March 1 is days away. If you do business with people from Massachusetts, the month might arrive like a lion -- and not because of another Nor'easter. March 1 is the compliance deadline for a new state law that requires companies to encrypt sensitive personal information about Commonwealth residents that is stored on laptops or any portable storage devices. Such information must also be encrypted when it is transmitted over wireless or public networks.
As Jaikumar Vijayan wrote in a Computerworld article:
Companies are required to take reasonable measures to control end-user access to sensitive data and to protect authentication information that can be used to gain access to the data. Businesses will also need to limit the amount of personal data they collect and must maintain an inventory of the information, monitor its usage and have a formal security plan for protecting the data.
As it stands, businesses only have to take "reasonable steps" to verify that their third-party service providers have the ability to protect personal information via measures that are comparable to those prescribed by the [Office of Consumer Affairs and Business Regulation]. Companies have until March 2012 to include language in their third-party contracts obligating their vendors to employ reasonable measures for protecting personal information.
In a webinar today hosted by Cellcrypt, MacDonnell Ulsch, CEO and chief risk analyst for ZeroPoint Risk Research, pointed out that the new law also covers smartphones. He said:
If you have a BlackBerry, for example, and it's used to convey in any way privileged information that falls under this statute, you are obligated to encrypt that device.
Enforcing the law, however, will be a challenge, and companies will bear the burden of proof to show that they are in compliance. Ulsch said:
This is basically a statute that says in the event you are compromised, you must then show that you provided the appropriate levels of due care and meet all the requirements.
Difficulties will lie, he added, in areas where third parties are involved and in technology concepts like cloud computing. A cloud architecture can include private, public and hybrid clouds whose workloads get farmed out to multiple enterprises around the world. Will it be possible, he asked, to enforce those privacy regulations on companies that might not even know they are participating in that cloud architecture?
It will be interesting to follow this new law, which is good in theory, to see how it works in real life.