
Massachusetts data protection, encryption law extended

Law now taking effect Jan. 1, 2010 would require any business collecting information on Massachusetts residents to encrypt sensitive data, protecting it from data leakage.

A new Massachusetts law scheduled to take effect in May has been extended to Jan. 1, 2010, giving businesses more time to address and deploy technologies that tighten control of consumer data.

The law requires any firm conducting business with state residents to deploy encryption and protect against data leakage. A combination of a person's name along with their Social Security number, bank account number or credit card number must be encrypted when stored on portable devices, or transmitted wirelessly on public networks, according to the new law.

Encryption of personal information on portable devices that carry identity data, such as laptops, PDAs and flash drives, must also be completed by Jan. 1, according to the Massachusetts Office of Consumer Affairs and Business Regulation, which announced the extension Thursday.


"We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections," Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a statement.

The extension included a revision to the rules that relaxes a requirement holding third parties accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.

Massachusetts has been ground zero for one of the most significant data security breaches in history. In 2007, TJX Cos., based in Framingham, Mass., announced a data breach in which hackers exposed at least 45.7 million credit and debit card holders to identity fraud. TJX has since settled a number of lawsuits and agreed to implement tighter security and obtain independent audits every other year for 20 years, according to a settlement reached with the Federal Trade Commission. Since then, lawmakers have been trying to find ways to force businesses to implement tighter security controls.


The regulations in Massachusetts and similar rules in Nevada are the first of their kind in the country, and experts say they could be even more substantial than the data breach notification laws, which California was the first to enact. In October, California Gov. Arnold Schwarzenegger vetoed a bill that would have prohibited storing sensitive consumer data at all after a purchase is authorized. At the time, Schwarzenegger called the proposed law more demanding than the current Payment Card Industry Data Security Standard (PCI DSS) and said it would have been too costly to businesses.

The economy has played a role in slowing investments in new security measures, said Khalid Kark, a senior analyst at Forrester Research. Many organizations are moving toward outsourced services and new projects are being done at a slower pace.

"Companies are paying higher prices but they're having the ability to change course when necessary," Kark said.


Ed Moyle, a manager with CTG's Information Security Solutions practice and a founding partner of Security Curve, said many businesses may have been blindsided by the rules, which extend to any business that collects data on Massachusetts residents. A heavy investment in technical controls would have been burdensome by the original May 1 deadline, Moyle said.

"Folks in Massachusetts were pretty well versed on it but a lot of other firms outside the state were caught a little bit by surprise," Moyle said. "The law hits them right in the center of their sweet spot."

Moyle said organizations should implement the mandates across the board nationwide as the path of least resistance. He called the breach disclosure laws useful, since they protect the consumer, but said they were reactive: the laws have helped shed light on the data leakage problem, but have done little to protect against it.

"Proactive measures protect the data ahead of some kind of breach and that's what these new rules set out to do," Moyle said.
