Notice about the Massachusetts Data Security Law, 201 CMR 17.00

Disclaimer: Information on this page is our (Disc Interchange Service Company) interpretation of this law and may not be correct or agree with the Massachusetts Attorney General.

Last update: February 19, 2011

Massachusetts has implemented a new Data Security Law, 201 CMR 17.00, which went into effect on March 1, 2010. It is intended to protect the citizens of Massachusetts from identity theft. It addresses the safeguarding of "Personal Information" for all Massachusetts citizens.

Does the law affect data conversion services?

Although the law does not directly affect the services we can perform, it does prohibit shipping some types of tapes via common carrier (UPS, FedEx, USPS) if they contain "Personal Information" on any Massachusetts residents, and the data is not encrypted. "Personal Information" is defined as a person's name, in combination with their Social Security number, driver's license number, credit card number, or financial account number. Please note that this only applies for Massachusetts citizens, not residents of other states.

In brief, the law prohibits shipping computer media containing "Personal Information" on Massachusetts citizens unless it is encrypted, sent via secure courier, or is on an exempt tape or disk.

Here is how the law applies:

1. If your tapes or disks do not contain any "Personal Information" on Massachusetts residents, this law does not apply and there are no restrictions on shipping.
2. If your tapes or disks do contain "Personal Information" on Massachusetts residents, one of the following situations applies:

• Mainframe, AS/400, and VMS tapes are exempt. You may ship the tape to us. We will return the converted data encrypted if it is on non-exempt media.
• Other tapes and disks (Windows, UNIX, Mac, Novell, MSDOS, etc.) are not exempt, and you are not permitted to ship them via common carrier (to us or anyone else) unless the data on them is encrypted.
• You may, however, ship them via a courier who offers sufficient security to satisfy the law.

This is a Massachusetts law, and only applies to "Personal Information" on Massachusetts residents. According to the State of Massachusetts, the law applies to any business who "owns or licenses Personal Information on any Massachusetts resident", regardless of their location (inside or outside of Massachusetts).

The following summarizes how this law has affected our various services:

1. We have discontinued all personal computer conversions. Those include MSDOS, Windows, Macintosh, Netware, most UNIX, and all word processors, typesetters, and old computers.
2. DISC is still doing Mainframe and AS/400 to PC conversions. If your data contains Personal Information, we are required to encrypt the converted PC files for shipping.
3. DISC is still doing DEC VMS to PC conversions. If your data contains Personal Information, we are required to encrypt the converted files for shipping.
4. We can make a tape-to-tape copy of an unencrypted mainframe tape, if the drive that wrote that tape does not support encryption.
5. Due to the shipping restriction, we can only perform a tape-to-tape copy of PC tapes that are encrypted or hand-delivered, or do not contain any Personal Information on a Massachusetts resident.

Many of our customers are confused by this law, and we have found it difficult to interpret which tapes are exempt. We have written extensively about this on our Massachusetts Data Security Law page.