Mainframe Anti-virus packages do exist but most people use other devices to scan mainframes for infections. The law is meant to make the companies perform the "due diligence" needed to be entrusted with individual's PI. What is so hard to understand about that? Where AV can be used, it should.. Where it can't, what do you do to protect the machine? If you can't protect the machine properly, is it the proper place to put this info?

Again, Mass. EO 5-04 - Here's the link to the PDF (http://www.mass.gov/Agov3/docs/Executive%20Orders/executive_order_504.pdf) I think the thing you are getting confused on is this law is meant for Businesses and there are other laws aimed at government agencies..

It may be but these items alone are not considered PI.

I don't suppose you've heard of Root Kits? They effect more than just Windows these days.If you have this kind of info on a server, you need to make sure no one else is getting at it and running a scan for any intrusions is not that onerous.If you think it is then maybe you've never had to go thru the hassle to clear your name after having it sullied by an Identity theft. Companies have gotten away with not protecting this type of data for too long in my mind and then when they have a breach they hand the mess to the customer and tell them they are sorry but you need to fix this. At least now the cost of having the breach is more cost prohibitive than putting the proper tools in place to prevent the breach.

I think you may want to read Mass. Executive Order 5-04. They have to follow this so they are not exempt. http://www.mass.gov/?pageID=gov3terminal&L=3&L0=Home&L1=Legislation+%26+Executive+Orders&L2=Executive+Orders&sid=Agov3&b=terminalcontent&f=Executive+Orders_executive_order_504&csid=Agov3

Why would you need to? I don't think the law has called out that you have to. All it is asking companies to do is perform the due diligence to protect PHI and PII for the citizens of Massachusetts.