Friday, July 24, 2009

Massachusetts Says Encrypt It All!

A Massachusetts data-protection regulation (201 CMR 17.00) that takes effect in January 2010 reads, in summary, like this:

  • "All persons that own, license, store or maintain personal information about a resident of the Commonwealth," which presumably means any business anywhere that does business with Massachusetts residents
  • Paper as well as electronic records
  • Secure user authentication protocols
  • Secure access control measures
  • Encryption on all wireless networks linked to personal information repositories
  • Monitoring and encryption for all portable devices with personal information
  • Firewall protection for any database containing PII
  • System security software must be installed and kept up to date
  • Employee education and training are also required
It is fairly prescriptive, yet it is still open to interpretation and leaves a lot of latitude for prosecutors to go after a company they want to make an example of. If you have ever been through a PIN or SAS 70 type audit, you know how the same rules can be interpreted differently by every governing body. The bottom line is that this is going to be VERY costly for many organizations. To a degree it is not a bad thing, but it will be expensive, and it will probably be abused by law enforcement officials who do not understand how computer technologies actually work.
