Massachusetts made public the final updates to its so-called encryption laws in November 2009. Laptops have to be protected with encryption software like AlertBoot if they contain sensitive information, but the legal language was changed so that other portable items, including data tapes, won't require full disk encryption by default.
However, you may be better off with encryption, based on what I'm reading. What am I reading?
The FAQ (link at the bottom) is written in very easy-to-understand language, so I highly recommend giving it a glance. Among other things, it poses this question: "Must I encrypt my backup tapes?" and gives this answer:
"You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards." [my emphases]
Compliance deadlines for 201 CMR 17.00 are set for March 1, 2010 or earlier, although this information is missing from the FAQ.
Listen, I don't know about you, but the last time I checked, hiring an armored car with guards is not exactly cheap.
And, how easy is it to hire one? I mean, if you have to hire such a vehicle to transport the tape to storage, it means you'll have to hire another one to transport the tape from storage. Does it take a day to get an armored truck? Twelve hours? Do you have that time to spare? One only really reaches for a stored backup tape when it's an emergency, so I figure that any delays that are introduced are not exactly smiled upon....
Here's my guess: unencrypted tapes will not be transported via armored cars. And then, something will happen.
Encrypting tapes is a real problem. There are those that are designed to be encrypted, and there are others that cannot be--it's the nature of their design. And, this latest round of updates and corrections in the law (note the introduction of "technically feasible") is meant to accommodate such shortcomings and differences in technology (not limited just to tapes, obviously).
This does not exempt companies from having adequate security for sensitive data, though. For those whose backup tapes can be encrypted--great! For those who cannot, it means finding some kind of method of keeping their backup tapes secure. Like an armored vehicle.
Or, perhaps, even though it's going to be a hassle, the answer lies not in tape encryption per se, but in using file encryption software. In other words, create your backup files; encrypt these (one-by-one or as a batch into one big encrypted file); and save that to a backup tape. This way, any sensitive data on a backup tape is encrypted even if the tape itself isn't.
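The create, encrypt, then save-to-tape sequence described above, as an added shell example that is not part of the original post. It assumes the OpenSSL command-line tool and tar are available; the directory, key file and tape device names are placeholders.

```shell
#!/bin/sh
# Added example. Paths, key file and tape device are placeholders.

# encrypt_backup SRC_DIR KEY_FILE OUT_FILE
# Streams a tar of SRC_DIR straight into openssl, so the plaintext archive
# never lands on disk. The passphrase comes from KEY_FILE (first line), not
# from the command line, where it would show up in the process list.
encrypt_backup() {
    src=$1; key=$2; out=$3
    umask 077
    tar -C "$src" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$key" -out "$out" || return 1
    # CBC from "openssl enc" is unauthenticated: this digest catches media
    # corruption, not tampering. Keep it somewhere other than the tape.
    openssl dgst -sha256 -r "$out" | cut -d' ' -f1 > "$out.sha256"
}

# verify_backup KEY_FILE ENC_FILE
# Succeeds only if the digest matches and the decrypted stream lists at
# least one tar entry (a wrong key yields garbage that tar rejects).
verify_backup() {
    key=$1; enc=$2
    want=$(cat "$enc.sha256") || return 1
    got=$(openssl dgst -sha256 -r "$enc" | cut -d' ' -f1)
    [ "$want" = "$got" ] || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$key" -in "$enc" 2>/dev/null |
        tar -tf - 2>/dev/null | grep -c . >/dev/null
}

# backup_to_tape SRC_DIR KEY_FILE WORK_FILE TAPE_DEV
# Writes to the tape only after the encrypted file has passed verification.
backup_to_tape() {
    encrypt_backup "$1" "$2" "$3" || return 1
    verify_backup "$2" "$3" || { echo "verify failed, nothing written" >&2; return 1; }
    dd if="$3" of="$4" bs=64k 2>/dev/null
}

# Typical call (placeholder names):
# backup_to_tape /srv/export /root/backup.key /var/tmp/backup.enc /dev/nst0
```

The key file has to travel and be stored separately from the tape; a tape shipped together with its passphrase is no better protected than an unencrypted one.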
There is still the issue of a time delay--encrypting and decrypting data takes time--but I get the feeling that things will be easier than hiring physical security. Plus, can you imagine hiring an entire armored truck to transport a couple of tapes? It'd be like using a suitcase to carry one hundred grand in $100 bills. Anyone who's seen Dodgeball with Ben Stiller knows what I'm talking about.
Related Articles and Sites: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf