Massachusetts data protection, encryption law extended

By Robert Westervelt, News Editor
13 Feb 2009 | SearchSecurity.com


A new Massachusetts law scheduled to take effect in May has been extended to Jan. 1, 2010, giving businesses more time to address and deploy technologies that tighten control of consumer data.

The law requires any firm conducting business with state residents to deploy encryption and protect against data leakage. Under the new law, a person's name in combination with their Social Security number, bank account number or credit card number must be encrypted when stored on portable devices or transmitted wirelessly or over public networks.

Personal information stored on portable devices such as laptops, PDAs and flash drives must also be encrypted by Jan. 1, according to the Massachusetts Office of Consumer Affairs and Business Regulation, which announced the extension Thursday.

"We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections," Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation said in a statement.

The extension also included a revision to the rules that relaxes the requirement holding third-party providers accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.

Massachusetts has been ground zero for one of the most significant data security breaches in history. In 2007, TJX Cos., based in Framingham, Mass., announced a data breach in which hackers exposed at least 45.7 million credit and debit card holders to identity fraud. TJX has since settled a number of lawsuits and agreed to implement tighter security and obtain independent audits every other year for 20 years, according to a settlement reached with the Federal Trade Commission. Since then, lawmakers have been trying to find ways to force businesses to implement tighter security controls.

The regulations in Massachusetts and similar rules in Nevada are the first of their kind in the country, and experts say they could prove even more significant than the data breach notification laws, which California was the first to enact. In October, California Gov. Arnold Schwarzenegger vetoed a bill that would have prohibited sensitive consumer data from being stored at all after a purchase is authorized. At the time, Schwarzenegger called the proposed law more demanding than the current Payment Card Industry Data Security Standard (PCI DSS) and said it would have been too costly for businesses.

The economy has played a role in slowing investments in new security measures, said Khalid Kark, a senior analyst at Forrester Research. Many organizations are moving toward outsourced services, and new projects are being undertaken at a slower pace.

"Companies are paying higher prices but they're having the ability to change course when necessary," Kark said.

Ed Moyle, a manager with CTG's Information Security Solutions practice and a founding partner of Security Curve, said many businesses may have been blindsided by the rules, which extend to any business that collects data on Massachusetts residents. A heavy investment in technical controls would have been burdensome under the original May 1 deadline, Moyle said.

"Folks in Massachusetts were pretty well versed on it but a lot of other firms outside the state were caught a little bit by surprise," Moyle said. "The law hits them right in the center of their sweet spot."

Moyle said organizations should implement the mandates across the board nationwide as the path of least resistance. He called the breach disclosure laws useful, since they protect the consumer, but said they were reactive: they have helped shed light on the data leakage problem but have done little to prevent it.

"Proactive measures protect the data ahead of some kind of breach and that's what these new rules set out to do," Moyle said.
