Encrypt now to meet new Mass. data protection law

By Ed Moyle
03 Feb 2009 | SearchSecurity.com


Right now, most states have some type of breach disclosure notification requirement. But some folks might remember when this wasn't the norm -- when there were only a few states leading the breach disclosure charge and the rest weren't there yet.


At that time, we had a real pickle to contend with. Unless we knew what state our customers were residents of, we had to treat them all as if the notification requirement applied. And, at the end of the day, knowing what state customers really live in (not just what state is on record) is harder than you might think.

For most companies, the path of least resistance was pretty clear: disclose for all customers, no matter where they live. It seemed simpler at the time to just assume that the requirement applied, especially since other states were rapidly jumping on the bandwagon.

Here we are again
The reason I bring all this up is that today we're faced with a similar quandary. Last year, Massachusetts and Nevada were the first to adopt specific laws outlining minimum protections that organizations must implement for protecting the personal information of customers.

But while the Nevada law applies only to companies doing business in Nevada, the Massachusetts law doesn't limit scope in the same way. The Massachusetts law addresses itself more generally to "Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth…"

That's potentially quite a wide audience. It's possible that many organizations will find implementing the mandates of the law across the board to be the path of least resistance. As such, sitting up and taking notice of this law now is a pretty good idea.

The Massachusetts data protection law
The Massachusetts law, 201 CMR 17.00, Standards for The Protection of Personal Information of Residents of the Commonwealth, applies to organizations that maintain Personal Information about a Massachusetts resident. It outlines the minimum protections that such an organization must use to protect that data: both administrative requirements related to the organization of information security and specific technical controls that must be employed. The original compliance deadline was January 2009, but it has been pushed back to May 1, 2009 (or later for a few specific, difficult-to-meet requirements) to allow firms time to get the requisite controls in place.

Section 17.03, Duty to Protect and Standards for Protecting Personal Information, outlines specific administrative requirements that we must adhere to, such as a formal, written information security program, designation of an individual to maintain the security program, and requirements for third parties that will have access to covered data.

Now don't be surprised if some of this sounds familiar. Organizations that have already put effort into compliance with other legislation (for example, HIPAA or GLBA) or that have taken steps to comply with industry self-regulation (e.g., the PCI DSS) may find that they've already met many -- in some cases all -- of these requirements.

But section 17.04, Computer System Security Requirements, which outlines specific technical controls required to protect the data, is more likely to catch some of us by surprise. It requires, among other things, encryption of all records being transmitted across public networks (such as the Internet or wireless networks), encryption of all data on laptops or other portable devices, monitoring of systems for unauthorized exposure of personal information, and blocking of a user account after multiple incorrect login attempts.

For industries such as healthcare, which are used to less prescriptive regulations like HIPAA, making sure that these technical controls are in place could prove quite challenging. Even if you have many of these controls, the clock is ticking toward that deadline. May 1 isn't that far away, and given the scope of the technical controls required, now's the time to bring this law into the fold of your compliance program.


Ed Moyle is currently a manager with CTG's Information Security Solutions practice and a founding partner of Security Curve. Prior to joining Security Curve, Moyle was vice president and information security officer for Merrill Lynch Investment Managers (MLIM), where he was responsible for coordinating all aspects of information security within the business unit.
