Slashdot Mirror


Mass. Data Security Law Says "Thou Shalt Encrypt"

emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."
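The summary above names the two controls the law is said to require: TLS on the wire and encryption of stored PII. As an added illustration of the at-rest half, which is not code from the story or from anyone in the thread, here is a Go program that encrypts a single PII field (a customer name) with AES-256-GCM before it is written to a row, binds the ciphertext to the row's ID as additional authenticated data so that a value copied into another row fails to decrypt, and stores nonce||ciphertext||tag as the column value. The in-memory map standing in for a SQL table, the record IDs and names, and the locally generated key are all constructed for the example; in a real deployment the key would come from a KMS or HSM rather than living next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is one row of a customers table: only the encrypted name is stored.
// The EncryptedName column holds nonce || ciphertext || GCM tag.
type Record struct {
	ID            string
	EncryptedName []byte
}

// NewKey generates a random 32-byte AES-256 key.
// Assumption for this example only: production keys come from a KMS/HSM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext under a fresh random nonce and binds the
// ciphertext to recordID via additional authenticated data (AAD), so a
// ciphertext moved to a different row will not authenticate on decrypt.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes for GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptField reverses EncryptField, verifying both the GCM tag and the
// record binding; any tampering or row swap yields an error, never plaintext.
func DecryptField(key []byte, recordID string, stored []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < aead.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := stored[:aead.NonceSize()], stored[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	table := map[string]Record{} // constructed stand-in for a customers table
	ct, err := EncryptField(key, "cust-1", []byte("Jane Doe"))
	if err != nil {
		panic(err)
	}
	table["cust-1"] = Record{ID: "cust-1", EncryptedName: ct}
	fmt.Printf("stored column value: %s\n", hex.EncodeToString(table["cust-1"].EncryptedName))

	pt, err := DecryptField(key, "cust-1", table["cust-1"].EncryptedName)
	fmt.Printf("decrypt in own row: %q err=%v\n", pt, err)

	_, err = DecryptField(key, "cust-2", table["cust-1"].EncryptedName)
	fmt.Printf("decrypt after copying to another row: err=%v\n", err)
}
```

Field-level encryption of this kind protects a dumped database file or a lost backup, which is the scenario the story's fine arithmetic is about; it does not protect against an attacker who can drive DecryptField through the application, and transport protection is a separate TLS configuration matter.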

5 of 510 comments

  1. "Standard practice"... if you're an asshole by Anal Surprise · Score: 1, Troll

    It's a little irritating to read all the comments about how this is really easy, standard industry practice, etc. Please give me a fucking break.

    Suppose you're running a church newsletter. You're not computer-literate. You want to send a newsletter. You write out the names of church members and their mailing addresses on a sheet of paper, and accidentally leave it at the copy shop. This is legal.

    Now, you do the same thing on a computer that you keep locked in your church. You use it to print out labels, you put the labels on envelopes, and you put the envelopes in the mail. Is it really reasonable that you've broken the law here? Most of this information is available in public databases anyway. You don't know "encryption" from your asshole. Your computer runs Windows 98, and there's no network.

    To my mind, if "creating a list on paper" is legal, "creating a list in a computer" should be too. If you want to hit loss or misuse of personal information, write a law that does that. Penalize a lack of security, don't legislate what security is, because every situation is not the same.

  2. Re:THIS IS A FARCE by Khyber · Score: 0, Troll

    No it doesn't. Now I've got your drive and can spend my leisure hacking away until that information is mine.

    Physical destruction or nothing, folks.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  3. Re:Doesn't sound so bad by John Hasler · Score: 0, Troll

    > Government's "solution" to all problems great and small is to put everyone at
    > gunpoint.

    It's the only solution they have. Violence and the threat of violence is what government is all about.

    > We may as well be dealing with mobsters.

    You are.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  4. Re:I couldn't disagree more by splogic · Score: 0, Troll

    I strongly disagree. And, I know I'm not going to win this one, because people on this site don't give a damn about the truth. They care about keeping their jobs as security administrators. You know that's what this is all about. It's all about money.

    > Many places — all of Europe, for example — already have stronger data
    > protection laws than most of the US.

    And that "precedent" is what, 15 minutes old? Furthermore, the U.S. does not base its laws on the laws of other countries.

    > In my country, we have had a string of mismanagement or outright leaks of
    > sensitive personal data in recent months.

    That's great, but what does that have to do with the United States? You have so many leaks because your laws reward hackers. If there's, for example, a $5000 dollar fine, and the government wants money, what do you think they'll do? They'll pay hackers to hack your databases or communications.

    Computer "security" is one of the biggest lies ever sold, second only to religion. There's no such thing as "security" and there's no such thing as "God".

  5. Re:Sounds mostly reasonable to me... by John Hasler · Score: 0, Troll

    > This "Written Information Security Plan"-Thing (yes, I read TFA) sounds like
    > an unnecessary and useless PITA though...

    How else is the state to know exactly what information you have on your customers so that they can seize it when they want it?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.