AlertBoot Endpoint Security

Massachusetts Data Encryption Law 201 CMR 17.00 - Some Things That May Have Escaped Your Notice

  • Mass Data Encryption Law 201 - You're required to secure digital data
  • Mass Data Encryption Law 201 - You're also required to secure paper-based data

If what I'm reading at ftwlaw.com is correct, companies doing business in Massachusetts will need to do more than sign up for laptop encryption software services from AlertBoot to protect electronic data.  They'll also need to invest in shredders, because the same law requires them to secure paper-based documents.

The ftwlaw.com article (linked under Related Articles below) explains a lot of what's going on with the Massachusetts Data Encryption Law 201 CMR 17.00.  The only problem, as far as I can see, is that it was written on November 10, before the state extended the compliance dates.  Apart from the dates, everything else should still be valid, since the law itself hasn't changed, only the compliance deadlines.

Among the things that escaped my notice in my previous summary of the data encryption law:

  • The law, 201 CMR 17.00, is drafted so broadly that, although it's supposed to protect customers' personal information, it could also apply to the personal information of vendors, employees, suppliers, etc.
  • A company could face penalties of $5,000 per violation where it fails to secure data.
  • A company could face penalties of up to $50,000 for improper data disposal, assessed at $100 per data subject affected (per name or record in violation, I guess).  This applies to computers (an old computer is dumped) as well as to paper documents (a file cabinet is dumped).

The New Massachusetts Data Law Requires You To Protect Paper Documents As Well

Huh?  What?  Is this news to you?  It certainly is for me.  On the one hand, it makes sense.  I've ranted on this blog, too many times to count, that data is data, whether it's found on a backup tape, a laptop computer, a mainframe computer, or, yes, a stack of documents.  It's not a breakthrough in logic, so of course those drafting the law would see to it that paper records are covered by the law.

Why is it that almost no one mentions this, though?  All the different sites and articles I've read about the law covered only the need for firewalls, encryption, and other digital-related requirements.

I think what may have happened is that, because the new Massachusetts law has a disproportionate impact on electronic data, people overlooked the fact that paper-based documents need to be secured as well.  That, and the fact that most of the sources I read are biased towards technology.

But wouldn't the paper-based area be more of a headache?  Computers can be used to track electronic data.  Plus, the use of software like file encryption programs and hard drive encryption can dramatically reduce the incidence of data breaches.

For example, if a thief breaks into your company and steals an encrypted laptop, the contents of that laptop are still safe (provided it was shut down or locked, rather than left running with the disk already unlocked).  If he had opted to filch a folder full of credit applications, though, that's a full-blown data breach right there.

But how do you effectively protect paper records that are being stored?  If you're getting rid of them, you can shred them, but I don't know of any advances over the years in file-cabinet protection technology.  While the number of companies affected by this paper-security requirement may be small, I get the feeling it will be a bigger headache than securing electronic data.

Related Articles:
http://www.ftwlaw.com/page.php?page=articles&articles=98
http://www.mass.gov/legis/laws/mgl/93i-2.htm


Comments

AlertBoot Endpoint Security said:

All deadlines for compliance with the Massachusetts data protection law, 201 CMR 17.00, have been extended

February 17, 2009 3:00 PM

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.