AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Massachusetts Data Protection & Privacy Law - 201 CMR 17.00 / Massachusetts General Law, Chapter 93A

Covered in this post:

  • Compliance date of March 1, 2010 for Mass. Data Privacy Law
  • What's it going to cost?
  • How AlertBoot encryption can help
  • Penalties: $5,000 per violation

Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00

If you do business in Massachusetts, you know by now that your company will have to abide by the "Massachusetts Encryption Laws."  While the rules comprise a good deal more than the encryption of personal data, it's expected that a lot of the costs of compliance will be centered around encryption.  Compliance is required on or before March 1, 2010.

The following two URLs on http://www.mass.gov/ lead to the actual legal text (quite readable, considering) and a FAQ for the layperson.  As a layperson myself, I'd recommend reading the FAQ first.  It just makes things easier, not to mention that it covers most of what an organization--be it small, medium, big, or Fortune 500--is supposed to do to become compliant.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

Some highlights to the law:

  • Laptops with sensitive information must be encrypted (per the FAQ).

  • Other portable devices with sensitive data must also be encrypted if technically feasible.

  • Password-protection is not an acceptable substitute for encryption.  A login password only gates the operating system; the data on the disk stays in plaintext and can be read by moving the drive to another machine or booting the laptop from a CD or USB drive.

  • The regulations apply to anyone and everyone that "collects and retains personal information in connection with the provision of goods and services or for the purposes of employment," including lawyers, hospitals, etc.  About the only exclusions are individuals (you won't have to encrypt your family's data on your home computer, for example) and government agencies, including municipalities.

What's Compliance Going to Cost?

In March 2009 I found an on-line document from OCABR (Office of Consumer Affairs and Business Regulation) that listed a hypothetical cost based on the following assumptions:

  • 10-employee business
  • 3 laptops
  • 1 network server, serving 7 desktops
  • Network consultant already on hand (a business with such a mix of computers usually has one)

The upfront cost was expected at $3,000 with $500 a month for on-going technical support.

I had blogged about the issue here but sadly the link to the original OCABR page is dead.

My guess is that once the amended regulations were announced back in November 2009, they decided their calculations might no longer be up to date.  I'd expect, however, that the price wouldn't veer too far from the above.

How AlertBoot Can Help

AlertBoot can get you up and running right now, even if it's 2 AM where you live, with laptop encryption, portable hard disk encryption, and file encryption.  And it won't cost you $2,000 upfront to protect 10 computers.

  • Centrally managed, so you won't have to deal with key management issues.
  • Pay month-to-month.  No annual or minimum license fees.
  • Strong, safe AES-256 encryption.
  • Easy setup. (See this YouTube video to see how easy and fast it is.)
  • No delays.  You can get started straight away by visiting our subscription / signup page.

If you'd like to learn more about AlertBoot, please visit our product tour page.

$5,000 Per Violation: MA 201 CMR 17.00 Penalties For Non-Compliance

Under the law (M.G.L. c. 93A, § 4), the Attorney General of Massachusetts has the ability to seek injunctive relief against any organization that is in violation of MA 201 CMR 17.  What this means is that the AG can ask for a court order to stop an organization from being in violation of the law.

I'd say that's essentially a roundabout way of stating that you'll have to encrypt your laptops, install firewalls, get yourself a locking file cabinet, etc.--whatever's necessary to be in compliance with the law.  Not so bad, considering that a business had to do it to begin with.

However, the same law also authorizes the courts to impose a civil penalty of up to $5,000 for each violation.  It's been pointed out that the language is quite nebulous: is losing a laptop computer with a database of 1,000 names one violation or 1,000 violations?

Depending on the interpretation, it could mean a maximum fine of $5,000 or $5 million.

I've covered other potential penalties here.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.