I recently wrote about Arizona’s new law concerning encryption of personal data. Several states are enacting similar legislation, and encrypting such data is becoming a de facto national policy. Most recently, Massachusetts issued new regulations on the same subject last month, and that state’s laws will take effect on January 1, 2009.
The Massachusetts legislation, known as the Standards for the Protection of Personal Information of Residents of the Commonwealth, is very far-reaching and is considered the strictest set of regulations to date. The new law adds to Massachusetts’ already stringent security regulations by requiring that all portable personal data about any Massachusetts resident be encrypted. This applies to data transmitted over public networks and to data stored on a laptop or on any type of removable memory device. The law also mandates other security procedures, including updated user authentication and authorization.
There is a technical difference between the Nevada and Massachusetts statutes in how encryption is defined. The Nevada law defines “encryption” as the use of a protective or disruptive measure, including cryptography, enciphering, encoding, or a computer contaminant, to render data unintelligible. The Massachusetts statute is more specific, stating that “encryption” is an algorithmic process that requires a confidential process or key to decode. Some have argued that because the Nevada law does not use the word “algorithmic,” password protection is adequate to adhere to the letter of that law.
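The distinction drawn above, between a password gate and an algorithmic process that needs a key to decode, is easy to see in code. The following is an added Python example, not part of the original post or of either statute: it uses only the standard library, so a small HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands in for a standard cipher such as AES-GCM (which is what a real deployment would use through a vetted library); the record and passphrase are constructed sample values. The point it makes is that a “password-protected” store still holds the personal data in the clear at rest, while the encrypted store does not.

```python
import hashlib
import hmac
import os

# Constructed sample record; not real personal data.
SAMPLE_RECORD = b"name=Jane Doe;ssn=000-00-0000;dob=1970-01-01"


def _derive(password: str, salt: bytes, length: int) -> bytes:
    """Derive key material from a passphrase with PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=length)


def password_gate_store(plaintext: bytes, password: str) -> dict:
    """'Password protection': the data itself is stored in the clear.
    Only a password check stands between a reader and the bytes."""
    salt = os.urandom(16)
    return {"salt": salt, "check": _derive(password, salt, 32), "data": plaintext}


def password_gate_open(record: dict, password: str):
    """Return the data if the passphrase matches, else None. The check is
    bypassed by anyone who simply reads record['data'] from the disk image."""
    if hmac.compare_digest(record["check"], _derive(password, record["salt"], 32)):
        return record["data"]
    return None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a standard cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(plaintext: bytes, password: str) -> dict:
    """Encryption in the Massachusetts sense: an algorithmic transformation
    that cannot be undone without the key. Encrypt-then-MAC."""
    salt, nonce = os.urandom(16), os.urandom(16)
    material = _derive(password, salt, 64)
    enc_key, mac_key = material[:32], material[32:]
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def decrypt(record: dict, password: str) -> bytes:
    """Recover the plaintext; raise ValueError on a wrong key or altered ciphertext."""
    material = _derive(password, record["salt"], 64)
    enc_key, mac_key = material[:32], material[32:]
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong key or corrupted ciphertext")
    stream = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], stream))


def plaintext_visible_at_rest(record: dict, needle: bytes) -> bool:
    """Does any stored field still contain the sensitive bytes? This is the
    question to ask of a lost laptop or USB stick."""
    return any(isinstance(v, bytes) and needle in v for v in record.values())


if __name__ == "__main__":
    gated = password_gate_store(SAMPLE_RECORD, "sample-passphrase")
    sealed = encrypt(SAMPLE_RECORD, "sample-passphrase")
    print("password gate leaves SSN readable:", plaintext_visible_at_rest(gated, b"000-00-0000"))
    print("encryption leaves SSN readable:", plaintext_visible_at_rest(sealed, b"000-00-0000"))
    print("decrypt with right key:", decrypt(sealed, "sample-passphrase") == SAMPLE_RECORD)
```

Run as a script, the gated store reports the SSN as readable and the encrypted store does not; a wrong passphrase or a flipped ciphertext byte makes `decrypt` raise rather than return garbage, which is the property the tag provides.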
The laws also differ in scope. Nevada’s law focuses on the electronic transmission of data, while Massachusetts’ also covers portability. Accordingly, if you hold data on a Massachusetts resident on your hard drive, you must encrypt that data even if you never send it via email or over the Internet.