Massachusetts has implemented a new Data Security Law, 201 CMR 17.00. It is intended to protect the citizens of Massachusetts from identity theft. It addresses the safeguarding of "Personal Information" for all Massachusetts citizens.
What does the law cover?
While the law addresses all aspects of safeguarding personal information, from physically securing records, to written policies, to employee training, it affects our services because it prohibits shipping computer media containing "Personal Information" on Massachusetts citizens unless it is encrypted. "Personal Information" is defined as a person's name, in combination with their Social Security number, driver's license number, credit card number, or financial account number. You can read the full law on the Massachusetts web site: 201 CMR 17.00.
How does the law apply to conversion services?
Although the law does not directly prohibit us from offering data conversion services, it does prohibit shipping tapes or disks via common carrier (UPS, FedEx, USPS) if they contain "Personal Information" on any Massachusetts residents and the data is not encrypted. Since 99% of our work ships via common carrier, and about 75% of it contains "Personal Information", this law impacts about three-quarters of our business.
People who use our service generally do so because they can't read the tape or disk they have, so they are not able to encrypt it to meet the requirements of the law. And if they could encrypt the data, they wouldn't need our services in the first place. Furthermore, none of the tape drives we own support encryption, which makes it nearly impossible to encrypt the data in many cases.
The law states that data must be encrypted "when technically feasible". Initially we believed mainframe tapes were exempt from the requirement to encrypt because there is, in our opinion, no feasible way to encrypt data on a mainframe tape. (See the link below.) We contacted the Office of Consumer Affairs and Business Regulation (who wrote the law) to confirm this, but were told we were wrong and mainframe tapes were not exempt. When we pushed for a list of tapes they considered exempt and non-exempt, they referred us to the Office of the Attorney General. When we contacted the Office of the Attorney General, they were quite cordial, but explained they had not undertaken a determination of which tapes would be exempt under the "technically feasible" clause.
Such a determination was at the heart of being able to continue to conduct business in Massachusetts, so we undertook such a determination ourselves. We tried our best to understand the intent of the law, and which tapes would be considered "technically feasible" to encrypt and which would not. After much review of all the information we could find on the law, we thought we understood it, and we wrote a document describing which tapes we believed were exempt and which were not, and we offered the technical reasons for our conclusions. We requested that the Office of the Attorney General review it to confirm we correctly understood the intent of the law.
We received a reply from the Attorney General that they "...cannot provide you legal advice concerning which tapes used in your business are covered by the regulations and which are not covered by the regulations due to the fact that such an analysis involves a fact-specific technological determination that you must make based on your knowledge of the technological capabilities of the tapes and how they are used in connection with your business in terms of portability."
A "fact-specific technological determination" is what we thought we had written. Apparently it did not satisfy the Attorney General. After investing well over a hundred hours trying to understand the intent of the law, we are at a loss to provide anything more conclusive. And the State will not clarify the law.
You can read what we wrote on our Massachusetts Data Security Law page, but please be aware we can no longer consider it to be correct, based on the reply from the State. You can also read the full reply in the A.G.'s letter.
Since the Office of Consumer Affairs and Business Regulation has informed us that our understanding of the law was incorrect, and the Office of the Attorney General has not accepted our analysis of exempt tapes, we cannot consider any tapes to be exempt until such time as the State clarifies the law.
There is no reasonable way we can find for either ourselves or our customers to encrypt data on most mainframe tapes, so the only way to comply with the law is to not accept those tapes if they contain personal information on Massachusetts residents. We had already discontinued our PC conversion services to comply with the new law.
How has the law impacted our services?
In order to be in compliance with the new law, we can no longer accept any tapes or disks for conversion if they contain "Personal Information" on Massachusetts residents. Since that was the majority of our business, we have discontinued most of our services:
This law has eliminated over 75% of our business, causing major changes to the company. You may find that people you worked with in the past are no longer here. We appreciate your patience and understanding while we try to re-organize to accommodate the new law.