(Update, Feb 16, 2009: All dates for meeting compliance have been extended to January 1, 2010)
Sometimes, if you surf the net long enough, you end up uncovering a gem, such as this checklist published by the Commonwealth of Massachusetts. Titled "201 CMR 17.00 Checklist," it was compiled by the OCABR "to help small businesses in their effort to comply with 201 CMR 17.00."
As the paper notes, it's not meant to be comprehensive, but it will show you the least you need to do to be in compliance with the law, which goes into effect on May 1, 2009, with certain, specific issues going into effect on January 1, 2010. Originally, the compliance date was January 1 of this year, but was pushed back to give businesses some breathing room.
And without further ado, here's the link:
http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
The checklist shows why this new law is not just about encryption. Sure, there are items that can be successfully resolved via the use of file encryption software programs like AlertBoot data security solutions.
But then, there are other aspects of the law that cannot be solved via encryption. For example, encryption can't keep your anti-malware software up to date, nor can it train your employees about data security.
So, keep that in mind--and start early: compliance will take time. And hire a lawyer or someone who can actually guide you through the process.