Disc Interchange Service Company, Inc., a Massachusetts corporation, will be closing on December 31, 2015, due to the Massachusetts Data Security Law, 201 CMR 17.00.
The new law prohibits us from shipping or receiving tapes or disks containing Personal Information on Massachusetts residents, unless the tapes are encrypted. Our clients use our services to convert tapes they can't read, and since they can't read them, they can't encrypt them to satisfy the new law. And if they could read them to encrypt them, they wouldn't need our services in the first place.
The law has wiped out about 95% of our business and we find we cannot sustain the corporate structure and provide the level of service we are accustomed to providing after losing the majority of our business. We have attempted to adapt by offering services not prohibited by the new law, but our expertise is in corporate and financial data conversion, which is precisely what the new law prohibits us from shipping or receiving. Since we can no longer offer those services in Massachusetts, there seems to be no alternative but to close the company. We are investigating opening a new business in another state, but no decision has been made.
We wish to thank all the loyal customers we have been fortunate to have known over the last 32 years. The conversion business has been very interesting and rewarding, and we have met many wonderful people during the years. DISC has employed many talented people, and we wish each of them the best in their next endeavor.
There is a summary of the Massachusetts Data Security Law below.
The Massachusetts Data Security Law, 201 CMR 17.00, is intended to protect the citizens of the Commonwealth of Massachusetts from identity theft. It addresses the safeguarding of "Personal Information" for all Massachusetts citizens. "Personal Information" is defined as a person's name, in combination with their Social Security number, driver's license number, credit card number, or financial account number.
The law applies to data conversion in several ways. For example, it stipulates that companies such as Disc Interchange must have adequate procedures in place to ensure the safety of our clients' data, and must maintain adequate safeguards when handling the data. Disc Interchange has always had excellent security for your data while it is at our facility that far exceeds the requirements of the new law. The new issue this law creates for us is the transport of your data to and from Disc Interchange via FedEx or UPS. The law prohibits sending any "Personal Information" of a Massachusetts resident via common carrier unless it is encrypted. If you must transport unencrypted tapes, it is necessary to provide sufficient security, such as an armored vehicle. (See "Must I encrypt my backup tapes?" on page 2 of the State's FAQ.) This makes it virtually impossible for our customers to get their tapes to us, and for us to return them.
The law is a well-intentioned attempt to protect the citizens of Massachusetts from identity theft. We agree with the intent of the law and applaud the attempt, but we feel the law is poorly planned and executed, with unreasonable requirements and little regard for the burden the law places on businesses in Massachusetts, and for the consequences it creates. The Office of Consumer Affairs and Business Regulation, who authored the law, has refused to (or been unable to) clarify how it applies to computer tapes, especially mainframe tapes.
Our attempts to understand the law
The law classifies tapes as "portable devices", the same category as laptops, and requires that tapes shipped via common carrier (UPS, FedEx, USPS) be encrypted if they contain Personal Information on Massachusetts residents.
There is a clause that says you must encrypt the data when "technically feasible". It is our belief it is not "technically feasible" to encrypt certain types of tapes, especially mainframe tapes.
We contacted the Office of Consumer Affairs and Business Regulation, who wrote the law, for an explanation of which tapes they deemed were and were not "technically feasible" to encrypt. They could not answer the question, and referred us to the Attorney General.
We contacted the Office of the Attorney General. They were cordial and listened to our situation, but would not make a determination of the "technically feasible" clause as it applied to computer tapes, and said it was up to us to determine "technical feasibility". So we spent hundreds of hours researching this law and all the documentation we could find on it. Believing we finally understood the intent of the law, we wrote a detailed description of which tapes we believed were and were not "technically feasible" to encrypt, giving technical justification for our conclusions. We asked the Attorney General to review our determinations. The A.G. replied they would not address the issue until they prosecuted a case. You can read the A.G.'s letter here.
So we wrote to the Office of Consumer Affairs and Business Regulation again, explaining the A.G. was unable to rule, and asking them to please interpret the law they wrote. They never replied to our second letter or to a third follow-up letter. After multiple attempts over two years to understand the law and get the State to clarify it, it finally became clear to us they did not understand the issues of encrypting computer tapes, and had likely not thought through the ramifications of the law they wrote.
A costly predicament
This leaves businesses like ours in a difficult predicament; we can't understand the law they wrote, and the State won't clarify what they mean, yet we are responsible for implementing the law, and liable if we don't implement it correctly.
The fines are extremely high: up to $11,000 per record, even if the data is just lost in shipping, not stolen or breached. We frequently convert data files with millions of records, so the potential fine should we misunderstand the law and not implement it correctly is staggering.
How to transport tapes you can't encrypt
If you are unable to encrypt a tape, which is the case for most of the tapes we convert, you may still transport it if you have sufficient security. But what does the State consider "sufficient security"?
On page 2 of their FAQ the State recommends how to transport tapes containing Personal Information if they are not encrypted. They say the following:
"... For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards."
We have not found a single customer willing to hire an armored vehicle to deliver their tapes to us.
The State does not obey its own law
Infuriatingly, the State doesn't seem to be obeying their own law. Since the law was passed the Massachusetts RMV has twice sent us the entire Massachusetts Drivers License file to convert, and each time they sent it unencrypted, and they did not use an armored vehicle.
In fact, they offered to mail it via First Class Mail! At 6.9 million records of Massachusetts residents this file contains more Personal Information on Massachusetts residents than any other file we have received.
In a separate instance, the Massachusetts Legislature called us to convert a tape containing payroll data of the division's employees. When we informed them it was illegal to ship such data, and that in compliance with the law we could not receive it, they seemed surprised and unaware of the law they passed. The person who called asked for names of other conversion houses and indicated his intent to ship the tape to another conversion service, in total disregard of the law.
In summary
The State has written a law that we can't understand and they won't (or can't) interpret. But we are liable for massive fines if we don't correctly follow the law which we can't fully understand.
Furthermore, requirements such as hiring an armored vehicle to transport unencrypted tapes are, in our opinion, absurd overkill and unnecessarily burdensome on Massachusetts businesses.
The law has driven our customers to our competition in other states. Massachusetts is the only state with such draconian requirements.
We find it extremely unjust that a law that's so poorly conceived that the agency that wrote it can't even explain it has put a company of 32 years out of business, cost people their jobs, and wiped out the life work and life savings of our founder, while at the same time the State is ignoring their own law, shipping tapes unencrypted via First Class Mail.
An ironic twist
In an ironic twist, one of the employees we laid off as a consequence of the new law had his Personal Information stolen from the Division of Unemployment while he was unemployed due to the new law.
In the 32 years we were in business we never had a single record lost or breached.
You can read the law and the FAQ here: