Computerworld details continuing controversy over a Massachusetts data-protection law designed to safeguard individual privacy:
After more than a year of delay and several modifications, a contentious Massachusetts data protection regulation appears set to go into effect March 1.
The law is aimed at getting companies to better protect consumer data. It affects all businesses that store personal information on Massachusetts residents, regardless of where the companies might be based.
The rules (see PDF) require businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. Any personal information that is transmitted over a public or wireless network will also need to be encrypted.
Companies are required to take reasonable measures to control end-user access to sensitive data and to protect authentication information that can be used to gain access to the data. Businesses will also need to limit the amount of personal data they collect and must maintain an inventory of the information, monitor its usage and have a formal security plan for protecting the data. The rules were crafted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) and were originally supposed to go into effect Jan. 1, 2009. […]
One remaining area of concern pertains to the encryption requirement for mobile devices. Many companies are struggling to figure out how to efficiently encrypt data that’s stored on mobile devices such as BlackBerries and other smartphones, [Boston attorney Deborah Birnbach] said. Some companies are also struggling to ensure that personal data stored on backup storage media is encrypted, she said.