Summarizing what you quoted, "any storage containing personal data of a Mass. resident which could be intercepted or lost must be encrypted. Presumably one wouldn't lose one's data center so data center storage is exempted. Carl _____
From: David Lum [mailto:[email protected]] Sent: Friday, March 12, 2010 2:59 PM To: NT System Admin Issues Subject: Massachusetts law about encryption Can someone clarify who this applies to? "persons who own or license personal information about a resident of the Commonwealth of Massachusetts" defined as: Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof. Because those people, as of two days ago are to perform "Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly" AND "[e]ncryption of all personal information stored on laptops or other portable devices . . http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf?mtcCampaign=-1 <http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf?mtcCampaign=-1&mtcE mail=13086283> &mtcEmail=13086283 Does that mean if my company does business with someone in Mass that any personal data of theirs I have needs to be encrypted when transmitted or stored on my systems? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
