Massachusetts encryption law even stricter than Nevada’s

I recently wrote about Arizona’s new law concerning encryption of personal data. Several states are enacting similar legislation, and encrypting such data is becoming a de facto national policy. Most recently, Massachusetts issued new regulations on the same subject last month, and that state’s laws will take effect on January 1, 2009.

The Massachusetts legislation, known as the Standards for the Protection of Personal Information of Residents of the Commonwealth, is very far-reaching and is considered the strictest set of regulations to date. The new law adds to Massachusetts’ already stringent security regulations by requiring all portable personal data about any Massachusetts resident to be encrypted. This applies to data transmitted over public networks and to data stored on a laptop or on any type of removable memory device. The law also mandates other security procedures, including updated user authentication and authorization.

There is a technical difference between Nevada’s and Massachusetts’ statutes in how encryption is defined. For the Nevada law, “encryption” is defined as the use of a protective or disruptive measure, including cryptography, enciphering, encoding, or a computer contaminant, to render data unintelligible. The Massachusetts statute is more specific, stating that “encryption” is an algorithmic process that requires a confidential process or key to decode. Some have argued that since the Nevada law does not use the word “algorithmic,” password protection is adequate to adhere to the letter of the law.
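The distinction between the two definitions is easy to see in code. The following is an added example, not part of the original post, and it does not represent either statute’s official interpretation. It contrasts a “password-protected” container, which merely gates access by checking a password hash while storing the record untouched, with a container produced by an algorithmic process keyed on a secret, which renders the bytes unintelligible without that key. The cipher here is a didactic HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, built only from the standard library so the example runs anywhere; a real deployment would use an authenticated cipher such as AES-GCM from a vetted library. The sample record is constructed.

```python
"""Access-control "password protection" versus key-based encryption.

Added example (not from the original post). Standard library only; the
cipher is a didactic HMAC-SHA256 counter-mode keystream standing in for
AES-GCM from a vetted library.
"""
import hashlib
import hmac
import os

# Constructed sample record; the values are made up.
SAMPLE_RECORD = b"name=Jane Doe;state_id=S00000000;dob=1970-01-01"

_PBKDF2_ROUNDS = 200_000


def password_protect(data: bytes, password: str) -> bytes:
    """'Password protection' as an access check only.

    Stores a salted PBKDF2 hash of the password next to the data. The
    data itself is not transformed, so it is still readable on disk."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return salt + digest + data


def open_password_protected(blob: bytes, password: str) -> bytes:
    """Return the data only if the password matches the stored hash."""
    salt, digest, data = blob[:16], blob[16:48], blob[48:]
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    if not hmac.compare_digest(check, digest):
        raise PermissionError("wrong password")
    return data


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes) -> bytes:
    """Algorithmic transformation under a confidential key (encrypt-then-MAC).

    Output layout: 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(blob: bytes, key: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; wrong key -> ValueError."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def plaintext_visible(blob: bytes, plaintext: bytes) -> bool:
    """Does the stored container still contain the record verbatim?

    This is the practical test of whether a measure rendered the data
    unintelligible, as opposed to merely controlling who may open it."""
    return plaintext in blob


if __name__ == "__main__":
    guarded = password_protect(SAMPLE_RECORD, "correct horse")
    sealed = encrypt(SAMPLE_RECORD, os.urandom(32))
    print("password-protected container leaks record:", plaintext_visible(guarded, SAMPLE_RECORD))
    print("encrypted container leaks record:", plaintext_visible(sealed, SAMPLE_RECORD))
```

The password-protected container passes its own access check and still exposes every byte of the record to anyone who reads the file directly; the encrypted container does not, and it also rejects a wrong key outright because the tag no longer verifies.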

Also, the laws differ in scope. Nevada’s law focuses on the electronic transmission of data, while Massachusetts also includes portability. Accordingly, if you have data on a resident of Massachusetts on your hard drive, even if you do not send it via email or over the Internet, you still must encrypt that data.

Written by Dan Blacharski

The corporate world unceremoniously booted Dan Blacharski out of his cubicle over 15 years ago, and he’s never looked back. Since that time, he has been a full-time professional freelance writer, public relations consultant and analyst, and has published six books and thousands of articles. He divides his time between South Bend, Indiana and Bangkok, and married the renowned Thai writer Charoenkwan Prakthong in 2005. He and his wife enjoy traveling the world, and spending time with their Boston Terrier, Pladook.

3 Comments

  1. Keith McPhail · November 9, 2008

    Dan, do you have some thoughts as to why it has taken these States to be proactive in this area to force encryption of data?

    How do you think that the mobile device vendors are going to make this happen? Especially in the timeframe that MA is talking about (1/2009)?

    thanks,

    Keith

  2. Dan Blacharski · November 19, 2008

    Regrettably, it often takes either (1) legislation or (2) an earth-shattering event to shake us out of our complacency. And now with mobile computing on the rise, the need for encryption is going to become more evident. Mobile device vendors are going to have to get on the stick here. Some laptop vendors have already risen to the challenge with built-in encryption (Dell, Lenovo, etc.), but the purveyors of smartphones like the iPhone, BlackBerry and Android phones haven’t gotten with the program. On the iPhone, for example, it’s possible for third parties to create applications to encrypt individual applications, but not the entire device, and that’s a serious liability for Apple and a big reason the iPhone can’t be a serious competitor outside of the consumer market. Short answer: mobile device vendors won’t make it happen by January 2009, but eventually they will have to if they want to survive.

  3. MobileAdmin · February 9, 2009

    I support an F100 with over 3,000 mobile devices (BlackBerry, Windows Mobile and yes, some iPhone).

    BlackBerry is covered, as BES includes the functionality to enforce encryption for both the device AND removable media.

    Windows Mobile via ActiveSync in Exchange 2007 has the ability to encrypt. For removable media you need to have Mobile Device Manager 2008.

    iPhone has nothing and I’ve checked with every major encryption vendor on the market. Apple will not release the API and this will be impossible to meet for 2010. Thus we are removing support for iPhone likely prior to the date so we will be compliant.
