Protecting personal data, like backup and disaster recovery, can be hard to get people excited about. Although we see the problem plainly and solutions are widely available, it can be hard to convince business management that technologies like encryption are worth the investment. But new regulations promise to change all that: Massachusetts and Nevada have enacted data protection laws that require encryption of personal information in transit.
See my follow-up article, How to Comply with Data Encryption Laws
It's about time, too. Data losses have been all over the news for a decade, and everyone in IT knows that much of the data crossing networks around the world is still unencrypted. The situation with backup tapes is even worse: The majority of corporations still don't encrypt backup data, and most have poorly-controlled procedures for handling tapes. Every day, businesses create backup tapes containing their most critical and personal data and leave them sitting in a box for a stranger to pick up at a loading dock or reception desk.
Nevada's law, NRS 597.970, took effect Oct 1, 2008. It states the encryption requirement quite plainly:
"A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission"
The Massachusetts law, 201 CMR 17.00, takes effect Jan 1, 2010. It's even more restrictive than the Nevada statute, including the following:
- "All persons that own, license, store or maintain personal information about a resident of the Commonwealth," which presumably means any business anywhere that does business with Massachusetts residents
- Paper as well as electronic records
- Secure user authentication protocols
- Secure access control measures
- Encryption on all wireless networks linked to personal information repositories
- Monitoring and encryption for all portable devices with personal information
- Firewall protection for any database containing PII
- System security software must be installed and kept up to date
- Education and training are also required
This kind of regulation tends to spread rapidly from state to state, and it is likely that the comprehensive and detailed Massachusetts wording will be the template used.
In both cases, the law calls for protection of personal information, which Massachusetts clarifies to include a person's name in combination with a social security number, driver's license number, financial account number, credit card number and related information. Most organizations were already beginning to identify and address the problem of data leaks, but these laws demand immediate action.
What does this mean for information technology pros? If you're in Nevada or Massachusetts, the time has come to act. You must immediately secure all personal information, as defined by law. At the very least you must conduct a data classification exercise and ensure that such information is protected by a firewall, that access controls are in place, and that no network transmission or tape copy leaves the premises without being encrypted first.
Even those outside Massachusetts and Nevada should adopt these controls. They're sensible, widely accepted, and appropriate tools are commonly available. One might say they're best practices already, if only more information were protected in this way!
In a recent podcast, Gerry Young, CIO, and David Murray of the Massachusetts Office of Consumer Affairs and Business Regulation laid it out: If data classification has not been performed, "organizations have the option of declaring all of their data personal information and protect it across the network." You read that right: Massachusetts says you should encrypt all data if you can't be sure where your personal information lies! Are you ready for this?
Update: Read Enterprise Strategy Group's Steve Duplessie's and the Data Mobility group's takes on mandatory encryption as well.