[Hidden-tech] New Massachusetts Encryption Law

Chris Hoogendyk hoogendyk at bio.umass.edu
Thu Feb 26 12:36:52 EST 2009

David Korpiewski wrote:
> I was just notified about a new Massachusetts data encryption law that 
> is going into effect May 1, 2009.   It is pretty harsh and requires 
> all data with personal information to be encrypted, even on backup 
> tapes. I'm trying to find a software solution that will use software 
> encryption when backing up to a tape library one of the companies I 
> work for already owns.   Does anyone know of any backup software that 
> supports software encryption when dumping data to tape?
>
> Also, I have SQL servers and Access databases with personal data (that 
> I did not create, but maintain).   Does anyone know how to encrypt 
> this data? 

Yup. That can all be a major major PITA. However, worse is if you get 
hacked and that personal data is exposed. Then you have all kinds of 
legal hoops, liabilities and forensics to deal with.

There are a number of backup programs that can deal with encryption. The 
thing is, I think you are also required to encrypt personal data that is 
stored on the system itself, whether it be in ordinary files on the 
drive or in a database.

It sounds like you are dealing with Windows systems -- since you mention 
SQL server and Access. I don't know about their abilities to deal with this.

You should also make sure you understand exactly what is legally meant 
by personal information. A customer database with addresses and contact 
information may not matter (they can get that out of the phone book). 
However, if it has social security numbers or credit card numbers, then 
it matters. You should assess whether or not you really need to keep 
that kind of information. If you don't *really* need it, and don't want 
the hassle and liability of keeping it, then dump it. Don't keep it. You 
can always ask the customer at the point of transaction where it matters 
and then immediately dump it. Outsource web credit card transactions. 
This was actually discussed on the list at some length some time ago 
(maybe last fall). Check the archives if that is of interest.

If you are a medical or dental office, then you really really need to 
deal with this, and you should have a software vendor who understands 
the issues and has already prepared to deal with it.

All the way back in about 1996 I was responsible for a customer database 
for Specular (software company in Amherst) and configured a system that 
they could take to trade shows, handle customer transactions, and bring 
them back to upload into our database in Amherst. We were very concerned 
about security. I ended up configuring the system so that the whole 
drive was encrypted and the embedded driver in the boot sector of the 
drive would not let you access the drive and boot up without providing a 
password (if you plug it into another system and try to access it, same 
thing). The President of the company offloaded the system daily to an 
encrypted diskette which he held personally. The interesting thing was 
that at the end of the trade show a whole pallet of office equipment and 
computers simply disappeared. It was never found. But we were covered, 
both in the sense of having our data and in the sense of no one else 
being able to get it.

-- 
---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst 

<hoogendyk at bio.umass.edu>

--------------- 

Erdös 4
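The reply above makes two practical points that lend themselves to a concrete check: first figure out which stored records actually contain regulated identifiers (SSNs, card numbers) rather than mere contact details, and then purge what you do not really need. The following is an added example, not code from the list thread or from any backup or database product mentioned in it. It scans a small set of constructed customer rows (hypothetical data, not from the page) for SSN-shaped values and Luhn-valid card numbers, reports which rows would need encryption or removal, and shows a scrub step that drops the identifiers in place. The regexes and the `inventory`/`scrub_row` function names are this example's own assumptions.

```python
import re

# Constructed sample export (hypothetical data, not from the thread).
# Row 1 has only contact info; rows 2 and 3 carry regulated identifiers;
# row 4 has a 16-digit order reference that is NOT a valid card number.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "address": "1 Main St, Amherst MA",
     "notes": "phone 413-555-0100"},
    {"id": 2, "name": "B. Example", "address": "2 Elm St",
     "notes": "SSN 123-45-6789 on file"},
    {"id": 3, "name": "C. Example", "address": "3 Oak St",
     "notes": "card 4111 1111 1111 1111 exp 01/10"},
    {"id": 4, "name": "D. Example", "address": "4 Pine St",
     "notes": "order ref 1234-5678-9012-3456"},
]

# SSN shape: AAA-GG-SSSS. Plausibility rules below weed out obvious junk.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Card candidate: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(text: str) -> bool:
    """Reject area 000/666/9xx, group 00 and serial 0000 (never issued)."""
    m = SSN_RE.fullmatch(text)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def classify_row(row: dict) -> list:
    """Return sorted identifier kinds ('ssn', 'card') found in a row."""
    kinds = set()
    for value in row.values():
        if not isinstance(value, str):
            continue
        if any(plausible_ssn(m.group()) for m in SSN_RE.finditer(value)):
            kinds.add("ssn")
        if any(luhn_ok(_card_digits(m.group())) for m in CARD_RE.finditer(value)):
            kinds.add("card")
    return sorted(kinds)


def inventory(rows: list) -> dict:
    """Map row id -> identifier kinds for every row that needs protection."""
    return {row["id"]: kinds for row in rows if (kinds := classify_row(row))}


def scrub_row(row: dict) -> dict:
    """Copy of the row with SSNs and valid card numbers removed in place."""
    clean = dict(row)
    for field, value in row.items():
        if not isinstance(value, str):
            continue
        value = SSN_RE.sub(
            lambda m: "[SSN-REMOVED]" if plausible_ssn(m.group()) else m.group(), value)
        value = CARD_RE.sub(
            lambda m: "[CARD-REMOVED]" if luhn_ok(_card_digits(m.group())) else m.group(), value)
        clean[field] = value
    return clean


if __name__ == "__main__":
    for row_id, kinds in inventory(SAMPLE_ROWS).items():
        print(f"row {row_id}: {', '.join(kinds)} -> encrypt or purge")
    print(scrub_row(SAMPLE_ROWS[2])["notes"])
```

The Luhn check matters in practice: plain digit-run matching would flag the order reference in row 4 as a card number and inflate the inventory, while the plausibility rules on SSNs cut down on phone numbers and serials that happen to share the dashed shape. Running this over an export of each database the original poster maintains gives a defensible list of which tables (and therefore which backups) fall under the law, and which fields can simply be dropped at the point of transaction as the reply suggests.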