[Hidden-tech] New Massachusetts Encryption Law

DrFried DrFried at MotionDoc.com
Thu Feb 26 11:50:41 EST 2009


That's a bit scary; I've never heard of this law.  What is considered 
personal data?

Thanks,
Mindi Fried, DC
Motion Chiropractic Center


David Korpiewski wrote:
> I was just notified about a new Massachusetts data encryption law that 
> is going into effect May 1, 2009.   It is pretty harsh and requires 
> all data with personal information to be encrypted, even on backup 
> tapes. I'm trying to find a software solution that will use software 
> encryption when backing up to a tape library one of the companies I 
> work for already owns.   Does anyone know of any backup software that 
> supports software encryption when dumping data to tape?
>
> Also, I have SQL servers and Access databases with personal data (that 
> I did not create, but maintain).   Does anyone know how to encrypt 
> this data?
>
> Thanks
> David
>
> Massachusetts encryption law even stricter than Nevada’s
>
> Written by Dan Blacharski on October 24, 2008
>
> I recently wrote about Arizona’s new law concerning encryption of 
> personal data. Several states are enacting similar legislation, and 
> encrypting such data is becoming a de facto national policy. Most 
> recently, Massachusetts issued new regulations on the same subject 
> last month, and that state’s laws will take effect on January 1, 2009.
>
> The Massachusetts legislation, known as the Standards for the 
> Protection of Personal Information of Residents of the Commonwealth, 
> is very far-reaching and considered the strictest regulations to date. 
> The new law adds to Massachusetts’ already stringent security 
> regulations, by requiring all portable personal data about any 
> Massachusetts resident to be encrypted. This applies to data 
> transmitted over public networks, or that is stored on a laptop, or on 
> any type of removable memory device. The law requires other mandatory 
> security procedures, including updated user authentication and 
> authorization.
>
> There is a technical difference between Nevada’s and Massachusetts’ 
> statute in how encryption is defined. For the Nevada law, “encryption” 
> is defined as the use of a protective or disruptive measure, including 
> cryptography, enciphering, encoding, or a computer contaminant, to 
> render data unintelligible. The Massachusetts statute is more 
> specific, stating that “encryption” is an algorithmic process that 
> requires a confidential process or key to decode. Some have argued 
> that since the Nevada law does not use the word “algorithmic,” then 
> password-protection is adequate to adhere to the letter of the law.
>
> Also, the laws differ in scope. Nevada’s law focuses on the electronic 
> transmission of data, while Massachusetts also includes portability. 
> Accordingly, if you have data on a resident of Massachusetts on your 
> hard drive, even if you do not send it via email or over the Internet, 
> you still must encrypt that data.
>
> And the update:
>
> Press Release
>
> http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca 
>
> http://www.lawlib.state.ma.us/2008/11/identity-theft-regulation.html
> Monday, November 17, 2008
> Identity Theft Regulation Implementation Delayed
>
> The Office of Consumer Affairs and Business Regulation announced 
> Friday that the effective date of  201 CMR 17 would be delayed. The 
> implementation of the regulations designed to protect individuals' 
> privacy was delayed "to provide flexibility to businesses that may be 
> experiencing financial challenges brought on by national and 
> international economic conditions."
>
> New deadlines:
>
>     * "The general compliance deadline for 201 CMR 17.00 has been 
> extended from January 1, 2009 to May 1, 2009.
>     * The deadline for ensuring that third-party service providers are 
> capable of protecting personal information and contractually binding 
> them to do so will be extended from January 1, 2009 to May 1, 2009, 
> and the deadline for requiring written certification from third-party 
> providers will be further extended to January 1, 2010.
>     * The deadline for ensuring encryption of laptops will be extended 
> from January 1, 2009 to May 1, 2009, and the deadline for ensuring 
> encryption of other portable devices will be further extended to 
> January 1, 2010."
>
