Now I have two things which I really like about Massachusetts – The Friendly Toast in Cambridge (mmm… Caribbean waffles) and their new data protection law. As of March 1, any organization which holds personally identifiable information (PII) about residents of the Commonwealth must attest that they have a written information security plan designed to protect that information. And that PII must be encrypted both when it travels over the wire and when it is stored in systems. Penalties for violation are quite hefty – $5,000 per violation and per record lost.
The law also requires businesses handling MA residents’ PII to take a number of steps that they should already be doing – having someone responsible for the infosec program, identifying risks, training personnel, preventing terminated employees from accessing the PII, secure authentication and the like. You can read the entire text of the law here…
It is about time and I hope that other states (and the federal government – call me a socialist) follow Massachusetts’ lead. Requiring businesses to take some very basic and inexpensive steps to protect our information from unauthorized access is quite reasonable. It seems to me that complying with the encryption requirements can be accomplished via an SSL cert, laptop encryption software (such as BitLocker, included with Windows 7, or FileVault on Macs), and use of database encryption features; these are just common sense, as is having an information security plan.