Slashdot Mirror


Mass. Data Security Law Says "Thou Shalt Encrypt"

emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"

1 of 510 comments (clear)

  1. !Micro-management by cmholm · · Score: 5, Interesting

    I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law(220kB PDF) doesn't even mention https. So, I think the legislation's level of detail appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.