[Hidden-tech] New Massachusetts Encryption Law

Jan Werner jwerner at jwdp.com
Thu Feb 26 11:59:13 EST 2009


Before you get too excited about this, it helps to note what the law 
defines as personal information:

"Personal information," a Massachusetts resident's first name and last 
name or first initial and last name in combination with any one or more 
of the following data elements that relate to such resident: (a) Social 
Security number; (b) driver's license number or state-issued 
identification card number; or (c) financial account number, or credit 
or debit card number, with or without any required security code, access 
code, personal identification number or password, that would permit 
access to a resident's financial account; provided, however, that 
"Personal information" shall not include information that is lawfully 
obtained from publicly available information, or from federal, state or 
local government records lawfully made available to the general public.

If you have that kind of information on your computers in an unencrypted 
form, whether for yourself or others, you are being rather foolish.

Jan Werner
_____________


David Korpiewski wrote:
> I was just notified about a new Massachusetts data encryption law that 
> is going into effect May 1, 2009. It is pretty harsh and requires all 
> data with personal information to be encrypted, even on backup tapes. 
> I'm trying to find a software solution that will use software encryption 
> when backing up to a tape library one of the companies I work for 
> already owns. Does anyone know of any backup software that supports 
> software encryption when dumping data to tape?
> 
> Also, I have SQL servers and Access databases with personal data (that I 
> did not create, but maintain). Does anyone know how to encrypt this data?
> 
> Thanks
> David
> 
> Massachusetts encryption law even stricter than Nevada’s
> 
> Written by Dan Blacharski on October 24, 2008
> 
> I recently wrote about Arizona’s new law concerning encryption of 
> personal data. Several states are enacting similar legislation, and 
> encrypting such data is becoming a de facto national policy. Most 
> recently, Massachusetts issued new regulations on the same subject last 
> month, and that state’s laws will take effect on January 1, 2009.
> 
> The Massachusetts legislation, known as the Standards for the Protection 
> of Personal Information of Residents of the Commonwealth, is very 
> far-reaching and considered the strictest regulations to date. The new 
> law adds to Massachusetts’ already stringent security regulations, by 
> requiring all portable personal data about any Massachusetts resident to 
> be encrypted. This applies to data transmitted over public networks, or 
> that is stored on a laptop, or on any type of removable memory device. 
> The law requires other mandatory security procedures, including updated 
> user authentication and authorization.
> 
> There is a technical difference between Nevada’s and Massachusetts’ 
> statute in how encryption is defined. For the Nevada law, “encryption” 
> is defined as the use of a protective or disruptive measure, including 
> cryptography, enciphering, encoding, or a computer contaminant, to 
> render data unintelligible. The Massachusetts statute is more specific, 
> stating that “encryption” is an algorithmic process that requires a 
> confidential process or key to decode. Some have argued that since the 
> Nevada law does not use the word “algorithmic,” then password-protection 
> is adequate to adhere to the letter of the law.
> 
> Also, the laws differ in scope. Nevada’s law focuses on the electronic 
> transmission of data, while Massachusetts also includes portability. 
> Accordingly, if you have data on a resident of Massachusetts on your 
> hard drive, even if you do not send it via email or over the Internet, 
> you still must encrypt that data.
> 
> And the update:
> 
> Press Release
> 
> http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca
> 
> http://www.lawlib.state.ma.us/2008/11/identity-theft-regulation.html
> Monday, November 17, 2008
> Identity Theft Regulation Implementation Delayed
> 
> The Office of Consumer Affairs and Business Regulation announced Friday 
> that the effective date of 201 CMR 17 would be delayed. The 
> implementation of the regulations designed to protect individuals' 
> privacy was delayed "to provide flexibility to businesses that may be 
> experiencing financial challenges brought on by national and 
> international economic conditions."
> 
> New deadlines:
> 
>     * "The general compliance deadline for 201 CMR 17.00 has been 
> extended from January 1, 2009 to May 1, 2009.
>     * The deadline for ensuring that third-party service providers are 
> capable of protecting personal information and contractually binding 
> them to do so will be extended from January 1, 2009 to May 1, 2009, and 
> the deadline for requiring written certification from third-party 
> providers will be further extended to January 1, 2010.
>     * The deadline for ensuring encryption of laptops will be extended 
> from January 1, 2009 to May 1, 2009, and the deadline for ensuring 
> encryption of other portable devices will be further extended to January 
> 1, 2010."
> 