Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."
Politicians should stay the fuck away from shit they don't understand!
Which I guess in practice means they should stay the fuck away from pretty much everything.
"When in doubt, use brute force." Ken Thompson
I just read the text of the law (IANAL) and it doesn't seem that this law is restricted to network transmissions and data storage - in fact it explicitly mentions paper records. How would one even go about encrypting paper? I'd think it would even affect newspapers which listed a reporter's name, or the name of somebody in the news. What if that newspaper was just left on a bench somewhere? Data breach.
I wonder what the fine will be for losing a cellphone with 300 phone numbers of your friends and family in MA.
Build your own energy sources from scratch. http://otherpower.com/