David Korpiewski wrote:
> I was just notified about a new Massachusetts data encryption law that
> is going into effect May 1, 2009. It is pretty harsh and requires
> all data with personal information to be encrypted, even on backup
> tapes. I'm trying to find a software solution that will use software
> encryption when backing up to a tape library one of the companies I
> work for already owns. Does anyone know of any backup software that
> supports software encryption when dumping data to tape?
>
> Also, I have SQL servers and Access databases with personal data (that
> I did not create, but maintain). Does anyone know how to encrypt
> this data?

yup. That can all be a major major PITA. However, worse is if you get hacked and that personal data is exposed. Then you have all kinds of legal hoops, liabilities and forensics to deal with.

There are a number of backup programs that can deal with encryption. The thing is, I think you are also required to encrypt personal data that is stored on the system itself, whether it be in ordinary files on the drive or in a database. It sounds like you are dealing with Windows systems -- since you mention SQL server and Access. I don't know about their abilities to deal with this.

You should also make sure you understand exactly what is legally meant by personal information. A customer database with addresses and contact information may not matter (they can get that out of the phone book). However, if it has social security numbers or credit card numbers, then it matters. You should assess whether or not you really need to keep that kind of information. If you don't *really* need it, and don't want the hassle and liability of keeping it, then dump it. Don't keep it. You can always ask the customer at the point of transaction where it matters and then immediately dump it. Outsource web credit card transactions.

This was actually discussed on the list at some length some time ago (maybe last fall). Check the archives if that is of interest.

If you are a medical or dental office, then you really really need to deal with this, and you should have a software vendor who understands the issues and has already prepared to deal with it.

All the way back about 1996 I was responsible for a customer database for Specular (software company in Amherst) and configured a system that they could take to trade shows, handle customer transactions, and bring them back to upload into our database in Amherst. We were very concerned about security. I ended up configuring the system so that the whole drive was encrypted and the embedded driver in the boot sector of the drive would not let you access the drive and boot up without providing a password (if you plug it into another system and try to access it, same thing). The President of the company offloaded the system daily to an encrypted diskette which he held personally.

The interesting thing was that at the end of the trade show a whole pallet of office equipment and computers simply disappeared. It was never found. But we were covered, both in the sense of having our data and in the sense of no one else being able to get it.

--
---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk at bio.umass.edu>

---------------

Erdös 4