Data breach laws, e-discovery increase compliance duties
Compliance is becoming an increasingly thorny challenge for enterprise IT, as businesses face a growing body of laws, regulations and other legal obligations that touch on information security. Some of the most challenging compliance areas these days involve data breach notification laws and e-discovery obligations.
States are getting tougher when it comes to trying to protect their residents' personal data from breaches, and a new law in Massachusetts raises the bar by setting a fine of $5000 per record lost. As Randy George at InformationWeek reports, a company could be fined $1 million for losing one laptop with personal data on just 200 residents of the Bay State.
The Massachusetts law applies not only to businesses in the state but to any company that keeps personal data on the state's residents. George examines two parts of the law that are particularly notable because they require action to avoid breaches, not just notification of victims after the fact. Businesses are required to have a working information security program for protecting personally identifiable information, and they must submit a written information security program to the state. They also must encrypt data in motion and at rest, including information on portable devices such as USB drives, laptop computers and smartphones.
A second complicated--and evolving--area of compliance is e-discovery, which is the process of handing over electronically stored information requested during a lawsuit. Best practices are evolving and opinions vary on how enterprises should prepare for e-discovery, but many experts agree that it is important to manage backup tapes carefully. Backup tapes can be a particularly costly component of e-discovery, and reducing the number of stored tapes can make the process more manageable, writes Behzad Behtash at InformationWeek.
For more:
- see Randy George's article at InformationWeek
- see Behzad Behtash's article at InformationWeek