Chief Information Officer

Blog Feed Post

Massachusetts Says Encrypt It All!

Everyone in IT knows that much of the data crossing networks around the world is still unencrypted

Protecting personal data, like backup and disaster recovery, can be hard to get people excited about. Although the problem is plain and the solutions are widely available, it can be hard to convince business management that technologies like encryption are worth the investment. New regulations promise to change that: Massachusetts and Nevada have enacted data protection rules that require encryption of personal information in transit (and, in Massachusetts, on portable devices as well).

It's about time, too. Data losses have been all over the news for a decade, and everyone in IT knows that much of the data crossing networks around the world is still unencrypted. The situation with backup tapes is even worse: The majority of corporations still don't encrypt backup data, and most have poorly-controlled procedures for handling tapes. Every day, businesses create backup tapes containing their most critical and personal data and leave them sitting in a box for a stranger to pick up at a loading dock or reception desk.

Nevada's law, NRS 597.970, took effect Oct 1, 2008. It states the encryption requirement quite plainly:

"A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission"

The Massachusetts regulation, 201 CMR 17.00 (issued under the state's data security law, M.G.L. c. 93H), takes effect Jan 1, 2010. It is considerably broader than the Nevada statute. Among other things it covers:

  • "All persons that own, license, store or maintain personal information about a resident of the Commonwealth," which in practice means any business anywhere that holds data on Massachusetts residents
  • Paper as well as electronic records
  • Secure user authentication protocols
  • Secure access control measures
  • Encryption of personal information transmitted across public networks or wirelessly
  • Reasonable monitoring of systems for unauthorized use or access
  • Encryption of all personal information stored on laptops and other portable devices
  • Up-to-date firewall protection and operating system security patches for Internet-connected systems that hold personal information
  • Up-to-date system security agent software, including malware protection and current virus definitions
  • Employee education and training on the proper use of the security program

This kind of regulation tends to spread rapidly from state to state, and the comprehensive and detailed Massachusetts wording is the likely template for whatever comes next.

In both cases the law calls for protection of personal information, which Massachusetts defines as a resident's first name (or initial) and last name in combination with any one of a Social Security number, a driver's license or state-issued ID number, or a financial account, credit card or debit card number. Most organizations were already beginning to identify and address the problem of data leaks, but these laws demand immediate action.

What does this mean for information technology pros? If you're in Nevada or Massachusetts, the time has come to act. You must secure all personal information, as the law defines it, now. At the very least you must conduct a data classification exercise to find out where that information lives, put it behind a firewall with access controls in place, and ensure that no network transmission or tape copy leaves the premises without being encrypted first.
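The data classification step above is where most of the work is, and the Massachusetts test is specific: a record is "personal information" only when a name is combined with one of the listed identifiers. The following Python is an added example (not code from Foskett's post or from the Commonwealth) of applying that combination test to structured records. The field names, the regular expressions, the Luhn filter used to tell card numbers from other long digit strings, and the sample records are all assumptions constructed for illustration.

```python
import re

# Patterns are illustrative assumptions, not taken from the regulation; tune them to your data.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:no\.?|#|number)?\s*:?\s*\d{6,17}\b", re.I
)
DL_KEYS = {"drivers_license", "driver_license", "dl_number", "license_no"}  # assumed column names


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; separates real card numbers from order IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(record: dict) -> set:
    """Return the identifier classes present in a record's non-name fields."""
    found = set()
    for key, value in record.items():
        if key == "name":
            continue
        text = str(value)
        if key in DL_KEYS and text.strip():
            found.add("drivers_license")
        if SSN_RE.search(text):
            found.add("ssn")
        if ACCOUNT_RE.search(text):
            found.add("financial_account")
        for m in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                found.add("credit_card")
    return found


def classify(record: dict) -> dict:
    """A record is 'personal information' only when a name is combined with an identifier."""
    ids = sorted(find_identifiers(record))
    has_name = bool(str(record.get("name", "")).strip())
    return {"has_name": has_name, "identifiers": ids, "personal_information": has_name and bool(ids)}


def scan(records) -> list:
    """Classify a batch and return the indices of records that must be protected."""
    return [i for i, r in enumerate(records) if classify(r)["personal_information"]]


# Constructed sample records; none of these describe real people.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "notes": "SSN 123-45-6789 on file"},
    {"name": "", "notes": "card 4111 1111 1111 1111 expires 12/29"},   # identifier but no name
    {"name": "John Roe", "drivers_license": "S12345678", "notes": "renewal pending"},
    {"name": "Pat Smith", "notes": "order 1234567890123456 shipped"},  # 16 digits, fails Luhn
    {"name": "Ann Lee", "notes": "Account #: 9876543 closed"},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify(rec))
    print("protect:", scan(SAMPLE_RECORDS))
```

Records 0, 2 and 4 are flagged; record 1 carries a valid card number but no name, and record 3 carries a 16-digit order number that fails the Luhn check, so neither meets the definition. In practice the scanner runs over database exports, file shares and backup catalogs; if it cannot be run with confidence across all of them, the fallback the Commonwealth itself suggests below is to treat everything as personal information and encrypt it all.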

Even those outside Massachusetts and Nevada should adopt these controls. They're sensible, widely accepted, and the tools to implement them are commonly available. One might say they're best practices already, if only more information were actually protected this way.

In a recent podcast, Gerry Young, CIO, and David Murray of the Massachusetts Office of Consumer Affairs and Business Regulation laid it out: if data classification has not been performed, "organizations have the option of declaring all of their data personal information and protect it across the network." You read that right: Massachusetts says you should encrypt all data if you can't be sure where your personal information lies. Are you ready for this?

Update: Read Steve Duplessie of Enterprise Strategy Group on mandatory encryption as well.

Read the original blog entry...

More Stories By Stephen Foskett

Stephen Foskett has provided vendor-independent end user consulting on storage topics for over 10 years. He has been a storage columnist and has authored numerous articles for industry publications. Stephen is a popular presenter at industry events and recently received Microsoft’s MVP award for contributions to the enterprise storage community. As the director of consulting for Nirvanix, Foskett provides strategic consulting to assist Fortune 500 companies in developing strategies for service-based tiered and cloud storage. He holds a bachelor of science in Society/Technology Studies, from Worcester Polytechnic Institute.