The Massachusetts Data Security Law, 201 CMR 17.00

If you only want to read a summary of how this law affects our services, see the Summary at the bottom of this page.

Disclaimer: Information on this page is our (Disc Interchange Service Company) interpretation of this law and may not be correct or agree with the Massachusetts Attorney General. Our understanding is based on reading the law and on information provided by the State of Massachusetts in reply to our inquiries. The State will not specify which tapes they consider to be exempt, and the information on this page is our understanding of their intent.

Last update: February 14, 2011

What is the law about?

The new Massachusetts Data Security Law, 201 CMR 17.00, which went into effect on March 1, 2010, is intended to protect the citizens of Massachusetts from identity theft. It addresses the safeguarding of "Personal Information" for all Massachusetts citizens. "Personal Information" is defined as a person's name, in combination with their Social Security number, driver's license number, credit card number, or financial account number.

Who does it apply to?

This is a Massachusetts law, and only applies to "Personal Information" on Massachusetts residents. According to the State of Massachusetts, the law applies to any business that "owns or licenses Personal Information on any Massachusetts resident", regardless of its location (inside or outside of Massachusetts).

Section (2) states the scope:
 

(2) Scope
The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.

Although you might think this does not apply to a data conversion service such as Disc Interchange, since we neither own nor license the data we convert, "Owns or Licenses" is further defined as:
 

Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

This definition does include the conversions Disc Interchange performs, since we "process" and "otherwise have access to" the data sent to us for conversion.

Therefore, the scope of the law includes our services. Of course it also applies to the owner of the data.

What does the law cover?

While the law addresses all aspects of safeguarding personal information, from physically securing records, to written policies, to employee training, this article is only concerned with the security of computer tapes and disks which would be sent to Disc Interchange for conversion. You can read the full law on the Massachusetts web site: 201 CMR 17.00.

The law is quite general and brief, and was written mostly to address security at companies that keep a lot of records on their customers and employees. There is no mention of tapes or removable disks, and initially we didn't think it applied to tapes or removable disks. But the State says it does. Section 17.04, titled "Computer System Security Requirements", addresses security of data stored on computers. Element 5 requires:
 

(5) Encryption of all personal information stored on laptops or other portable devices;

The State considers tapes and removable disks to be "portable devices", and they are therefore subject to the law.

How does the law apply to data conversion services?

The law applies to data conversion in several ways. For example, it stipulates that companies such as Disc Interchange must have adequate procedures in place to ensure the safety of our clients' data, and must maintain adequate safeguards when handling the data. Disc Interchange has always had excellent security for your data while it is at our facility, security that far exceeds the requirements of the new law. The new issue this law creates for us is the security of your data while in transit to and from Disc Interchange via FedEx or UPS. In general, the law prohibits sending any "personal information" of a Massachusetts resident via common carrier unless it is encrypted or contained on an exempt tape. You can transport unencrypted tapes if you hire a courier with "sufficient security" to deliver them here and pick them up. If you are considering transporting unencrypted tapes, you might want to read the State's FAQ, and in particular, "Must I encrypt my backup tapes?" on page 2.

If your tape or disk does not contain any "personal information" on a Massachusetts resident, then this law does not apply, and our services are not affected. We will require you to complete one of our Security Statement forms certifying there is no personal information in the data you are sending us.

Who is responsible for determining if a tape contains "Personal Information"?

According to the Attorney General, the owner of the data is responsible for making that determination. Disc Interchange will ask you to specify if your data contains "Personal Information". If it does not, DISC will convert and return the data as usual. If your tape contains "Personal Information" and we are returning the data on a PC tape or disk, we will encrypt the converted data before returning it.

Since it is not possible for us to encrypt a tape in the process of performing a tape-to-tape copy, we are not able to accept PC tapes for copying if they contain "Personal Information" that is not already encrypted. (We can accept mainframe tapes which are exempt; see the section below.)

What tapes are exempt?

Note: The following is how we at Disc Interchange interpret the law. It has not been sanctioned by the Commonwealth of Massachusetts, although we are asking the Attorney General's Office to read it. If they offer any corrections or further information, we will post it here.

Discussion:

The requirement to encrypt data applies "when technically feasible", and therefore certain types of tapes are exempt from the encryption requirement when it is not technically feasible to encrypt the data on them. We have discussed this point with both the Office of Consumer Affairs and Business Regulation and the Office of The Attorney General, and they agree. However, the State will not specify which tapes are exempt, and we have found it exceedingly difficult to understand their interpretation of "technically feasible". Furthermore, the interpretation we received from the Office of Consumer Affairs and Business Regulation concerning exempt tapes differs from the interpretation we received from the Office of The Attorney General. The representative at the Office of Consumer Affairs and Business Regulation has said that the interpretation by The Attorney General takes precedence over the Office of Consumer Affairs and Business Regulation, and so we have based our conclusions on information from the Office of The Attorney General.

The intent of the law is to require the data be encrypted when "technically feasible". On page 2 of the FAQ, they describe "technically feasible":
 

What does "technically feasible" mean?
"Technically feasible" means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Also on page 2, under "Must I encrypt my backup tapes?" they state you must encrypt tapes if:
 

"it is technically feasible to encrypt (i.e. the tape allows it)".

That would imply that you are not required to encrypt the data if the tape drive does not allow it, which is the case for all the tapes we convert. But through discussions with the State we have learned it is not that simple. After three letters and two phone conversations with the Office of Consumer Affairs and Business Regulation and the Office of The Attorney General, we have arrived at the following understanding:

Tapes, or the data contained on them, must be encrypted "when an accepted industry method is available" (a quote from our conversation with the Attorney General's office). The "accepted" methods of encryption vary, depending on the type of computer in use. On a personal computer, for example, it is quite feasible to encrypt a file on disk using commonly available encryption software, then write that file to a tape, using the same methods as for any other (unencrypted) file, or to use backup software that encrypts the file in the backup process. Either of those methods is quite feasible and does not interfere with writing the tape or make the tape more difficult to restore later.

Mainframe tapes, however, are normally written in a manner where the structure of the tape is dependent on the structure of the data; for example an integral number of records per tape block. (See our Tech-Talk technical articles for details on mainframe tapes.) But if the data is encrypted before being sent to the tape drive, it will no longer be in a form that can be written that way, using standard methods. Encrypting the data makes it impossible to write the most common types of mainframe tapes, IBM Standard Label Fixed Block or IBM Standard Label Variable Block tapes.

The only way to write an encrypted file to one of these tapes would be to use a method that is not an "industry standard", and the receiver of the tape would have to understand the non-standard method and be able to reverse the process and recover the data. In fact this is what CMS (Centers for Medicare & Medicaid Services) does, but it was expensive (they contracted with PKWare to write a custom mainframe encryption application and to administer it), and difficult. We have received such tapes from CMS, but it took four people from three companies an hour on a conference call to figure out how to read the tape. This expense and difficulty is not within the scope of "technically feasible" for most companies.

Because of the way mainframe computers write to tape, the accepted method of encrypting data on a mainframe tape is to build the encryption into the tape drive. That allows the mainframe to use the standard method of writing data to tape, maintaining the accepted method of writing tapes. But only the newest tape drives offer encryption. The vast majority of mainframe tape drives in use today, including all the drives we own, do not support encryption.

To summarize this difference in simple terms:
PCs encrypt the data, then send the encrypted data to regular tape drives.
Mainframes send unencrypted data to the tape drive, and the tape drive encrypts it.

This difference in methods determines whether it is feasible to encrypt data when using a tape drive that does not have encryption capabilities built into the drive.

As we interpret the law, then, both the type of drive and what computer the drive is connected to determine if the data is required to be encrypted. If a tape drive connected to a mainframe supports encryption (has encryption built into the drive), then you are required to use it and write an encrypted tape. However, if the drive does not support encryption, that tape is exempt, when used on a mainframe. On the other hand, no drives would be exempt when connected to a PC, since there are other accepted methods of encrypting the data on a PC.

Although there is little overlap of tape drives from the mainframe and PC worlds (mainframe tape drives generally cost tens of thousands of dollars and few people put a $30,000 drive on a PC), if the same drive (which does not support encryption) were installed on both a PC and a mainframe, we believe the mainframe tape would be exempt from encryption while the PC tape would not be exempt.

