[Hidden-tech] New Massachusetts Encryption Law

Charlie Heath htcontact at townwebsites.com
Fri Feb 27 12:52:17 EST 2009


Thanks for the clarification; indeed, I think anyone handling this
information (SS, credit cards, driver's license) should already be
handling it with appropriate care, less the regulatory compliance liability.

If you're storing plain-text passwords of any kind, you should encrypt 
those, even if the password does not give access to a critical 
account. It shouldn't be hard to do, and will help protect users'
accounts not only to the accounts you control but also elsewhere, where
there might be more critical information. I don't want to know the 
passwords of the people I set up accounts for, and certainly don't want 
to leave their passwords anywhere on a system I've got responsibility 
for, even if the only thing the password does is grant access to a 
semi-public website.

Charlie


J. Cohen wrote:
> David Korpiewski wrote:
>   
>> I was just notified about a new Massachusetts data encryption law that
>> is going into effect May 1, 2009.   It is pretty harsh and requires all
>> data with personal information to be encrypted, even on backup tapes.
>> I'm trying to find a software solution that will use software encryption
>> when backing up to a tape library one of the companies I work for
>> already owns.   Does anyone know of any backup software that supports
>> software encryption when dumping data to tape?
>>     
>
> Thanks for the warning. I've never heard of it before.
>
> I wasn't sure what "personal data" meant, but looked it up:
>
> "Personal information," a  Massachusetts resident's first name and last
> name or first initial and last name in combination with any one or more
> of the following data elements that relate to such resident:
> (a)  Social Security number;
> (b)  driver's license number or state-issued identification card number; or
> (c)  financial account number, or credit or debit card number, with or
> without any required security code, access code, personal identification
> number or password, that would permit access to a resident’s financial
> account;
> provided, however, that “Personal information” shall not include
> information that is lawfully obtained from publicly available
> information, or from federal, state or local government records lawfully
> made available to the general public.
>
>
> I was worried that it applied to any usernames, email addresses and
> passwords...
>
>
> Josh
>
>
>   

