Massachusetts' Office of Consumer Affairs & Business Regulation (OCABR) recently released a revised version of its "Standards for the Protection of Personal Information of Residents of the Commonwealth" (the "Regulation"). This August 2009 version modifies the February 2009 version of the Regulation. The press release for the new revision is here, and the FAQs released by OCABR appear updated to address some of the changes in the regulations.For ease of reference, ISC has taken the time to create a REDLINED VERSION showing the revisions in the new Regulation. The redlines indicate changes between the February 2009 version and the August 2009 version of the Regulation. Also included below is a summary of some of the more significant changes.
In other posts, I addressed the trend in the United States to require encryption for certain categories of personal data that are sought by ID thieves and fraudsters - especially Social Security Numbers, driver's license numbers, and bank account or payment card details - as well as for medical information, which individuals tend to consider especially sensitive. These concerns are not, of course, limited to the United States. Comprehensive data protection laws in Europe, Canada, Japan, Australia, New Zealand and elsewhere include general obligations to maintain "reasonable" or "appropriate" or "proportional" security measures, usually without further elaboration. Some nations have gone further, however, to specify security measures.
In the last post, I talked about the role of encryption in fashioning a "reasonable" security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.
"Exactly what data do we have to encrypt, and how?" That's a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.
Last month we posted some basics on cloud computing designed to provide some context and identify the legal issues. What is the cloud? Why is everyone in the tech community talking about it? Why do we as lawyers even care? Dave provided a few things for our readers to think about -- privacy, security, e-discovery. Now let's dig a little deeper. I am going to start with privacy and cross-border data transfers. Is there privacy in the cloud? What are the privacy laws to keep in mind? What are an organization's compliance obligations? As with so many issues in the privacy space, the answer begins with one key principle -- location, location, location.
I had the pleasure of hearing an excellent presentation by Tanya Forsheit on the legal issues arising out of cloud computing during the ABA Information Security Committee's recent meeting (at the end of July) in Chicago. The presentation resulted in a spirited debate between several attorneys in the crowd. The conversation spilled over into happy hour and became even more interesting. The end result: my previous misunderstanding of cloud computing as "just outsourcing" was corrected, and now I have a better appreciation of what "the cloud" is and the legal issues cloud computing raises.