There is one further classification: obsolete computers. DISC does a lot of DEC VAX VMS conversions. VMS is essentially frozen in time after the demise of Digital Equipment Corporation in 1998, and as far as we know there are no industry-accepted methods for encrypting data on VMS tapes (of any kind). We believe that makes those tapes exempt, but to be sure we are making an inquiry of the Attorney General.

Conclusion:

  1. All tapes containing "Personal Information", originating on a PC (Windows, Mac, UNIX, etc.) are required to be encrypted.
  2. All tapes containing "Personal Information", originating on a mainframe or AS/400 and written to a tape drive that supports encryption are required to be encrypted.
  3. All tapes containing "Personal Information", originating on a mainframe or AS/400 and written to a tape drive that does not support encryption are exempt from the encryption requirement.
  4. All tapes containing "Personal Information", originating on an obsolete computer which offers no standard method of encryption, such as VMS, and written to a tape drive that does not support encryption are exempt from the encryption requirement.

 


How does the law affect specific data conversion services offered by DISC?

In the following sections we address how this law affects the different types of conversions we perform. This is our interpretation of the law, and is subject to change as we receive further information from the State of Massachusetts, so even if you have read this page before, please review it again for changes.

The law has caused us to discontinue many of our conversion services, and alter others. This section explains how various services are affected. Please understand the following:

  1. The restrictions imposed by the law are related to shipping via common carrier (UPS, FedEx, USPS), and do not affect what operations we can perform at our facility. If you can provide secure private transportation to and from DISC, our services are not affected.
  2. If your data does not contain any "Personal Information" about a Massachusetts resident, none of these restrictions apply and our services are not affected.

The rest of this article is a discussion of what kinds of tapes and disks can be shipped by common carrier (FedEx and UPS in particular). The discussion is limited to tapes and disks which contain "Personal Information" on a Massachusetts resident. If your tapes or disks do not contain any "Personal Information" on a Massachusetts resident, there are no restrictions on shipping them.

Mainframe and Midrange tape conversions to Personal Computers (Windows, UNIX, etc.)

Note: We are using the generic term "mainframe" to include the class of computers that operate like IBM Mainframes and store data in a similar fashion, including other brands of mainframe computers, as well as AS/400 computers and other midrange systems.

Mainframe tapes written by tape drives which do not offer encryption are exempt from the encryption requirement, as discussed above. None of the mainframe tape drives we support offer encryption, so it is legal for you to ship an unencrypted mainframe tape to us for conversion, and for us to return the unencrypted tape to you. However, the converted data is required to be encrypted upon return to you, if it is written to PC media, not to a mainframe tape. It seems to us that encrypting the converted file offers little protection when it's returned in the same box as the unencrypted tape, but that's the ruling by the State of Massachusetts.

DISC is still converting mainframe and AS/400 tapes, and we will require you to sign one of our Security Statement forms stating if the tape contains Personal Information.

DEC VMS to Personal Computers

We believe VMS tapes are exempt from the encryption requirement because there are no industry standards for encrypting VMS tapes, and to do so is not technically feasible. However, this has not yet been confirmed by the State. Like mainframe tapes, VMS files that we convert to PC files are required to be encrypted if they contain Personal Information.

DISC is still converting VMS tapes, and we will require you to sign one of our Security Statement forms stating if the tape contains Personal Information.

Personal Computers to Personal Computers

Our understanding of the law is that it requires all personal computer media -- tapes and disks -- containing personal information to be encrypted in shipment to us, and upon return from us.

This causes a real dilemma. Since it is "technically feasible" to encrypt the PC files on a tape or disk, they are not exempt under the law. However, people use our service because they can't read the tape or disk, and if they can't read it, they can't encrypt it. And if they could encrypt it, they wouldn't need our services.

It appears impossible to meet the requirements of the law and still offer our services, so we have discontinued PC conversions. We realize we could continue to convert tapes and disks that do not contain personal information, but most of the PC conversions we perform do contain personal information, so we would lose more than half our business anyhow. We cannot find a way to break even on PC conversions after losing half the business, so our only option was to close that division.

