Enterprise Strategy Group | Getting to the bigger truth.TM

Encryption or else – it’s about time…..

I’ve been harping on the fact that sooner or later (mostly later, unfortunately) all data is going to have to be encrypted if it’s worth anything – to anyone.

Most of us have been burned at least once by now – having our personal information stolen or lost.  It’s happened about six times to me in the last five years.

Not ones to do the right thing until a crisis occurs, the MA government has followed Nevada and enacted what is a good first step – 201 CMR 17.00 “Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts.”

Basically, it says that if you keep personal information on a MA resident, you have to encrypt it when you transmit it across a public network or wirelessly (and encrypt it on any laptop or other portable device it’s stored on). Beyond that, it doesn’t address data at rest, but it’s a start.

After the TJX fiasco and other assorted absurdities, the good folks in MA finally forced what should have been a common sense best practice.  So be it.

Interestingly, if a MA company has personal information on you and you aren’t a resident, you are out of luck apparently.   It’s written sort of oddly – it says anyone who keeps data about a MA resident has to encrypt it during transmission, but it doesn’t specifically say that the company who stores/transmits it has to be in MA. I’m no lawyer, but I think that’s unenforceable.  If a company in Rhode Island has my information, the way this law is written, that company has to encrypt my information as I’m a MA resident – but how could that be enforced?  Maybe the lawmakers in MA are planning a coup.

All in all, it’s a good start, so let’s be positive.  What the law should say is that any MA company storing/transmitting personal information of ANYONE has to encrypt it, as that would be enforceable (not to mention much more useful).  Eventually, at least in the U.S., this will have to be mandated federally.  Why is it OK for someone with my information in Kansas to leave it in clear text, and why should my company be allowed to keep your personal information in clear text just because you don’t reside in MA?

Nirvanix’s Stephen Foskett picked up a nice angle on the issue.  He notes that “transmission” can be simply moving a tape from the premises to a storage facility – if you don’t encrypt that tape, you are breaking the law.

It may be common sense, but I for one am glad that I no longer have to count on it being applied – at least on this issue.  Soon, it will be mandatory.  What’s it going to mean?  Eventually, those of us in the U.S. will almost catch up to the privacy practices of our European pals.  It will mean more process, more planning, and more complexity for a while – but the downstream positive effects will more than make up for any headache that implementing this common sense practice causes.  It also means it’s a good time to be in the encryption business.





4 Responses to “Encryption or else – it’s about time…..”

  1. Steve,
    A prominent Massachusetts company is currently wringing their hands, trying to figure out how to respond to this encryption mandate with regard to offsite tape storage. This is a huge deal, and lots of folks haven’t figured out how to deal with it yet. I’ll be covering that in another blog post (tomorrow?).
    As for enforcement, I agree it’s weird. The Massachusetts AG gets to enforce it, and I can’t see how they would go after, say, Bank of America or someone else outside the state!
    Stephen

  2. There are many possible interpretations of the new laws, Steve.
    Can an attorney successfully argue that tape is not “an electronic transmission…to a person outside of the secure system of the business”? In fact, the transportation of tape off-site is not electronic, it’s physical. The electronic transmission of the data to tape occurs before the tape leaves the facility. By the time it’s on tape, electronic transmission is no longer a factor. And if a fax – a combination of electronic and physical transmission – is permissible, then why not tape?
    Mincing words, I know, but we all know that cases are won and lost in court based on wording and semantics. Legislators will need to be more clear about that.

  3. Massachusetts’ decision highlights this critical trend that people have a need to protect more and more data.
    As we move forward, with the efforts in Massachusetts, combined with similar laws in Nevada on encryption of data at rest, on disclosure in California, and movement at the federal level with the recent HITECH Act that has given HIPAA some real teeth, a good way to look at this is by focusing on data in use.
    Data only really needs to be in an unencrypted form while in use, and should be encrypted everywhere else.

  4. I agree that this is a good first step. However, it shows the backward thinking and application by government. The lawmakers appear to be very brick-and-mortar centric, e.g. if a local bank is transmitting data, it must be encrypted.
    Ten years ago, identity theft was a rare occurrence and a nightmare to unravel. Yes, it’s still a nightmare for anybody victimized, but now the public awareness and cost-of-business has changed the game: companies must reduce losses and the public (hopefully) is choosing service providers more wisely.
    The business and technology communities will respond much faster and better than the government ever will. The well intentioned, but poorly written, MA law is a perfect case in point.

