[Hidden-tech] New Massachusetts Encryption Law

David Korpiewski davidk at cs.umass.edu
Thu Feb 26 11:16:11 EST 2009

Previous message: [Hidden-tech] Fwd: AZ seeking publicist and PR assist
Next message: [Hidden-tech] New Massachusetts Encryption Law
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I was just notified about a new Massachusetts data encryption law that 
is going into effect May 1, 2009.   It is pretty harsh and requires all 
data with personal information to be encrypted, even on backup tapes. 
I'm trying to find a software solution that will use software encryption 
when backing up to a tape library one of the companies I work for 
already owns.   Does anyone know of any backup software that supports 
software encryption when dumping data to tape?

Also, I have SQL servers and Access databases with personal data (that I 
did not create, but maintain).   Does anyone know how to encrypt this data?

Thanks
David

Massachusetts encryption law even stricter than Nevada’s

Written by Dan Blacharski on October 24, 2008

I recently wrote about Arizona’s new law concerning encryption of 
personal data. Several states are enacting similar legislation, and 
encrypting such data is becoming a de facto national policy. Most 
recently, Massachusetts issued new regulations on the same subject last 
month, and that state’s laws will take effect on January 1, 2009.

The Massachusetts legislation, known as the Standards for the Protection 
of Personal Information of Residents of the Commonwealth, is very 
far-reaching and considered the strictest regulations to date. The new 
law adds to Massachusetts’ already stringent security regulations, by 
requiring all portable personal data about any Massachusetts resident to 
be encrypted. This applies to data transmitted over public networks, or 
that is stored on a laptop, or on any type of removable memory device. 
The law requires other mandatory security procedures, including updated 
user authentication and authorization.

There is a technical difference between Nevada’s and Massachusetts’ 
statute in how encryption is defined. For the Nevada law, “encryption” 
is defined as the use of a protective or disruptive measure, including 
cryptography, enciphering, encoding, or a computer contaminant, to 
render data unintelligible. The Massachusetts statute is more specific, 
stating that “encryption” is an algorithmic process that requires a 
confidential process or key to decode. Some have argued that since the 
Nevada law does not use the word “algorithmic,” then password-protection 
is adequate to adhere to the letter of the law.

Also, the laws differ in scope. Nevada’s law focuses on the electronic 
transmission of data, while Massachusetts also includes portability. 
Accordingly, if you have data on a resident of Massachusetts on your 
hard drive, even if you do not send it via email or over the Internet, 
you still must encrypt that data.





And the update:



Press Release

http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca 


http://www.lawlib.state.ma.us/2008/11/identity-theft-regulation.html 

Monday, November 17, 2008
Identity Theft Regulation Implementation Delayed

The Office of Consumer Affairs and Business Regulation announced Friday 
that the effective date of  201 CMR 17 would be delayed. The 
implementation of the regulations designed to protect individuals' 
privacy was delayed "to provide flexibility to businesses that may be 
experiencing financial challenges brought on by national and 
international economic conditions."



New deadlines:

     * "The general compliance deadline for 201 CMR 17.00 has been 
extended from January 1, 2009 to May 1, 2009.
     * The deadline for ensuring that third-party service providers are 
capable of protecting personal information and contractually binding 
them to do so will be extended from January 1, 2009 to May 1, 2009, and 
the deadline for requiring written certification from third-party 
providers will be further extended to January 1, 2010.
     * The deadline for ensuring encryption of laptops will be extended 
from January 1, 2009 to May 1, 2009, and the deadline for ensuring 
encryption of other portable devices will be further extended to January 
1, 2010."






-- 
===========================================
David Korpiewski
Software Specialist I
CSCF - Computer Science Computing Facility
Department of Computer Science
Phone: 413-545-4319
Fax:   413-577-2285
===========================================

Previous message: [Hidden-tech] Fwd: AZ seeking publicist and PR assist
Next message: [Hidden-tech] New Massachusetts Encryption Law
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Hidden-discuss mailing list