Other miscellaneous computers

We are unsure how the law applies to many older computer formats we used to convert, such as Apple, CP/M, MSDOS, OS/2, and others. However, those conversions were part of our PC division and were done by the same staff, so we have discontinued those conversions along with the PC conversions.

Dedicated Word processors and typesetters

We are also unsure how the law applies to dedicated word processors and typesetters. However, those conversions were also part of our PC division and were done by the same staff, so we have discontinued those conversions along with the PC conversions.

Tape to tape copies

DISC does a lot of tape-to-tape copy work, so this is a large category for us. As discussed above, there are different categories of tape-to-tape copies, some of which are exempt and some that are not. Since a tape-to-tape copy makes a literal image copy of the source tape on the destination, if the source tape is not encrypted, the copy will not be encrypted either. (The only exception could be if the destination drive supports encryption, and none of the drives we own do.)

If your tape contains "Personal Information":

  1. PC tapes are required to be encrypted. We can copy the encrypted data to a different tape, without change. You need to ensure you can decrypt the data from the new tape.
  2. Mainframe and AS/400 tapes and VMS tapes are exempt unless the drive supports encryption (none of the drives we use support encryption). DISC can copy the unencrypted data to a new tape and return both to you.

If your tape does not contain "Personal Information":

   There are no restrictions and DISC can copy your tape.

 


In summary:

This law does not explicitly restrict the services DISC can offer; rather it restricts what can be shipped via common carrier. However, since 99% of our business ships via common carrier, it effectively limits what we can do. For that reason we have discontinued about half our services, in order to comply with the law. (See the section above.)

If your data does not contain any "Personal Information" on Massachusetts residents, this law does not apply to you. "Personal Information" is defined as a person's name, in combination with their Social Security number, driver's license number, credit card number, or financial account number.

We have summarized the six main situations in the table below:

| Condition | How the law applies |
|---|---|
| Your data does not contain any "Personal Information" about Massachusetts residents. | This law does not apply, and our services are not affected. |
| Your data does contain "Personal Information" about Massachusetts residents, but you provide secure transportation to and from DISC. | You have met the requirements of the law and our services are not affected. |
| Your data does contain "Personal Information" about Massachusetts residents, and the tape or disk you are sending and the tape or disc we are returning are encrypted. | It is legal for you to ship the tapes to us and for us to return them to you, encrypted. Please be aware this limits our services: We will not be able to alter the encrypted data, only transfer it to other media. If you need conversion of the file contents, please call us to discuss encryption methods. |
| Your data does contain "Personal Information" about Massachusetts residents, and the tape you are sending and the tape we are returning are exempt. (See "What tapes are exempt?" above.) | It is legal for you to ship the exempt tapes to us and for us to return them to you, unencrypted. |
| Your data does contain "Personal Information" about Massachusetts residents, and the tape you are sending us is exempt, but the media we are returning is not exempt. | It is legal for you to ship the tapes to us, and for us to return them to you. We will encrypt the converted data upon return and also return your exempt tapes to you. |
| Your data does contain "Personal Information" about Massachusetts residents, and your tapes are not exempt and not encrypted. | It is not legal for you to ship the tapes to us or for us to return them to you (unless you use a secure transport). |

The following summarizes how this law has affected our various services:

  1. We have discontinued all personal computer conversions. Those include MSDOS, Windows, Macintosh, Netware, most UNIX, and all word processors, typesetters, and old computers.
  2. DISC is still doing Mainframe and AS/400 to PC conversions. If your data contains Personal Information, we are required to encrypt the converted files.
  3. DISC is still doing DEC VMS to PC conversions. If your data contains Personal Information, we are required to encrypt the converted files.
  4. We can make a tape-to-tape copy of an unencrypted mainframe tape, if the drive that wrote that tape does not support encryption.
  5. We are only permitted to make a tape-to-tape copy of PC tapes that are encrypted, or do not contain any Personal Information on a Massachusetts resident.

 

Disc Interchange Service Company, Inc.
15 Stony Brook Road
Westford, MA 01886
(978) 692-0050
