Slashdot Mirror


Mass. Data Security Law Says "Thou Shalt Encrypt"

emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"

10 of 510 comments (clear)

  1. Doesn't sound so bad by rwa2 · · Score: 5, Insightful

    That's pretty much already corporate policy at the last two major places I've worked for a few years now. It would be nice if the government starts treating that data the same way.

    In fact, it would also be nice to mandate encryption and signatures for email so there will be no more unsolicited spam. And finally it would be great if no one was allowed to open up a line of credit without my cryptographic signature so I wouldn't have to protect my SSN, birthdate, and mother's maiden name like it was some sort of safety deposit box combination.

  2. About fucking time. by wiredog · · Score: 4, Insightful

    Now maybe if they actually enforce it businesses will get the idea that they should protect the data.

  3. What's so scary about this? by MartinSchou · · Score: 4, Insightful

    What is so scary about this?

    With a high cost of PII, there is now an economic incentive for companies to actually give a rats ass. It's the same kind of incentive that is used to make sure companies don't just dump toxic chemicals in kindergarten sandboxes.

  4. It's about time by barius · · Score: 4, Insightful

    Sounds awesome to me. This should have been made law in every state/country a long time ago. Now if they would just make it law that all companies must provide an easy and thorough means for any individual to expunge their details from company records (I'm looking at you Facebook) then I might finally be able to stop that little bit of throwing up in my throat I get every time a company asks for my email address.

  5. Scarier not to by starfishsystems · · Score: 4, Insightful

    It's scarier to contemplate that such information is so often exposed as a matter of routine carelessness.

    On the other hand, it's not clear what to do about the classic perimeter problem. Sooner or later, somewhere, the encrypted data has to be processed or presented in plaintext. The key and the data have to be brought together. Now we've converted the problem of securing the data to the problem of securing the key - probably many keys in practice - and the systems on which those keys reside - probably many systems.

    --
    Parity: What to do when the weekend comes.
  6. THIS IS A FARCE by Lord+Ender · · Score: 5, Insightful

    Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.

    But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.

    The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.

    Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:THIS IS A FARCE by pem · · Score: 4, Insightful

      ... server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.

      No, it also protects the rest of us against idiots who sell old hard drives on ebay.

    2. Re:THIS IS A FARCE by flajann · · Score: 5, Insightful

      Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.

      But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.

      The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.

      Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.

      Agreed. I'm a MySQL guru (among other things), and I can't see keeping names and email addresses encrypted in the database on the server. Credit card numbers and other sensitive foreign account numbers? Absolutely. But what they are asking for is a joke. And what? The entire world would have to change how it stores things on its servers just to appease Massachusetts? Gee, if every territory starts lubbing its own rules about how the world should handle data of its residents/citizens, you can just kiss the Internet good-bye.

      What this all means though is that the small startup/merchant/mom-and-pop Internet operations will find it more and more expensive to swim in these waters infested with little fiefdoms everywhere with delusions of hegemony.

      Then again, it's always dangerous when politicians -- especially local ones -- try to legislate anything on the global Internet. Some years back some idiot New Hampshire legislature tried to impose a tax on -- are you sitting down? -- email. Can you believe it?

    3. Re:THIS IS A FARCE by GNUALMAFUERTE · · Score: 4, Insightful

      I agree 100% with you. Encrypting is very important, but more important is UNDERSTANDING what encryption is. This guys think if you magically apply DSA/Elgamal over your data, then it's secure. It's the same kind of delusion that development companies have with DRM. They added an if() somewhere on their code that checks a stupid key, and they believe that keeps them safe. It doesn't matter how much you encrypt your data, if you are going to access it eventually in an automated way, that is not going to protect you in any way. Encrypting the data and hardcoding the key on your app means nothing.
      Also, keeping certain information encrypted on the DB is just crazy. Doing a complex JOIN with multiple tables and a few LIKEs when you have a table with 200 million records is complex and resource intensive enough, adding encryption in every motherfucking field to that is only adding insult to injury.
      I manage a pretty complex setup of distributed asterisk servers, with replicating SQL DBs across 3 countries. CC data is only stored on the US server, and the key to decrypt them is not on the server, it's stored securely on another workstation, encrypted with yet another 4096 DSA/Elgamal key that I only have on yet another location. I only enter it once a month for billing purposes, and it only stays in RAM as long as the server is processing the monthly payments. I am a conscious coders, and I take privacy and security very seriously, but this law is just ridiculous.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
  7. I couldn't disagree more by Anonymous+Brave+Guy · · Score: 5, Insightful

    I'm sorry, but I strongly disagree with your position on almost every count.

    Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.

    Secondly, I think you (and several other DB admins and such in this Slashdot discussion) are far, far too casual about this subject. In my country, we have had a string of mismanagement or outright leaks of sensitive personal data in recent months. The number of people who have wound up losing money or suffering long-term hassle just to set their records straight is absurd, and rising every day. A $5,000 fine per leak is nothing compared to the hassle and indirect costs of someone suffering identity theft, even if they get everything put right in the end and recover their direct losses. To one side, it's several months of hell to get your identity back. To the other, it's a mere business expense, a footnote on page 172 of the annual financial statement.

    In my not so humble opinion, both business and governments need to learn this lesson, and I have absolutely nothing against sending a business to the wall if it collects personal information but fails to secure it properly. We have allowed more-or-less unrestricted collection of personal data for a few years, easily long enough for the industry to gets its act together. The result has just been organisations hoarding personal information about people for reasons that are entirely self-serving, pretty much all of whom could just die and make the world a better place anyway, and the string of screw-ups I mentioned before from many organisations that do have a legitimate reason to hold that sort of data.

    It is time for organisations that think this is OK to be taught otherwise, and frankly these fines are on the light side. I would have preferred an additional statutory duty of care with unlimited liability to cover the cost of putting right any damage done to an individual following a leak. Go ahead and reevaluate your security protocols and whether it is really impossible to do these things or just inconvenient/expensive, when the other side of the inequality you're testing looks like an 8 on its side instead of a $10 per person class action settlement.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.