Covered in this post:
- Compliance date of March 1, 2010 for Mass. Data Privacy Law
- What's it going to cost?
- How AlertBoot encryption can help
- Penalties: $5,000 per violation
If you do business in Massachusetts, you know by now that your company will have to abide by the "Massachusetts Encryption Laws." While the rules comprise more than the encryption of personal data, it's expected that a lot of the costs of compliance will be centered around encryption. Compliance is required on or before March 1, 2010.

The following two URLs at http://www.mass.gov/ show the actual legal text (quite readable, considering) and a FAQ for the layperson. As a layperson myself, I'd recommend reading the FAQ first. It just makes things easier, not to mention it covers most aspects of what an organization--be it small, medium, big, or Fortune 500--is supposed to do to become compliant.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

Some highlights of the law:
- Laptops with sensitive information must be encrypted (per the FAQ).
- Other portable devices with sensitive data must also be encrypted if technically feasible.
- Password protection is not an acceptable substitute for encryption.
- The regulations apply to anyone and everyone that "collects and retains personal information in connection with the provision of goods and services or for the purposes of employment," including lawyers, hospitals, etc.
- About the only exclusions are individuals (you won't have to encrypt your family's data on your home computer, for example) and government agencies, including municipalities.
In March 2009 I found an on-line document from OCABR (Office of Consumer Affairs and Business Regulation) that listed a hypothetical cost based on the following assumptions:
- 10-employee business
- 3 laptops
- 1 network server, serving 7 desktops
- Network consultant already employed (having such a mix of computers usually means there is one being employed by the business)

The upfront cost was expected at $3,000, with $500 a month for ongoing technical support.

I had blogged about the issue here, but sadly the link to the original OCABR page is dead.

My guess is that once the amended law was announced back in November 2009, they decided their calculations may not be up-to-date anymore. I'd expect, however, that the price wouldn't veer too far from the above.
AlertBoot can get you up and running--right now, even if it's 2 AM where you live--when it comes to laptop encryption, portable hard disk encryption, and file encryption. And it won't cost you $2,000 upfront to protect 10 computers.
- Centrally managed, so you won't have to deal with key management issues.
- Pay month-to-month. No annual or minimum license fees.
- Strong, safe AES-256 encryption.
- Easy setup. (See this YouTube video to see how easy and fast it is.)
- No delays. You can get started straight away by visiting our subscription / signup page.

If you'd like to learn more about AlertBoot, please visit our product tour page.
Under the law (MGL, Ch93A.4), the Attorney General of Massachusetts has the ability to seek injunctive relief against any organizations that are in violation of MA 201 CMR 17. What this means is that the AG can ask for a court-order to stop an organization from being in violation of the law.
I'd say that's essentially a roundabout way of stating that you'll have to encrypt your laptops, install any firewalls, get yourself a locking file cabinet, etc.--whatever's necessary to be in compliance with the law. Not so bad, considering that a business had to do it to begin with.
However, the same law also authorizes the courts to impose a maximum $5,000 civil penalty for each violation. It's been pointed out that the language is quite nebulous: is losing a laptop computer with a database of 1,000 names one violation or 1,000 violations?
Depending on the interpretation, it could mean a maximum fine of $5,000 or $5 million.
I've covered other potential penalties here.