Slashdot Mirror
Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"
"""
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
"""
So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.
Can you construct some sort of rudimentary lathe?
Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose
Summary and article fail.
Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
Everything else states "reasonable security precautions" (aka: access control/passwords).
But don't take my word for it read it yourself. (it's only 4 pages)
(3)Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information to be
transmitted wirelessly.
[...]
(5) Encryption of all personal information stored on laptops or other portable devices;
- Mass CMR1700 (the only occurrences of the word "encrypt")
A little googling finds the text of the law:
Personal information, a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.
So it looks like phone companies are safe.
You know, all of the use cases you describe can be supported by ticking the 'encrypt' checkbox that Windows NT has had since version 4, or by storing commercial data on an encrypted partition, which pretty much all modern(ish) operating systems support. It's really not hard, and is probably the minimum that a small business should be doing anyway.
I am TheRaven on Soylent News
But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.
I'm not a lawyer and I didn't read the entire law that was passed (grain of salt, etc.), but from my layman interpretation nothing in here says that you have to encrypt data on your live servers.
The penalties are assigned based on breaches, that is, if someone hacks into your server and steals Massachusetts residents' records, you owe $5k for each non-encrypted record that was stolen (as well as notify the person and the state). Also if you have employees taking un-encrypted data off site on laptops that get stolen, similar penalties apply if the laptop was stolen.
Make sure your servers are secure, up to date, and fire walled, encrypt roaming laptops and you'll be fine.
If my understanding is correct, I think this is a great law. If more states implement it, we won't have companies leaving sensitive data on laptops that get stolen because of a careless contractor/employee.
The damages to a company would be so real and enormous that they will have to implement stringent security protocols, or one breach can very possibly take them out of business.
If you can't mod them join them.
eihab seems to have it right.
IANAL, either, but I did read the whole law and there is no broad encryption mandate as the SQL Mag author claimed.
The encryption-related sections of the law that I can find (17.04 (3) & (5)) actually mandate:
In other words, if you send data over public networks, or wirelessly, or store it on laptops, you should encrypt it. Excuse me for not getting excited about this.
Law: 201 CMR 17.00 reg
FAQ: 201 CMR 17 faqs
The whole thing seems pretty sensible overall.
Ask the author of the article where he got that notion from.
That phrase does not appear in the law nor in Massachusetts FAQ.
Nor does anything like it, except in reference to