such as adhering to clear security guidelines, policies and protocols, and then reinforcing that with training and certification – one could defeat this threat. The bad news is, however, a large majority don’t adequately modify their behavior to the circumstances, and consequently PI breaches are rising.
Jacob and I help businesses that own PI manage in this challenging environment. We provide them with a “trusted solution”. In fact, both Jacob and I have a business-level, Security Trustmark from CompTIA. This Trustmark – rigorously based on industry standards and best practices – can quickly tell businesses that we know what we’re doing; that we specialize in protecting PI on a business-level, across all of its many characteristics, and thus we’re a better choice than others when it comes to this job.
So, how does “trust” concern the rules:
Section (f)(1) requires companies that contract with services providers to use “reasonable steps” in selecting them. Though the rules were designed with a risk-based implementation model in mind – in this context, “reasonable steps” lends little practical guidance to owners of PI.
This we believe may do one of two things:
Because a “reasonable” choice of service provider has no definition in the rules, owners of PI might actually avoid professional services like ours, seeking to minimize their exposure to this prosecutorially-friendly standard. The unfortunate result being that such avoidance may actually place PI at greater risk in some instances.
Or, it may lead owners of PI to overcompensate, and perform onerous and time consuming audits of services providers. Of course, a single owner need only come up with an auditing framework once. But, if you’re in the security business, you may be subject to a limitless variety of auditing from a range of companies, presenting a formidable administrative hurdle. In short – this overcompensation may actually limit service providers who might compete in the marketplace. This will likely lift costs for consumers, and may not necessarily result in the best service providers remaining in the market.
“Reasonable steps” should be clarified, allowing owners to more easily show their due diligence in choosing a service provider.
Consequently, for owners of PI, they should be able to rely on industry-recognized and developed, business-level accreditations, which demonstrate that for service providers who possess such up-to-date accreditations, they can properly maintain PI fully consistent with, or at a higher level, than the Commonwealth’s rules.
This clarification provides more certainty for owners, and through its administrative simplicity will lead to better, more cost-effective choice.
Thank you for the opportunity to address this important matter, and I will be pleased to answer any questions you may have.
About Jenaly Technology Group
Founded in 1997, Jenaly Technology Group provides outsourced IT services to its clients, small and mid-size businesses, from its headquarters in Portsmouth, New Hampshire. Jenaly's vision is to provide a more client centric approach to delivering IT services and support, helping clients to stay focused on their business objectives without having to worry about the day to day health of their IT infrastructure. For more information, please visit www.jenaly.com.
###
MJ Shoer
President & Virtual Chief Technology Officer
Jenaly Technology Group, Inc.
603-431-7864







