Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."
Libertarians should stay the fuck away from shit they don't understand!
Which I guess in practice means they should stay the fuck away from pretty much everything.
For every problem, there is at least one solution that is simple, neat, and wrong.
One thing I have noted in my "small business" IT jobs, if you don't take IT seriously and stick them in a windowless room in the basement like you would a janitor, you will not succeed in your business.
But basically, that's what IT is. You're file clerks at best. Data janitors is another way to describe it.
But I see some resentment there. Didn't get the prestige you thought you deserved? How did you make sure they regretted it? Can you tell us, and any future employees what you did?
They probably aren't storing your credit card information and social security number.
They are more likely storing your name and phone number so they can call you when your trousers are ready for pickup. Since that's Personally Identifiable Information, they will apparently have to encrypt that.
That could be quite a burden on small businesses like dry cleaners, and plumbers whose wives make up the invoices and send them out at the end of the month.
If you're a zombie and you know it, bite your friend!
"Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business."
It seems like they really do mean just about everyone. Within a year we'll start seeing stories about how part-time small business people doing exactly what you described are the new source of major data breaches, because their Excel files and whatnot are being stolen via trojans and viruses. And the data security industry will push for more laws and expensive software to remedy the situation. Just a cynical hunch...
Would having a password on a spreadsheet file constitute enough 'security'?
The deep and intricate details of security and encryption will typically NOT be understood by your neighbourhood dry cleaners, and I would even state that many in a so-called "Fortune 500" company would be equally as clueless, if not more so.
Oh, but whacking people on the head will certainly solve the problem. Well, therein lies the problem. Government's "solution" to all problems great and small is to put everyone at gunpoint. We may as well be dealing with mobsters. Whee!
Ruby Neural Evolution of Augmenting Topologies