On Fri, Mar 12, 2010 at 2:59 PM, David Lum <david....@nwea.org> wrote:

> Can someone clarify who this applies to?

The law applies to anyone who processes protected information of an MA
resident. Protected information is basically Social Security, bank account,
and/or credit card numbers. I'm told US Congress is encouraging all states
to adopt similar legislation.

> Does that mean if my company does business with someone in Mass that any
> personal data of theirs I have needs to be encrypted when transmitted or
> stored on my systems?

Requirements are mostly:

A1. You need to have a plan. The plan needs to address all of the following.
A2. Identification of protected information
A3. Protection against improper access internally
A4. On-the-wire encryption for transmission across a public network
A5. Encryption of all storage for portable devices

A1 can be a single page that tells all employees about this.
A2 can be as simple as having designated server folders where all this
stuff gets stored.
A3 can be NTFS ACLs.
A4 would mean things like VPN instead of open access, SSH instead of Telnet,
SSL instead of HTTP, etc.
A5 would mean whole-disk encryption for laptops, password encryption of
BlackBerry, etc. Does *not* apply to desktops.

Most of this should be stuff we're all doing already anyway. :)

-- 
Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
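Step A2 above, identification of protected information, is the one item in the list where a little tooling helps: before you can route the data into designated folders you need to find where it already sits. The following is an added example, not code from the original thread or from anyone posting in it. It is a small Python scanner that flags candidate US Social Security numbers and payment card numbers in text, using the structural rules the SSA publishes for SSNs and the Luhn check for card numbers to cut false positives. Bank account numbers have no checkable format, so the example leaves those to the designated-folder approach Ben describes. The sample text and all function names are constructed for this example.

```python
"""Scanner for two of the three data types the MA rule treats as protected
information: US Social Security numbers and payment card numbers.

Added example, not part of the original mailing-list thread. SAMPLE below is
constructed text; the function names are this example's own.
"""
import re
from dataclasses import dataclass

# SSN: 3-2-4 digits, optional single '-' or ' ' separators. The lookarounds
# keep us from matching inside a longer digit run (e.g. a card number).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")

# Card: 13 to 19 digits, optionally separated by single spaces or dashes.
# Limitation: two numbers separated only by one space can merge into a
# single candidate, which then fails the length/Luhn check; tighten the
# separator rule if your data is formatted that way.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # masked, so the scanner's own output is not protected data
    start: int   # offset in the scanned text


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA has never issued numbers against."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # area 000, 666, 900-999 never assigned
        return False
    if g == 0 or s == 0:                 # group 00 and serial 0000 never assigned
        return False
    return True


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    return "*" * (len(digits) - keep) + digits[-keep:]


def find_protected(text: str) -> list:
    """Return Findings for every SSN and card number that passes validation."""
    findings = []
    card_spans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", mask(digits), m.start()))
            card_spans.append((m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        # skip anything that sits inside a card match we already accepted
        if any(s <= m.start() < e for s, e in card_spans):
            continue
        area, group, serial = m.groups()
        if valid_ssn(area, group, serial):
            findings.append(Finding("ssn", "***-**-" + serial, m.start()))
    return sorted(findings, key=lambda f: f.start)


# Constructed sample: one real-shaped SSN, one Luhn-valid test card number,
# a phone number, and a 13-digit order number that fails Luhn.
SAMPLE = ("Customer SSN 078-05-1120, card 4111 1111 1111 1111, "
          "phone 555-123-4567, order 1234567890123 shipped.")

if __name__ == "__main__":
    for f in find_protected(SAMPLE):
        print(f"{f.kind:4} at {f.start:3}: {f.value}")
```

Point it at the contents of a file share or a mailbox export and the hits tell you which folders need the A3 ACLs and which machines need the A5 disk encryption. The Luhn filter matters in practice: without it every 13-plus-digit order or tracking number is a false positive, and the team stops reading the report.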