Slashdot Mirror
Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"
"""
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
"""
So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.
Can you construct some sort of rudimentary lathe?
Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose
Summary and article fail.
Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
Everything else states "reasonable security precautions" (aka: access control/passwords).
But don't take my word for it read it yourself. (it's only 4 pages)
(3)Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information to be
transmitted wirelessly.
[...]
(5) Encryption of all personal information stored on laptops or other portable devices;
- Mass CMR1700 (the only occurrences of the word "encrypt")
A little googling finds the text of the law:
Personal information, a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.
So it looks like phone companies are safe.
You know, all of the use cases you describe can be supported by ticking the 'encrypt' checkbox that Windows NT has had since version 4, or by storing commercial data on an encrypted partition, which pretty much all modern(ish) operating systems support. It's really not hard, and is probably the minimum that a small business should be doing anyway.
I am TheRaven on Soylent News
No, this law is not "too much". Slashdot makes it look like "too much" because the article summary is incomplete and misleading.
This law only applies to certain databases that should have been encrypted anyway.
Incorrect. The author either did not do any research at all, or got the definition of PII horribly wrong as far as this law is concerned. The directive that sets the standard based on the law states:
It is abundantly clear that a person's first and last name alone does not constitute PII, SSN, financial account number or some other not so public information is also required.
See this comment from 2005: EFS & stand-alone computers? Can you make it work?
TrueCrypt is reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux. The TrueCrypt documentation is very good, but not perfect. TrueCrypt can make an encrypted drive letter or encrypt and entire partition, even the boot partition.
Only open source encryption should be accepted, since the U.S. government has decided it can force executives of corporations to work in secret to help gather data from or about users. If software is not open source, there may be hidden methods of decryption.
This will ultimately probably only end up affect Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce which states expressly do not have the authority to legislate.
Nope, this is only affecting in-state commerce with Massachusetts residents. And the states are absolutely allowed to pass laws that affect out-of-state businesses when they do business in the state. The only constitutional prohibitions on that are when the law is protectionist - imposes additional cost on out-of-state businesses that in-state business don't have to pay. Here, because the law applies equally to in-staters and out-of-staters, it isn't protectionist and isn't unconstitutional.
The FAQ for the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
Please note, this FAQ contains personally identifiable information - First and last names, job titles, address of employment, phone and fax number, of Governor Deval L. Patrick, Lieutenant Governor Timothyt P. Murray, Secretary of Housing and Economic Development Gregory Bialecki, and Undersecretary Barbara Anthony. It was obtained by http - NOT https, as required by the law.
The only reason THEY can get away with it is because ... guess what ... government agencies are excluded. "Do as I say, not as I do."
Cripes, dude. You link to the full text of the law, but apparently never read past the URL.
First, that is NOT personally identifiable information. As has been said in many posts, and as is listed in your links:
[Definition of] Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
See? You found names, job titles, addresses, and phone numbers, but no personal information listed in the law.
Second, what's the very next farking sentence in the definition?
provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
See that? Government agencies are not excluded from the law... rather, information lawfully obtained from government agencies are not personal information, which means that people who use it - like you - are not violating the law.
The shocking part is the amount of effort you went to to find the text, the FAQ, and the compliance checklist, plus creating two Slashdot posts about it, and yet you never actually read any of it.
How would your example be covered by the law:
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Personal information, [is defined as] a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.
so basically you'd be in the clear. Names and addresses are in the phone book / government public records. If your list contained the names and SSN of the members, then you'd be violating the law, which is still slightly silly as SSN *are not* supposed to be personal identifiers, but that's the world we've wound up with.
They are more likely storing your name and phone number so they can call you when your trousers are ready for pickup. Since that's Personally Identifiable Information, they will apparently have to encrypt that.
No, it isn't, and no, they won't. PII is defined in the law. You've read the law, right? It does not include your phone number, or even your address. It's your social security number, driver's license number, credit card number, or bank account number. And your dry cleaner shouldn't be keeping that information.
That could be quite a burden on small businesses like dry cleaners, and plumbers whose wives make up the invoices and send them out at the end of the month.
First, plumbers may have husbands who send out invoices for them.
Second, if those small plumbing businesses are storing customers' social security numbers, drivers license numbers, credit card numbers, or bank account numbers, then they damn well should be encrypting that data.
But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.
I'm not a lawyer and I didn't read the entire law that was passed (grain of salt, etc.), but from my layman interpretation nothing in here says that you have to encrypt data on your live servers.
The penalties are assigned based on breaches, that is, if someone hacks into your server and steals Massachusetts residents' records, you owe $5k for each non-encrypted record that was stolen (as well as notify the person and the state). Also if you have employees taking un-encrypted data off site on laptops that get stolen, similar penalties apply if the laptop was stolen.
Make sure your servers are secure, up to date, and fire walled, encrypt roaming laptops and you'll be fine.
If my understanding is correct, I think this is a great law. If more states implement it, we won't have companies leaving sensitive data on laptops that get stolen because of a careless contractor/employee.
The damages to a company would be so real and enormous that they will have to implement stringent security protocols, or one breach can very possibly take them out of business.
If you can't mod them join them.
eihab seems to have it right.
IANAL, either, but I did read the whole law and there is no broad encryption mandate as the SQL Mag author claimed.
The encryption-related sections of the law that I can find (17.04 (3) & (5)) actually mandate:
In other words, if you send data over public networks, or wirelessly, or store it on laptops, you should encrypt it. Excuse me for not getting excited about this.
Law: 201 CMR 17.00 reg
FAQ: 201 CMR 17 faqs
The whole thing seems pretty sensible overall.
Ask the author of the article where he got that notion from.
That phrase does not appear in the law nor in Massachusetts FAQ.
Nor does anything like it, except in reference to