That's a bit scary, I've never heard of this law. What is considered personal data?

Thanks,
Mindi Fried, DC Motion Chiropractic Center

David Korpiewski wrote:
> ** Be sure to fill out the survey/skills inventory in the member's area.
> ** If you did, we all thank you.
>
> I was just notified about a new Massachusetts data encryption law that is going into effect May 1, 2009. It is pretty harsh and requires all data with personal information to be encrypted, even on backup tapes. I'm trying to find a software solution that will use software encryption when backing up to a tape library one of the companies I work for already owns. Does anyone know of any backup software that supports software encryption when dumping data to tape?
>
> Also, I have SQL servers and Access databases with personal data (that I did not create, but maintain). Does anyone know how to encrypt this data?
>
> Thanks
> David
>
> Massachusetts encryption law even stricter than Nevada’s
>
> Written by Dan Blacharski on October 24, 2008
>
> I recently wrote about Arizona’s new law concerning encryption of personal data. Several states are enacting similar legislation, and encrypting such data is becoming a de facto national policy. Most recently, Massachusetts issued new regulations on the same subject last month, and that state’s laws will take effect on January 1, 2009.
>
> The Massachusetts legislation, known as the Standards for the Protection of Personal Information of Residents of the Commonwealth, is very far-reaching and considered the strictest regulations to date. The new law adds to Massachusetts’ already stringent security regulations, by requiring all portable personal data about any Massachusetts resident to be encrypted. This applies to data transmitted over public networks, or that is stored on a laptop, or on any type of removable memory device.
> The law requires other mandatory security procedures, including updated user authentication and authorization.
>
> There is a technical difference between Nevada’s and Massachusetts’ statute in how encryption is defined. For the Nevada law, “encryption” is defined as the use of a protective or disruptive measure, including cryptography, enciphering, encoding, or a computer contaminant, to render data unintelligible. The Massachusetts statute is more specific, stating that “encryption” is an algorithmic process that requires a confidential process or key to decode. Some have argued that since the Nevada law does not use the word “algorithmic,” then password-protection is adequate to adhere to the letter of the law.
>
> Also, the laws differ in scope. Nevada’s law focuses on the electronic transmission of data, while Massachusetts also includes portability. Accordingly, if you have data on a resident of Massachusetts on your hard drive, even if you do not send it via email or over the Internet, you still must encrypt that data.
>
> And the update:
>
> Press Release
> http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca
>
> http://www.lawlib.state.ma.us/2008/11/identity-theft-regulation.html
> Monday, November 17, 2008
> Identity Theft Regulation Implementation Delayed
>
> The Office of Consumer Affairs and Business Regulation announced Friday that the effective date of 201 CMR 17 would be delayed. The implementation of the regulations designed to protect individuals' privacy was delayed "to provide flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions."
>
> New deadlines:
>
> * "The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009.
> * The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010.
> * The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010."