MA law on information security

Massachusetts has passed an Executive Order No. 504 that goes into effect in 2009, to protect personal data. Here’s an excerpt:

Section 3. All state agencies shall develop, implement and maintain written information security programs governing their collection, use, dissemination, storage, retention and destruction of personal information. The programs shall ensure that agencies collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is collected; securely store and protect the information against unauthorized access, destruction, use, modification, disclosure or loss; provide access to and disseminate the information only to those persons and entities who reasonably require the information to perform their duties; and destroy the information as soon as it is no longer needed or required to be maintained by state or federal record retention requirements. The security programs shall address, without limitation, administrative, technical and physical safeguards, and shall comply with all federal and state privacy and information security laws and regulations, including but not limited to all applicable rules and regulations issued by the Secretary of State’s Supervisor of Public Records under Chapter 93H.

New Encryption Law

Nevada is said to be the first state to pass a law that requires the encryption of data in transit: NRS: CHAPTER 597 – MISCELLANEOUS TRADE REGULATIONS AND PROHIBITED ACTS

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2. As used in this section:

(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.

(Added to NRS by 2005, 2506, effective October 1, 2008)

New PCI Deadlines

The global deadline has been set by Visa:

Level-one retailers — those processing more than six million Visa transactions per year — must prove adherence to the Payment Card Industry Data Security Standard (PCI DSS) by Sept. 30, 2010, Visa said in a news release. After that date, Visa may begin issuing fines to acquiring banks, which typically pass the penalties down to the merchants.

Visa also announced that as of Sept. 30, 2009, level-one and level-two merchants — which process between one and six million Visa transactions — cannot retain any data encoded on the magnetic stripe on the back of the card, such as PINs or security codes.

Benedetti Haikus

At this rate, I must learn Spanish, or at least work on ferreting the words out myself from the poems of Benedetti; his writing is so compelling…until then, translations by Katya Rascovsky:

la muerte invade
de vez en cuando el sueño
y hace sus cálculos

death invades
sleep from time to time
and makes its calculations

en todo idilio
una boca hay que besa
y otra es besada

in every love affair
there is a mouth that kisses
and another that is kissed

el preso sueña
algo que siempre tiene
forma de llave

the prisoner dreams
something that always has
the form of a key

la poesía
dice honduras que a veces
la prosa calla

conveys depths that sometimes
prose silences

un pesimista
es sólo un optimista
bien informado

a pessimist
is just an optimist
who is well informed

me gustaría
ser noble y elegante
como un pingüino

i would like
to be noble and elegant
like a penguin