The Cost Of Doing Business In Massachusetts Just Got More Expensive (And That’s Not Really A Bad Thing)
- Date: 19 February 2010
- Author: broyer
- Category: Services
Every national retailer has customer credit cards on file, including yours, and what they most fear is someone stealing that information. National retailer TJ Maxx (TJX) was breached, exposing at least 47 million credit card numbers. On March 1, 2010 the fallout from that breach comes full circle when MASS 201 CMR 17 takes effect. Make no mistake: that is cause and effect, and this is groundbreaking regulation. It is widely described as the first state rule to spell out specific safeguards for personal information held in both paper and electronic records, including mandatory encryption of that information when it is transmitted over public networks or stored on laptops and other portable devices. "Personal information" here means a Massachusetts resident's name combined with a Social Security number, driver's license number, or financial account or card number. If you own or license any such data about a Massachusetts resident, regardless of the size of your business or where you are located, you must comply.
So, what does this mean for your business? That depends, but the single thread that runs through this regulation, data encryption, is only a real problem if you are still relying on physical tape for backup and storage. Consider:
- The regulation requires, to the extent technically feasible, that personal information on portable media be encrypted, and a backup tape that leaves your building is exactly that. In practice the data has to be encrypted before the tape is written. If you currently use tape-based storage you will likely need either backup software that encrypts the stream or an intermediary encryption appliance between the data source and the storage device (e.g. the tape library) in order to meet the letter and spirit of the regulation. If you don't already own one, prepare to pony up.
- Data never really ages, and you may be asked to produce it on demand a month or ten years from now. Chances are, particularly if you are in a regulated industry, an auditor will ask you to produce specific data that your appliance encrypted years earlier. Even if that appliance can be located, will it still be able to read that data so far down the road? Unless the encryption format is documented and the keys are escrowed somewhere other than the appliance itself, an encrypted tape is only as durable as the box that wrote it.
- Trust but verify. Hackers aside, what happens to your tapes before they reach the point of encryption? How are they stored? Who has access to them? Are all your employees loyal and trustworthy? Pilfering a single unencrypted tape can cause significant corporate damage, the kind that ends in class-action lawsuits.
- Reputation is everything. How long could your organization survive if your customers' data were compromised? Do you really have enough goodwill in reserve to weather the accusations and second-guessing?
- Non-compliance draws significant penalties. Under current enforcement statutes, businesses found out of compliance are subject to a civil penalty of $5,000 per violation. That is admittedly a far cry from the $2.5M judgment against TJX, but multiple $5,000 violations could be the difference between your business surviving and going the way of the dot-coms.
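The second and third points above come down to one practical question: can the data on a tape be decrypted years later, by someone other than the appliance that wrote it, and can tampering be detected? The following is an added example, not code from the original post or from any backup product it refers to. It shows a minimal self-describing encrypted backup container in Go using AES-256-GCM from the standard library: the on-tape layout (magic string, 8-byte key fingerprint, 12-byte nonce, ciphertext plus authentication tag), the fingerprint derivation, and the "escrow" map of key ID to key are all hypothetical choices made for this illustration. Because the format is documented in the code and the header names the key it needs, a future operator with the escrowed key can recover the data without the original hardware, and any modification of the tape fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical container layout, written down so any future tool can parse it:
//   magic "BKP1" | key fingerprint[8] | nonce[12] | AES-256-GCM ciphertext+tag
// The header is passed to GCM as associated data, so it is authenticated too.
const (
	magic     = "BKP1"
	fpLen     = 8
	nonceLen  = 12
	headerLen = len(magic) + fpLen + nonceLen
)

// keyFingerprint derives a short, stable identifier from the key so a tape
// manifest can say which key it needs without revealing the key itself.
func keyFingerprint(key []byte) []byte {
	h := sha256.Sum256(append([]byte("backup-key-id:"), key...))
	return h[:fpLen]
}

// KeyID is the hex form of the fingerprint, used as the escrow map key.
func KeyID(key []byte) string {
	return hex.EncodeToString(keyFingerprint(key))
}

// Seal encrypts one backup payload under a 32-byte AES-256 key and returns
// the complete container (header + ciphertext + tag).
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per container
		return nil, err
	}
	header := append([]byte(magic), keyFingerprint(key)...)
	header = append(header, nonce...)
	ct := gcm.Seal(nil, nonce, plaintext, header)
	return append(header, ct...), nil
}

// Open parses a container, looks up the key named in its header in the
// escrow (key ID -> key), and decrypts. Any tampering with header or body
// makes gcm.Open fail.
func Open(escrow map[string][]byte, container []byte) ([]byte, error) {
	if len(container) < headerLen {
		return nil, errors.New("container too short")
	}
	if string(container[:len(magic)]) != magic {
		return nil, errors.New("unknown container format")
	}
	id := hex.EncodeToString(container[len(magic) : len(magic)+fpLen])
	nonce := container[len(magic)+fpLen : headerLen]
	key, ok := escrow[id]
	if !ok {
		return nil, fmt.Errorf("no key with id %s in escrow", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, container[headerLen:], container[:headerLen])
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	// Constructed sample payload standing in for a tape image.
	payload := []byte("constructed backup payload: customer records 2010-02-19")
	tape, _ := Seal(key, payload)
	escrow := map[string][]byte{KeyID(key): key} // what the key manifest holds
	fmt.Printf("tape needs key %s (%d bytes on tape)\n", KeyID(key), len(tape))
	out, err := Open(escrow, tape)
	fmt.Println("restore ok:", err == nil && string(out) == string(payload))
	tape[len(tape)-1] ^= 1 // flip one bit of the tape
	_, err = Open(escrow, tape)
	fmt.Println("tampered tape rejected:", err != nil)
}
```

The design choice worth copying is that the key lives in the escrow map, not in the container, and the container names the key rather than embedding the appliance's proprietary state; the rest (AES-GCM, a random nonce, the header as associated data) is standard practice.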
MASS 201 CMR 17 is a game-changer in terms of applying legal standards to data protection. As you take stock of your company's reliance on tapes, how wedded are you to them if you are constantly wondering how safe they are and how accessible the data on them is?