Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."
It is reasonable in principle, and a significant new burden that a lot of small businesses won't be able to handle and will mess with a lot of the ways the internet has empowered the small-time crowds.
It's one thing for anyone whose core business is on-line selling, let alone a corporation. But don't think like them. Suppose you run a local used bookstore that's willing to ship books to customers out of the area, or are a musician who is happy to supplement performance income by selling that self-recorded CD? You handle the orders with PayPal, but have you really encrypted that customer list you used to keep in a notebook but is now in Excel? Have you even thought of it?
In addition, it applies to anyone who *sells* to a MA resident. If other states follow suit, but don't do things exactly the same, could you imagine trying to keep up? You'll have to do best practices (including written security policies) to have a fighting chance of avoiding fines.
To be fair, there usually are exemptions for small businesses; I didn't see one skimming the story, but my examples may be irrelevant. Hopefully they are.
Stupid law. It means, for example, that you can no longer keep an email in unencrypted form.
Hey, on the other hand, maybe this will help kill off Facebook.
Ya, this seems like a massive headache for small businesses.
One example I can think of: I know a woman who sells cakes and has her own website.
People email orders to her.
Not payment information, just name and delivery address+order.
But a name and address is personally identifiable. Does that mean she has to get some kind of encrypted mailserver of her own?
How about if she replies to them?
That's sending that name and address in the clear (just like how it was sent to her, of course).
And how about social network sites?
There's plenty of personally identifiable information posted on there which by the very nature of the sites is fairly open, but does that mean that MySpace has to switch everything to HTTPS and store all that info on your public profile in an encrypted database???
This is well-meaning and sounds nice, but this sounds a lot like one of the ham-fisted attempts at regulation that clueless lawmakers are famous for.