It looks like Massachusetts will be one of the handful of states that are beginning to require the use of data encryption solutions like hard drive encryption from AlertBoot to protect consumer data—and not just recommend them, as the watershed legislation passed by California years ago did. The Boston Globe is reporting that state regulators released new rules (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth) that require companies to protect personal information.
According to the Globe, companies must encrypt data stored on laptops, monitor employees’ access to data, and put other security measures in place to protect consumer information. All of this must be in place by January 1, 2009. Sounds like a short period to me—and no doubt some are grumbling that having about a year to prepare for the new legal requirements would have been better. On the other hand, there is no sense in dillydallying when it comes to data security. The only time you’re allowed to do that is when you’re starting from a clean slate and don’t have any data to speak of. In that case, wait all you want: there is nothing to protect, so you can’t have a data breach.
But if you already have data, and it doesn’t happen to be protected by some type of security measure like file encryption, there is no guarantee that you won’t have a data security breach during the time you’re preparing your company for protection. (Which sounds weird: if you’re preparing your company to employ protection, it implies there’s a viable threat, so why are you preparing, as opposed to starting whatever you need to do to actually protect your data? Isn’t that like warming up to run away from a hungry, charging bear?) In other words, there’s no time like the present to start encrypting important or sensitive data.
If you’re a company in MA, though, there are some caveats you should be aware of. For example, there is the definition of personal information: it’s defined as a combination of a person’s first and last name with an SSN, driver’s license number, or financial account number. In other words, the Hannaford breach wouldn’t have required the company to have the data encrypted, because only credit card numbers were affected. (Which, I should point out, is a moot point, since credit card numbers have to be encrypted to begin with, per credit card industry rules.)
Related Sites:
http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca
http://www.boston.com/business/articles/2008/09/23/tougher_consumer_data_rule_adopted/