Massachusetts Extends Encryption Deadline
As reported here in Network World, Massachusetts has extended the deadline on its data encryption law until January 1, 2010. The law mandates encryption of sensitive data, particularly personal data such as a combination of a name along with a Social Security number, bank account number, or credit card number.
The law is a good start, but in my opinion it still leaves too many loopholes. For instance, rather than mandating two-factor authentication, it calls for "a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices" (17.04 (1) (ii)). That language gives no incentive to actually deploy unique identifier technologies: an organization can simply set up a password rotation policy of some sort and declare it "reasonably secure."
Similarly, 17.04 (3) requires, "To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly." I'm having a hard time thinking of many cases, if any, in which it is technically infeasible to encrypt records and files transmitted across public or wireless networks. Why is the qualifier necessary?
With the drumbeat of data breaches growing ever more constant, it seems that now is the time to get tough and demand -- not just suggest -- the use of best practices in encryption and authentication.
Labels: authentication, encryption, legislation, massachusetts
