The state of Massachusetts has passed a new law that goes into effect May 1, 2009, that requires businesses that “own, license, store, or maintain personal information” on customers to encrypt that data, especially on portable devices such as laptops. That responsibility is extended from the primary business to contractors, such as telemarketing firms, and it extends to transmissions on wireless devices such as BlackBerries.
This law is more comprehensive than most other laws currently on the books. The law takes the view that companies have wide leeway to collect data—such as Social Security numbers, driver’s licenses and financial account numbers—as long as they don’t cause overt harm to the consumers. The Massachusetts law is reflective of European law, which places more restrictions on data collection. The legislation is similar to HIPAA rules that govern the way medical information is protected. The Massachusetts law extends its encryption mandate to portable devices including flash drives, CDs, and cell phones. The problem is that encryption technology is not available for all of these devices.
Even businesses that have no facilities or personnel in Massachusetts should anticipate being subject to this new regulation if they maintain any personal information on a Massachusetts resident.
Firms that operate in the state, or with businesses in the state, are now required to designate an employee to maintain a security program. That worker must identify all paper and electronic records that contain personal information, and the devices that house that data. The security program has to include processes for granting and withdrawing employee access to sensitive information, developing authentication processes, assigning passwords, maintaining firewalls and malware protections, training employees, and creating discipline procedures for employees who violate the security rules.
Nevada also has a law that took effect January 1 that requires encryption of any personal information that leaves the computers of the original collector and passes electronically to another entity. But that law does not address laptops and portable devices.