Tuesday, March 23, 2010

New Data Security Legislation for the Commonwealth

As of March 1, 2010, Massachusetts residents like me now have more protection and safety for their personal information. So what exactly changed?

Businesses in Massachusetts that collect personal information, such as Social Security numbers or bank or credit card account numbers, now have to apply new levels of data protection. The new law applies specifically to encryption of information stored on any backup platform, even tape. Data is now required to be encrypted if it is moved or copied, or if it is on a mobile device like a laptop or a thumb drive. Companies are now truly responsible for protecting and encrypting personal consumer information.

My guess is that this new change to the law, “201 CMR 17.00”, is a direct response by the legislature to the huge theft of customer credit information that occurred in 2007 at Massachusetts retailing giant TJX. Additionally, not just companies that collect consumer information but everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard that information.

Here is an excerpt from the press release:

“Consumers should feel confident that their personal information is protected, and not exposed to loss or theft,” said Governor Deval Patrick. “These regulations improve the safety of personal information, while giving businesses the flexibility to secure that information without undue burden.”

“In two years, over one million pieces of information belonging to Massachusetts residents were lost or stolen, creating stress, worry and financial inconveniences for consumers,” said Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation. “The rules taking effect March 1 will make it less likely that personal information is exposed, and create another layer of protection for consumers.”

In reality, the new requirements don’t seem terribly onerous for businesses, even small businesses with limited technical resources, given some of the off-the-shelf encryption tools or backup solutions that have encryption built in.

Karl Dias

Remote Data Vault