in the market as a comprehensive provider of information
management solutions. Its customers now have greater
flexibility to store and manage their information onsite
or in the cloud, where it makes sense for their budget and
business.”
NearPoint joins a broad portfolio of content archiving,
data protection and recovery, and eDiscovery solutions
from Iron Mountain Digital. Customers wanting to archive
email can now choose either NearPoint for onsite archiving
or Iron Mountain’s Total Email Management Suite, pow-
ered by Mimecast® technology, for archiving email in the
cloud. Additionally, customers can use Iron Mountain’s
Digital Record Center® for Compliant Messaging for email
that must meet SEC regulations and supervision.
New Personal ID Encryption Mandates:
Nevada, Massachusetts and Beyond
any company that owns or leases property in Nevada or massachusetts should
consider complying with recently enacted privacy laws.
With Nevada and Massachusetts now requiring encryption of
personal information when that information is transmitted over
public networks or stored on portable media, information managers need to consider carefully the impact of these new rules.
While the impact of these new laws will be far-reaching, their
precise effect is unclear, and lots of questions remain. Below is a
brief primer on the laws:
Nevada
First, a business must answer basic question such as whether it is
a data collector and whether it is doing business in Nevada.
It may sound simple, but determining whether an out-of-state
organization is doing business in Nevada can be a laborious, fact-intensive inquiry resolved on a case-by-case basis.
Bottom line: Any company that owns or leases property in
Nevada or employs Nevada residents should consider complying
with the new law. Also, any business that advertises or makes sales
to Nevada residents on a regular basis, regardless of the marketing
channel or channels it uses, should expect the state to assert jurisdiction in the event of an apparent violation of the new law.
TraNsmissioN aNd sTorage
A common interpretation of Nevada’s law is that it covers all
electronic transmissions, except conventional faxes and voice
telephone calls that are sent outside the data collector’s internal
computer and communications systems.
These provisions put a heavy burden on a business to control
its employees’ use of laptops, flash drives, and other devices and
media that can easily be loaded with sensitive data and removed
from the employer’s premises.
Massachusetts requires encryption to be adopted as part of a
broader “written, comprehensive information security program”
by every “person that owns or licenses personal information about
a resident of [Massachusetts] and electronically stores or trans-
mits such information . . .” The program also must include “[e]
ncryption of all personal information stored on laptops or other
portable devices . . .”
Similar to Nevada, a business (including an out-of-state busi-
ness) must answer a set of questions to figure out if it’s subject
to the Massachusetts law. For example, what sorts of personal
information does the law cover? Under what circumstances must
such information be encrypted?
An important difference between the Nevada and Massachusetts laws is that Massachusetts protects only personal information of Massachusetts residents. Accordingly, companies that do
not sell to Massachusetts residents, or do not otherwise maintain
their personal information, should have no compliance obligations
under the law.
The regulations are not clear about backup tape encryption.
As best as can be established, the guidelines suggest that the
obligation to encrypt tapes created before March 1 arises only
when the business decides to transport them.
BeyoNd Nevada aNd massaCHUse TTs
The history of privacy and data protection laws shows that once
a state has adopted such a law, others tend to follow suit. Further
initiatives of this kind should be expected, and businesses should
follow those developments and implement compliance measures
accordingly. ▲
