Slashdot Mirror


Mass. Data Security Law Says "Thou Shalt Encrypt"

emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."

8 of 510 comments

  1. Phone book by kjart · Score: 3, Interesting

    I hope the phone company has deep pockets, because the phone book is full of first and last names and, last time I checked, it was totally unencrypted!

  2. Re:This'll get shot down by zarthrag · Score: 2, Interesting

    That's already started to go south with online sales tax. Simply doing business with a resident of the state is enough of an opening to allow the state to preserve the rights of their citizens. The only way to circumvent that would probably be to not do business there (i.e. void where prohibited.) Though, I must say, this is a GOOD thing.

    --
    Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
  3. !Micro-management by cmholm · Score: 5, Interesting

    I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law (220kB PDF) doesn't even mention https. So, I think the legislation's level of detail is appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.
  4. Storage of encryption key? by vlm · Score: 3, Interesting

    Any specifics for encryption key storage? How bout another column in the DB? That seems a likely implementation, very convenient and all that. Or we could just hardcode it to something memorable "password".

    Any specifics for encryption scheme? I've heard ROT-13 is fast, but XOR is faster.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  5. Looks like an example of a smart regulation by Presence1 · Score: 3, Interesting

    I'm glad to hear that at least one state is starting to implement a reasonable law. Between corporations too cheap to pay for systems that implement even a hint of real security, and perhaps a few lazy developers, we have a mess on our hands. I don't really understand the "yikes" exclamations in TFA. At least now there are some consequences for being so sloppy with your and my data.

    My approach to coding web apps is that we are playing theater in the round -- playing to at least three audiences at once. In any pool of users, you have Group-1) probably 98% of users in various states of computer illiteracy for whom you need a very well thought-out UI that gets them through the app with no errors (and good recovery *when* they make errors), you have Group-2) 2% of users that have a clue and want things really streamlined, and you have Group-3) a half-dozen bunches of malicious crackers.

    All three groups are always present, and you cannot ignore any of them. Ignore Group-1, and you'll pretty much have no audience. Ignore Group-2, and you drive off the 'experts' to whom much of Group-1 looks for advice, and you'll consequently lose not only Group-2 but also a lot of Group-1. Ignore Group-3 and you'll get cracked and mess up a lot of people's lives by losing their data, and/or you'll get embarrassed.

    Unfortunately, too many buyers and devs of software ignore Group-3 because of costs, and the "it'll never happen to us" attitude. They need this kind of stick to nudge them towards doing the right thing.

    I come from a very libertarian perspective, and I hate excess regulation, but I'm smart enough to know that the magic Market alone does not fix everything; it needs some smart regulation to prevent excesses or omissions, and this appears to be an example of such good regulation (presuming that they haven't screwed up the details).

  6. Re:Definition of PII from the text of the law by julesh · Score: 4, Interesting

    So this doesn't apply to places like slashdot and facebook.

    Or, indeed, to 95%+ of small ecommerce businesses. As a consultant, I've always recommended to my clients that they hand off processing credit cards (for example) to one of the services that'll do it securely without them ever seeing the card number, in order to avoid any responsibility for looking after the data.

  7. Re:THIS IS A FARCE by Sabriel · Score: 2, Interesting

    Here's a kicker - this law apparently does not apply to the politicians themselves. From the FAQ at http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

    Does 201 CMR 17.00 apply to municipalities?
    No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

    So it seems if your little business gets its 100-member customer db hacked, you're out half a million dollars; if the State of Massachusetts gets its DMV records hacked, they pay you zilch... or am I reading this wrong?

  8. Re:I couldn't disagree more by Corbets · Score: 3, Interesting

    I'm sorry, but I strongly disagree with your position on almost every count.

    Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.

    While I don't disagree with your post, I wonder just how many large European businesses you've worked for. I'm a consultant in this field, and have quite a few clients who are multinational. While a minority make efforts to stay in compliance with such data privacy laws, such as by keeping PII in the country of origin, a vast majority have no idea where their PII is stored or transmitted. They think data privacy doesn't really apply to them because they don't keep credit cards, and they don't understand the nature of Safe Harbor agreements or what, exactly, is covered therein.

    Data privacy is important, and probably needs to be legislated at some level, but don't go telling people that simply because it's the law here, companies actually comply with it.