Mass. Data Security Law Says "Thou Shalt Encrypt"

emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."

79 of 510 comments

  1. Doesn't sound so bad by rwa2 · · Score: 5, Insightful

    That's pretty much already corporate policy at the last two major places I've worked for a few years now. It would be nice if the government starts treating that data the same way.

    In fact, it would also be nice to mandate encryption and signatures for email so there will be no more unsolicited spam. And finally it would be great if no one was allowed to open up a line of credit without my cryptographic signature so I wouldn't have to protect my SSN, birthdate, and mother's maiden name like it was some sort of safety deposit box combination.

    1. Re:Doesn't sound so bad by TheRaven64 · · Score: 5, Informative

      You know, all of the use cases you describe can be supported by ticking the 'encrypt' checkbox that Windows NT has had since version 4, or by storing commercial data on an encrypted partition, which pretty much all modern(ish) operating systems support. It's really not hard, and is probably the minimum that a small business should be doing anyway.

      --
      I am TheRaven on Soylent News
    2. Re:Doesn't sound so bad by FuckingNickName · · Score: 2, Informative

      Install Truecrypt; set up on system drive.

      It's fairly shockingly idiot proof for a free and supposedly strong encryption solution.

      Or Bitlocker if you have Ultimate, maybe.

      Or VileFault if you must use a Mac.

    3. Re:Doesn't sound so bad by jhoegl · · Score: 3, Insightful

      So.... Encryption is a big headache for small businesses?

      There are free encryption tools out there. The "headache" would probably be for IT, because encryption means if you didn't back it up you lost it. If you forgot the PW, you lost it; if that person leaves and doesn't give you the PW, you can sue them, but you lost it.

      One thing I have noted in my "small business" IT jobs: if you don't take IT seriously and stick them in a windowless room in the basement like you would a janitor, you will not succeed in your business. A small business treated me like I was lost revenue instead of like a member of the company; they lost me and they regret it to this day. But this company is a medical billing business, where HIPAA was a daily worry. I figured it out.

      Kind of went off on a tangent there, but the point is small businesses have it better than large companies. It's not hard to encrypt; it's hard to keep track and train how to use.

    4. Re:Doesn't sound so bad by maxume · · Score: 2, Insightful

      Yeah, it's way less damaging when your personal information is stolen from a small business.

      --
      Nerd rage is the funniest rage.
    5. Re:Doesn't sound so bad by sustik · · Score: 2, Informative

      Do you mean an OS upgrade? Since your encrypted volume is separate and backed up I fail to see the hardship.

      The OS corrupting your data - due to a virus or bug - is more pain because you may not notice the corruption until recovering from backups means losing some of the latest data.

    6. Re:Doesn't sound so bad by sustik · · Score: 3, Informative

      > People email orders to her.
      > Not payment information, just name and delivery address+order.
          ^^^^^^
      > But a name and address is personally identifiable. Does that mean she h

      No it does not. Read the text of the law, it will relieve your anxiety!

    7. Re:Doesn't sound so bad by Theaetetus · · Score: 2, Informative

      It's one thing for anyone whose core business is on-line selling, let alone a corporation. But don't think like them. Suppose you run a local used bookstore that's willing to ship books to customers out of the area, or are a musician who is happy to supplement performance income by selling that self-recorded CD? You handle the orders with PayPal, but have you really encrypted that customer list you used to keep in a notebook but is now in Excel? Have you even thought of it?

      Does that customer list include the customer's social security numbers? How about their drivers license numbers? No, obviously not, and if your bookstore collects that information, you should be on the hook.
      What about their credit card information? Now, you're into the PII stuff, and you should encrypt it. Or don't store it - what are you doing with it anyway? You handle orders through Paypal, as you said, which means that you should never be seeing their credit card information.

      Finally, how about their addresses? You need their mailing address and email so that you know where to ship and can contact them for receipts and information regarding upcoming sales, right? Well, don't worry... under the new law, those aren't PII. You have no worries.

      Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
      (a) Social Security number;
      (b) driver's license number or state-issued identification card number; or
      (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;

      provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

      See? It's really not quite as bad as it seems.

    8. Re:Doesn't sound so bad by Theaetetus · · Score: 2, Insightful

      It seems like they really do mean just about everyone. Within a year we'll start seeing stories about how part-time small business people doing exactly what you described are the new source of major data breaches, because their Excel files and whatnot are being stolen via trojans and viruses.

      What is a neighborhood dry cleaner doing storing my credit card information and/or social security number in an Excel file anyway?

    9. Re:Doesn't sound so bad by Theaetetus · · Score: 4, Informative

      They are more likely storing your name and phone number so they can call you when your trousers are ready for pickup. Since that's Personally Identifiable Information, they will apparently have to encrypt that.

      No, it isn't, and no, they won't. PII is defined in the law. You've read the law, right? It does not include your phone number, or even your address. It's your social security number, driver's license number, credit card number, or bank account number. And your dry cleaner shouldn't be keeping that information.

      That could be quite a burden on small businesses like dry cleaners, and plumbers whose wives make up the invoices and send them out at the end of the month.

      First, plumbers may have husbands who send out invoices for them.
      Second, if those small plumbing businesses are storing customers' social security numbers, drivers license numbers, credit card numbers, or bank account numbers, then they damn well should be encrypting that data.

    10. Re:Doesn't sound so bad by phoenix321 · · Score: 4, Funny

      On the other hand, disgruntled admins now have not only their old rm / -f weapon of mass destruction, but the ultimate superweapon of doom.

      Corporate risk management will now become a nightmare, when 2.5 million names in a database equal 12.5 billion USD in damages if leaked. All these names fit on a 128 MB USB stick. Uncompressed. An LZMA2 7z file will probably be around 30 MB. 12.5 billion USD in damages caused in 0.5 seconds over a T1 by one admin gone rogue.

      I fully expect admins now to have tenure for life. They will probably never be fired anymore, only taken behind the barn and shot.

    11. Re:Doesn't sound so bad by fm6 · · Score: 3, Informative

      Stupid law. It means, for example, that you can no longer keep an email in unencrypted form.

      This is why you should never ask Slashdotters for legal advice. Not only are they not lawyers, they overestimate their psychic abilities, and are willing to interpret a law based on a third-hand summary.

      Neither TFA (actually a blog by somebody who's using this kerfuffle to encourage people to move to Microsoft SQL Server) nor the original Information Week article is specific as to who this law applies to. I found the text of the law online:

      http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

      Remarkably readable for legislation. It applies to anybody who "receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment." So your email is OK.

      Despite what TFA says, I don't see anything that would require anybody to encrypt their databases. The encrypted transmission requirement is there, but it isn't as if SSL is rocket science. But the biggest misinformation in TFA is what has to be protected. Somebody's first and last name isn't sensitive unless it's transmitted or stored "in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number". It then goes on to say that any information that's in the public record is not sensitive and does not need to be protected.

      All in all, a pretty reasonable law that merely mandates practices that are already standard at many companies — including Facebook.

    12. Re:Doesn't sound so bad by BZ · · Score: 2, Informative

      > Actually, I read the article that was referenced in the summary, and the article that was
      > referenced in that article. Neither one said anything like what you just posted.

      As usual on most topics, the articles are more or less complete bullshit. The text of the law (all 4 pages of it) is at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf and the definition you want is on page 2 under "Personal information" in the alphabetical list of definitions.

      What I find scary, really, is that any time I see an article on a topic I know something about it's pretty bogus. Do I really have any indication that the press does better on topics I _don't_ know about? :(

  2. About fucking time. by wiredog · · Score: 4, Insightful

    Now maybe if they actually enforce it businesses will get the idea that they should protect the data.

    1. Re:About fucking time. by Sandbags · · Score: 2, Informative

      Actually, that's already been upheld in federal courts. States DO have the right to collect taxes for cross-state purchases for their residents, and CAN regulate business transactions with their residents. This is a nominal extension of that power, and quite likely completely legal. Enforcing it directly outside their borders (e.g. inspecting corporations, or mandating standards)? Likely no, but this regulation does not do that. This is a fine levied on a data breach, and that CAN be collected across state lines.

      --
      There is no contest in life for which the unprepared have the advantage.
  3. Thanks for the math! by hansraj · · Score: 3, Funny

    It would have been very difficult for us to figure out how much the fine would be if you lost the records of 1000 people.

    It would have been nicer though if you gave us another example. How much would the fine have been for losing records of 2000 people?

    1. Re:Thanks for the math! by Anonymous Coward · · Score: 2, Funny

      I'm sure you could get a discount for large quantities.

  4. What's so scary about this? by MartinSchou · · Score: 4, Insightful

    What is so scary about this?

    With a high cost of PII, there is now an economic incentive for companies to actually give a rat's ass. It's the same kind of incentive that is used to make sure companies don't just dump toxic chemicals in kindergarten sandboxes.

    1. Re:What's so scary about this? by El+Lobo · · Score: 3, Insightful

      It IS scary because extremes are always bad. Yes, it sounds politically correct here on /., privacy, bla bla bla, but when you just are going to extremes like the need of encrypting *public* and easily available information like, say, the name of a person, which is also available (with even more details) in your favorite telephone directory, you are not being "good". You're being ridiculous.

      I understand the need of encrypting credit card numbers, etc, but too much is too much.

      In Sweden it is illegal to publish any information about who the owner of a vehicle is, for example. Yet it is perfectly legal to send an SMS to the traffic authorities to get the same info. Go figure.

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    2. Re:What's so scary about this? by Anonymous Coward · · Score: 4, Informative

      No, this law is not "too much". Slashdot makes it look like "too much" because the article summary is incomplete and misleading.

      This law only applies to certain databases that should have been encrypted anyway.

  5. Phone book by kjart · · Score: 3, Interesting

    I hope the phone company has deep pockets, because the phone book is full of first and last names and, last time I checked, it was totally unencrypted!

    1. Re:Phone book by Anonymous Coward · · Score: 5, Informative

      A little googling finds the text of the law:

      Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

      So it looks like phone companies are safe.

    2. Re:Phone book by EvanED · · Score: 2, Funny

      You mean Slashdot posted an incorrect and sensationalist summary? Say it ain't so!

  6. A pain to implement, but.. by Improv · · Score: 3, Insightful

    This seems pretty sensible. Given how many people are hurt by these things, this seems like a reasonable standard for future industry practice, and the fines hammer home the idea to the companies that "oops, sorry!" isn't the level of seriousness these things should be given. I imagine most of the time these breaches are against the privacy promises the companies make anyhow.

    The only downside is that the fine is kind of daunting for people who would like to enter a relevant market, although... perhaps it's analogous to car manufacturers being liable for poor design of their products - when they fail, it can be a big deal.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  7. Definition of PII from the text of the law by kgo · · Score: 5, Informative

    """
    Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
    """

    So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.

    --
    Can you construct some sort of rudimentary lathe?
    1. Re:Definition of PII from the text of the law by noidentity · · Score: 2, Funny

      I'm glad I don't live in Massachusetts, because I have my full name, social security number, driver license number, and financial account numbers stored unencrypted in my house (and I don't have $5000 in the financial account to cover the fine). Phew.

    2. Re:Definition of PII from the text of the law by julesh · · Score: 4, Interesting

      So this doesn't apply to places like slashdot and facebook.

      Or, indeed, to 95%+ of small ecommerce businesses. As a consultant, I've always recommended to my clients that they hand off processing credit cards (for example) to one of the services that'll do it securely without them ever seeing the card number, in order to avoid any responsibility for looking after the data.

  8. Re:This'll get shot down by zarthrag · · Score: 2, Interesting

    That's already started to go south with online sales tax. Simply doing business with a resident of the state is enough of an opening to allow the state to preserve the rights of their citizens. The only way to circumvent that would probably be to not do business there (i.e. void where prohibited.) Though, I must say, this is a GOOD thing.

    --
    Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
  9. It's about time by barius · · Score: 4, Insightful

    Sounds awesome to me. This should have been made law in every state/country a long time ago. Now if they would just make it law that all companies must provide an easy and thorough means for any individual to expunge their details from company records (I'm looking at you Facebook) then I might finally be able to stop that little bit of throwing up in my throat I get every time a company asks for my email address.

  10. Not really by Anonymous Coward · · Score: 5, Informative

    Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose

    Summary and article fail.

    Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
    Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
    The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
    Everything else states "reasonable security precautions" (aka: access control/passwords).

    But don't take my word for it, read it yourself (it's only 4 pages).

    (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
    [...]
    (5) Encryption of all personal information stored on laptops or other portable devices;

    - Mass CMR1700 (the only occurrences of the word "encrypt")

  11. Scarier not to by starfishsystems · · Score: 4, Insightful

    It's scarier to contemplate that such information is so often exposed as a matter of routine carelessness.

    On the other hand, it's not clear what to do about the classic perimeter problem. Sooner or later, somewhere, the encrypted data has to be processed or presented in plaintext. The key and the data have to be brought together. Now we've converted the problem of securing the data to the problem of securing the key - probably many keys in practice - and the systems on which those keys reside - probably many systems.

    --
    Parity: What to do when the weekend comes.
  12. !Micro-management by cmholm · · Score: 5, Interesting

    I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law (220 kB PDF) doesn't even mention https. So, I think the legislation's level of detail is appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.
    1. Re:!Micro-management by maxwell+demon · · Score: 5, Funny

      Does rot13 encryption suffice?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:!Micro-management by narcberry · · Score: 4, Funny

      Just do it twice to be sure.

      --
      Modding me -1 troll doesn't make me wrong.
  13. rot26 by houghi · · Score: 2, Funny

    Does rot26 count as encryption?

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:rot26 by grcumb · · Score: 2, Funny

      Does rot26 count as encryption?

      Xor( Xor( NO ) )

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  14. Storage of encryption key? by vlm · · Score: 3, Interesting

    Any specifics for encryption key storage? How bout another column in the DB? That seems a likely implementation, very convenient and all that. Or we could just hardcode it to something memorable "password".

    Any specifics for encryption scheme? I've heard ROT-13 is fast, but XOR is faster.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Storage of encryption key? by takev · · Score: 5, Funny

      If it is something Alice and Bob are likely to do it is encryption.

  15. What about IPSec? by loufoque · · Score: 2, Informative

    Sending PII over HTTP instead of HTTPS? That's a big no no.

    Even if you're using IPSec?

  16. Re:This'll get shot down by Gr8Apes · · Score: 2, Informative

    The thing is, I'm not a resident of MA and MA has no rights to enforce any laws where I live, as I'm outside their jurisdiction.

    Last time I checked, if I do happen to do business with a MA resident, MA still has 0 rights regarding any such business as it would be interstate commerce, which is solely controlled by the federal gov per the Constitution.

    However, I do agree that companies need to be held to stricter standards regarding personal information and probably should be handled by the feds sooner than later.

    --
    The cesspool just got a check and balance.
  17. Looks like an example of a smart regulation by Presence1 · · Score: 3, Interesting

    I'm glad to hear that at least one state is starting to implement a reasonable law. Between corporations too cheap to pay for systems that implement even a hint of real security, and perhaps a few lazy developers, we have a mess on our hands. I don't really understand the "yikes" exclamations in TFA. At least now there are some consequences for being so sloppy with your and my data.

    My approach to coding web apps is that we are playing theater in the round -- playing to at least three audiences at once. In any pool of users, you have Group-1) probably 98% of users in various states of computer illiteracy for whom you need a very well thought-out UI that gets them through the app with no errors (and good recovery *when* they make errors), you have Group-2) 2% users that have a clue and want things really streamlined, and you have Group-3) a half-dozen bunches of malicious crackers.

    All three groups are always present, and you cannot ignore any of them. Ignore Group-1, and you'll pretty much have no audience. Ignore Group-2, and you drive off the 'experts' to whom much of Group-1 looks for advice, and you'll consequently lose not only Group-2 but also a lot of Group-1. Ignore Group-3 and you'll get cracked and mess up a lot of people's lives by losing their data, and/or you'll get embarrassed.

    Unfortunately, too many buyers and devs of software ignore Group-3 because of costs, and the "it'll never happen to us" attitude. They need this kind of stick to nudge them towards doing the right thing.

    I come from a very libertarian perspective, and I hate excess regulation, but I'm smart enough to know that the magic Market alone does not fix everything; it needs some smart regulation to prevent excesses or omissions, and it appears to me that this is an example of such good regulation (presuming that they haven't screwed up the details).

  18. TFA got a very important detail wrong by walmass · · Score: 4, Informative

    If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it’s persisted.

    Incorrect. The author either did not do any research at all, or got the definition of PII horribly wrong as far as this law is concerned. The directive that sets the standard based on the law states:

    Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

    It is abundantly clear that a person's first and last name alone does not constitute PII; an SSN, financial account number or some other not-so-public information is also required.

  19. Interstate Commerce by aitikin · · Score: 2, Insightful

    I think this is a great idea; however, I bet that some idiot will not find out about this law, not follow it, lose the data for, say, 50 people, get fined and then fight it (because it's cheaper than the fine), and then find it in front of a US court which will idiotically deem it unconstitutional because it interferes with interstate commerce.

    [Congress has power] To regulate Commerce with foreign Nations, and among the several States, and with the Indian tribes;

    ~Article I, section 8, clause 3, United States Constitution.

    --
    "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  20. Read the law yourself, four pages pdf by h00manist · · Score: 2, Informative
    --
    Build your own energy sources from scratch. http://otherpower.com/
  21. THIS IS A FARCE by Lord+Ender · · Score: 5, Insightful

    Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.

    But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protect against physical theft of the servers, not against hacking.

    The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.

    Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:THIS IS A FARCE by Ire · · Score: 2, Insightful

      Simple solution. Encrypt the sensitive information before storing it in the database. Leave all of the other information unencrypted. You don't need to search by the sensitive fields anyway, so the inability to index them doesn't matter.

      Use filesystem/OS level support for locking down the key on the system that needs to be able to decrypt it, so that only the account/application authorized to access it can. That limits the vulnerabilities to a single system. Even once on that system it is limited to "root" and the actual application.

      Now you may safely let any number of insecure systems query your database. You can use trivial database backup schemes with no additional encryption. You don't need to worry about the physical security of those backups. Since you only need to backup the key when you first generate it, there is never any danger of the key and backup data being lost together in transit.

      There is no speed penalty anywhere in the system except the sensitive parts.

    2. Re:THIS IS A FARCE by pem · · Score: 4, Insightful

      ... server encryption is absurd because it can only protect against physical theft of the servers, not against hacking.

      No, it also protects the rest of us against idiots who sell old hard drives on ebay.

    3. Re:THIS IS A FARCE by EdIII · · Score: 2, Insightful

      But encryption of live servers and databases is a farce.

      It's not even possible. The example the article gave of a thousand users is cute, as in, "awwwww that's so cute". I am pretty sure a lot of people in the real world are dealing with databases with +2 million records. Personally, I have dealt with over 250 million records.

      One of the biggest failures people make just starting out is not planning to scale. That's why some low end database products grind to a halt getting above even 50k records.

      There is simply no way with our current resources we could encrypt data in the individual fields in databases and maintain any level of performance with indexes, primary keys, constraints, etc. You might as well throw the ability to search out the window.

      You are quite right about the hacking. Even if all of your data is encrypted that hardly protects you against an SQL injection attack.

    4. Re:THIS IS A FARCE by flajann · · Score: 5, Insightful

      Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.

      But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protect against physical theft of the servers, not against hacking.

      The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.

      Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.

      Agreed. I'm a MySQL guru (among other things), and I can't see keeping names and email addresses encrypted in the database on the server. Credit card numbers and other sensitive foreign account numbers? Absolutely. But what they are asking for is a joke. And what? The entire world would have to change how it stores things on its servers just to appease Massachusetts? Gee, if every territory starts lobbing its own rules about how the world should handle data of its residents/citizens, you can just kiss the Internet good-bye.

      What this all means though is that the small startup/merchant/mom-and-pop Internet operations will find it more and more expensive to swim in these waters infested with little fiefdoms everywhere with delusions of hegemony.

      Then again, it's always dangerous when politicians -- especially local ones -- try to legislate anything on the global Internet. Some years back some idiot New Hampshire legislator tried to impose a tax on -- are you sitting down? -- email. Can you believe it?

    5. Re:THIS IS A FARCE by eihab · · Score: 5, Informative

      But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protect against physical theft of the servers, not against hacking.

      I'm not a lawyer and I didn't read the entire law that was passed (grain of salt, etc.), but from my layman interpretation nothing in here says that you have to encrypt data on your live servers.

      The penalties are assigned based on breaches, that is, if someone hacks into your server and steals Massachusetts residents' records, you owe $5k for each non-encrypted record that was stolen (as well as notify the person and the state). Also if you have employees taking un-encrypted data off site on laptops that get stolen, similar penalties apply if the laptop was stolen.

      Make sure your servers are secure, up to date, and firewalled, encrypt roaming laptops and you'll be fine.

      If my understanding is correct, I think this is a great law. If more states implement it, we won't have companies leaving sensitive data on laptops that get stolen because of a careless contractor/employee.

      The damages to a company would be so real and enormous that they will have to implement stringent security protocols, or one breach can very possibly take them out of business.

      --
      If you can't mod them join them.
    6. Re:THIS IS A FARCE by KDR_11k · · Score: 2, Insightful

      Sounds to me like the fines only apply if the data is actually compromised. The obvious answer would be: Don't let that data get compromised!

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    7. Re:THIS IS A FARCE by GNUALMAFUERTE · · Score: 4, Insightful

      I agree 100% with you. Encrypting is very important, but more important is UNDERSTANDING what encryption is. These guys think if you magically apply DSA/Elgamal over your data, then it's secure. It's the same kind of delusion that development companies have with DRM. They added an if() somewhere in their code that checks a stupid key, and they believe that keeps them safe. It doesn't matter how much you encrypt your data, if you are going to access it eventually in an automated way, that is not going to protect you in any way. Encrypting the data and hardcoding the key in your app means nothing.
      Also, keeping certain information encrypted on the DB is just crazy. Doing a complex JOIN with multiple tables and a few LIKEs when you have a table with 200 million records is complex and resource intensive enough, adding encryption in every motherfucking field to that is only adding insult to injury.
      I manage a pretty complex setup of distributed asterisk servers, with replicating SQL DBs across 3 countries. CC data is only stored on the US server, and the key to decrypt them is not on the server, it's stored securely on another workstation, encrypted with yet another 4096 DSA/Elgamal key that I only have in yet another location. I only enter it once a month for billing purposes, and it only stays in RAM as long as the server is processing the monthly payments. I am a conscious coder, and I take privacy and security very seriously, but this law is just ridiculous.

      --
      WTF am I doing replying to an AC at 5 A.M. on a Friday night?
    8. Re:THIS IS A FARCE by Attila+Dimedici · · Score: 2, Insightful

      What this all means though is that the small startup/merchant/mom-and-pop Internet operations will find it more and more expensive to swim in these waters infested with little fiefdoms everywhere with delusions of hegemony.

      What, you thought this law was passed for some purpose other than that? Laws like this serve two purposes: One, to be able to put a sound bite into ads and two is to help big companies keep small competitors out of the field.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    9. Re:THIS IS A FARCE by dingman · · Score: 2, Informative

      There is one other case where disk encryption on a server could be useful, though it is not widely applicable: if you have a need to be able to rapidly destroy data, say in the event of a physical security breach. Having data stored on encrypted storage devices can mean that to render the data on the drives unrecoverable only requires wiping the header region of the encrypted block device. That, in turn, means wiping at most a few KB instead of several GB, and thus the difference between many passes in mere seconds and hours for a single pass.

      Having said that, this is probably primarily of significance to military, intelligence, and criminal organizations. Few others are likely to be faced with the need to destroy large volumes of data on very short notice.

      (If you care about why, this is because most/all disk encryption systems use a randomly-generated master key to encrypt the data on the disk. A copy of that master key is then stored in a header, encrypted with the password or passwords known by the user. No plaintext copy of the master key exists, so to access the data you have to provide the user-known password and use it to decrypt the master key. Changing the password can then be done simply by re-encrypting the master password, rather than by re-encrypting the entire drive. If the encrypted copy of the master key is destroyed, then it doesn't matter how many people you torture to get the password, it's still useless for decrypting the data on the disk.)
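      The key hierarchy described in the parenthetical above, as an added illustration (not any real product's on-disk format, and not code from the poster): a random master key encrypts the bulk data, the header holds that master key wrapped under a passphrase-derived key, a passphrase change only rewrites the header, and wiping the header makes the ciphertext unrecoverable. It also illustrates the earlier key-management point that the master key is never stored in the clear next to the data. The SHA-256 keystream cipher and the iteration count are constructed stand-ins for AES-XTS and a production KDF setting.

```python
"""Disk-encryption header key hierarchy (added example; a toy stand-in for
real formats such as LUKS, used only to show the key management structure)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

KEY_LEN = 32
KDF_ITERS = 100_000  # constructed PBKDF2 work factor, not a recommendation


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher: SHA-256(key || nonce || counter) blocks
    XORed with the data. Stands in for AES-XTS; not for real use."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS, KEY_LEN)


@dataclass
class Header:
    salt: bytes
    wrapped_master: bytes  # master key encrypted under the KEK
    mac: bytes             # lets a wrong passphrase be detected instead of yielding garbage


@dataclass
class EncryptedVolume:
    header: Optional[Header]  # None once the header region has been wiped
    nonce: bytes
    ciphertext: bytes         # bulk data, encrypted under the master key only


def wrap_master_key(master: bytes, passphrase: str) -> Header:
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    wrapped = keystream_xor(kek, salt, master)
    tag = hmac.new(kek, salt + wrapped, "sha256").digest()
    return Header(salt, wrapped, tag)


def unwrap_master_key(header: Header, passphrase: str) -> bytes:
    kek = derive_kek(passphrase, header.salt)
    expected = hmac.new(kek, header.salt + header.wrapped_master, "sha256").digest()
    if not hmac.compare_digest(expected, header.mac):
        raise ValueError("wrong passphrase or corrupted header")
    return keystream_xor(kek, header.salt, header.wrapped_master)


def create_volume(plaintext: bytes, passphrase: str) -> EncryptedVolume:
    master = os.urandom(KEY_LEN)  # the only copy lives wrapped inside the header
    nonce = os.urandom(16)
    return EncryptedVolume(wrap_master_key(master, passphrase), nonce,
                           keystream_xor(master, nonce, plaintext))


def read_volume(vol: EncryptedVolume, passphrase: str) -> bytes:
    if vol.header is None:
        raise ValueError("header wiped: master key unrecoverable")
    master = unwrap_master_key(vol.header, passphrase)
    return keystream_xor(master, vol.nonce, vol.ciphertext)


def change_passphrase(vol: EncryptedVolume, old: str, new: str) -> None:
    """Only the small header is rewritten; the bulk ciphertext is untouched."""
    master = unwrap_master_key(vol.header, old)
    vol.header = wrap_master_key(master, new)


def crypto_erase(vol: EncryptedVolume) -> None:
    """Wipe the header region: a few bytes gone, and every block is unrecoverable."""
    vol.header = None


if __name__ == "__main__":
    vol = create_volume(b"constructed sample record", "correct horse battery staple")
    print(read_volume(vol, "correct horse battery staple"))
    change_passphrase(vol, "correct horse battery staple", "second passphrase")
    print(read_volume(vol, "second passphrase"))
    crypto_erase(vol)
    try:
        read_volume(vol, "second passphrase")
    except ValueError as e:
        print("after erase:", e)
```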

    10. Re:THIS IS A FARCE by Sabriel · · Score: 2, Interesting

      Here's a kicker - this law apparently does not apply to the politicians themselves. From the FAQ at http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

      Does 201 CMR 17.00 apply to municipalities?
      No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

      So it seems if your little business gets its 100-member customer db hacked, you're out half a million dollars; if the State of Massachusetts gets its DMV records hacked, they pay you zilch... or am I reading this wrong?

    11. Re:THIS IS A FARCE by Sabriel · · Score: 2, Informative

      Update to my above post - apparently the government's security is covered by different-but-similar pieces of legislation, and not being a US resident I'm not about to go wading through it to find out where they've hidden the inevitable loopholes.

    12. Re:THIS IS A FARCE by LarryWest42 · · Score: 5, Informative

      Ask the author of the article where he got that notion from.

      That phrase does not appear in the law nor in Massachusetts FAQ.

      Nor does anything like it, except in reference to

      1. public networks
      2. wireless
      3. laptops & portable devices
    13. Re:THIS IS A FARCE by moortak · · Score: 2, Insightful

      Honestly, what would it matter if the law did apply to them? They would have to give themselves $5000 per record compromised, tell themselves about it, and tell the affected party (probably covered under different disclosure laws).

      --
      Xavier Rabourdin for president 2012
    14. Re:THIS IS A FARCE by mysidia · · Score: 2, Insightful

      Complexity such as that actually reduces security. Since managers and developers believe the 'compartmentalization' will save them, they are less concerned about writing secure code; due to risk compensation, they wind up with something less secure than if they had not encrypted DB data.

      Compartmentalization of that nature is just one of those things that sounds cool but has not been shown to actually tangibly improve security in reality.

      Increased complexity, and the poorer review of DB schema and database contents that results from it, can lead to poorer app performance and more DB-related security issues slipping through the cracks.

      In other words compartmentalization has a chance of improving security slightly in some cases, but in many cases it is very likely to have a negative impact on overall security, resulting in a less secure situation (although you will definitely feel more secure, even though you aren't, since you have shrouded your internal DB with an added layer of security --- which by the way, will make it hard even for the company themselves to analyze their own database and detect certain types of attack attempts).

    15. Re:THIS IS A FARCE by Sandbags · · Score: 2, Insightful

      1) corporations typically don't resell old hard drives that were once in servers. Many of them get returned at lease end, the rest are of little value as used components having run constantly for 4-8 years under load.
      2) Most server HDDs don't go in computers. We use almost exclusively FC and SCSI disks, and a lot of SAS now as well. These drives are 10K or 15K, make a shit load of noise, and
      3) RAID controllers obfuscate the data. You'd need a near complete RAID set to be able to reconstitute the data after buying or finding a used disk drive. If the disks were in a SAN chassis, it's even worse as deduplication, horizontal and vertical striping, and thin provisioning make it virtually impossible to rebuild the system from a collection of disks unless you had the entire SAN system (which are never resold, they're almost always on lease, or are bought out and used as back-end systems for low priority data or copies of data).
      4) Under HIPAA, SOX, DOD STIGs, and more standards, HDDs that contained PHI, PCI, or other sensitive data must be scrubbed to government standards before being disposed of. For us, that means full electronic erasure using an approved government tool, followed by drilling not less than 3 holes in the platters!

      This standard makes sense for laptops and other portable systems and databases. It also makes sense for backups, which are mostly linear data and easy to decipher with the right drive and software. You'll also notice the law is written to fine people for BREACH, LOSS, and EXPOSURE, but says nothing about fining corporations that simply do not "comply" with the standards. The data actually has to be lost in order to be fined. We DO use secure authentication systems (dual factor for most PHI data access) and regardless of whether or not the SQL, DB2 or Oracle systems were encrypted, if the user authenticates, the server will happily decrypt and access the data.

      What would have made a lot more sense for MA in this case was simply to demand strict data access (physical) requirements, background screenings, corporate policy for drive and tape and server disposal and scrubbing, but then, they'd not be doing anything the federal government did not already require for those of us hosting medical, credit card, or other private and secure data... We're already bound by these standards...

      --
      There is no contest in life for which the unprepared have the advantage.
  22. Personal Information Definition by WPIDalamar · · Score: 2, Insightful

    From the law, personal information is defined as:

    Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

    So just a first+last name isn't enough to incur the wrath of the law. It has to be that, plus SSN, Lic Number, or financial account number.

    But from how I read that, it has to be the first name, last name, plus one of those. Does that mean I can store a list of social security numbers plus last names completely unencrypted and be off free? Odd.

  23. Warning: Microsoft EFS can cause data loss. by Futurepower(R) · · Score: 4, Informative

    See this comment from 2005: EFS & stand-alone computers? Can you make it work?

    TrueCrypt is reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux. The TrueCrypt documentation is very good, but not perfect. TrueCrypt can make an encrypted drive letter or encrypt an entire partition, even the boot partition.

    Only open source encryption should be accepted, since the U.S. government has decided it can force executives of corporations to work in secret to help gather data from or about users. If software is not open source, there may be hidden methods of decryption.

  24. Re:Probably only applicable to Mass due to interst by Theaetetus · · Score: 4, Informative

    This will ultimately probably only end up affecting Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce which states expressly do not have the authority to legislate.

    Nope, this is only affecting in-state commerce with Massachusetts residents. And the states are absolutely allowed to pass laws that affect out-of-state businesses when they do business in the state. The only constitutional prohibitions on that are when the law is protectionist - imposes additional cost on out-of-state businesses that in-state business don't have to pay. Here, because the law applies equally to in-staters and out-of-staters, it isn't protectionist and isn't unconstitutional.

  25. No, they don't by Theaetetus · · Score: 4, Informative

    The FAQ for the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

    Please note, this FAQ contains personally identifiable information - First and last names, job titles, address of employment, phone and fax number, of Governor Deval L. Patrick, Lieutenant Governor Timothy P. Murray, Secretary of Housing and Economic Development Gregory Bialecki, and Undersecretary Barbara Anthony. It was obtained by http - NOT https, as required by the law.

    The only reason THEY can get away with it is because ... guess what ... government agencies are excluded. "Do as I say, not as I do."

    Cripes, dude. You link to the full text of the law, but apparently never read past the URL.
    First, that is NOT personally identifiable information. As has been said in many posts, and as is listed in your links:

    [Definition of] Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
    (a) Social Security number;
    (b) driver's license number or state-issued identification card number; or
    (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;

    See? You found names, job titles, addresses, and phone numbers, but no personal information listed in the law.

    Second, what's the very next farking sentence in the definition?

    provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

    See that? Government agencies are not excluded from the law... rather, information lawfully obtained from government agencies is not personal information, which means that people who use it - like you - are not violating the law.

    The shocking part is the amount of effort you went to to find the text, the FAQ, and the compliance checklist, plus creating two Slashdot posts about it, and yet you never actually read any of it.

  26. Re:"Standard practice"... if you're an asshole by Anonymous Coward · · Score: 4, Informative

    How would your example be covered by the law:
    http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

    Personal information, [is defined as] a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

    So basically you'd be in the clear. Names and addresses are in the phone book / government public records. If your list contained the names and SSNs of the members, then you'd be violating the law, which is still slightly silly as SSNs *are not* supposed to be personal identifiers, but that's the world we've wound up with.

  27. Microsoft FUD by sjames · · Score: 3, Informative

    Yes, this really *IS* Microsoft FUD. Note how they fail to mention that it's social security, credit card info, etc that has to be encrypted, not their NAME or address for example. Also note how at the end of TFA they suggest you follow a link for your indoctrination on the encryption features of SQL Server 2008.

    Once you realize that it's just the usual credit card and banking related info that must be handled securely, you realize that the law is quite reasonable (though perhaps unenforceable outside of MA).

  28. This seems practical and pragmatic by NicknamesAreStupid · · Score: 4, Funny

    Are you sure a government came up with it?

  29. Re:"Standard practice"... if you're an asshole by Anonymous Coward · · Score: 2, Informative

    Again, back to the law:

    Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account...

    Creating the list you describe is perfectly legal on any computer. Only if you include SSN, DLN, or financial information and send it to someone are you in violation of the law.

  30. How about we link to someone who's not an MS shill by Rix · · Score: 3, Informative

    Like this?

  31. It doesn't say JUST the name. by sesummers · · Score: 3, Informative

    I just read the law. It defines personal information as: ...a Massachusetts resident's first name and last name or first initial and last name IN COMBINATION WITH any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number... [capitalization mine, for emphasis.] IOW, a customer database is fine - it doesn't have to be encrypted, unless you also store the customers' Social Security numbers, driver's license numbers, or credit card data. Without any of that stuff, you're just storing data you could have obtained from scanning a phone book.

  32. I couldn't disagree more by Anonymous+Brave+Guy · · Score: 5, Insightful

    I'm sorry, but I strongly disagree with your position on almost every count.

    Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.

    Secondly, I think you (and several other DB admins and such in this Slashdot discussion) are far, far too casual about this subject. In my country, we have had a string of mismanagement or outright leaks of sensitive personal data in recent months. The number of people who have wound up losing money or suffering long-term hassle just to set their records straight is absurd, and rising every day. A $5,000 fine per leak is nothing compared to the hassle and indirect costs of someone suffering identity theft, even if they get everything put right in the end and recover their direct losses. To one side, it's several months of hell to get your identity back. To the other, it's a mere business expense, a footnote on page 172 of the annual financial statement.

    In my not so humble opinion, both business and governments need to learn this lesson, and I have absolutely nothing against sending a business to the wall if it collects personal information but fails to secure it properly. We have allowed more-or-less unrestricted collection of personal data for a few years, easily long enough for the industry to get its act together. The result has just been organisations hoarding personal information about people for reasons that are entirely self-serving, pretty much all of whom could just die and make the world a better place anyway, and the string of screw-ups I mentioned before from many organisations that do have a legitimate reason to hold that sort of data.

    It is time for organisations that think this is OK to be taught otherwise, and frankly these fines are on the light side. I would have preferred an additional statutory duty of care with unlimited liability to cover the cost of putting right any damage done to an individual following a leak. Go ahead and reevaluate your security protocols and whether it is really impossible to do these things or just inconvenient/expensive, when the other side of the inequality you're testing looks like an 8 on its side instead of a $10 per person class action settlement.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:I couldn't disagree more by Corbets · · Score: 3, Interesting

      I'm sorry, but I strongly disagree with your position on almost every count.

      Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.

      While I don't disagree with your post, I wonder just how many large European businesses you've worked for. I'm a consultant in this field, and have quite a few clients who are multinational. While a minority make efforts to stay in compliance with such data privacy laws, such as by keeping PII in the country of origin, a vast majority have no idea where their PII is stored or transmitted. They think data privacy doesn't really apply to them because they don't keep credit cards, and they don't understand the nature of Safe Harbor agreements or what, exactly, is covered therein.

      Data privacy is important, and probably needs to be legislated at some level, but don't go telling people that simply because it's the law here, companies actually comply with it.

    2. Re:I couldn't disagree more by apparently · · Score: 2, Informative

      I think the GP's problem, and mine as well, is that the type of information that they're demanding be secured is simply stupid. Yes, encrypt account numbers. Yes, encrypt passwords. No (reasonable) person is disagreeing with that. But names? Addresses? This is all publicly accessible information.

      You don't understand the law. The law defines Personal information as: "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number"

  33. Maybe EFS is fixed now. by Futurepower(R) · · Score: 2, Informative

    Possibly EFS was fixed in Windows 7. Before that, part of the encryption key was the Windows user password and a key generated specifically for that installation of Windows.

    For a discussion of the issues, read page 5 of this PDF file from Elcomsoft, which I just found: Advantages and disadvantages of EFS.

    Elcomsoft is a famous Russian company. Quote from Wikipedia: "On July 16, 2001, Dmitry Sklyarov, a Russian citizen employed by ElcomSoft who was at the time visiting the United States for DEF CON, was arrested and jailed for allegedly violating the United States DMCA law by writing ElcomSoft's Advanced eBook Processor software. A landmark court case ensued, setting precedents and attracting much public attention and protest. On December 17, 2002, ElcomSoft was found not guilty of all four charges under the DMCA."

    The problems with EFS were acknowledged by Microsoft employees. People have discussed losing data on Microsoft professional discussion boards. Elcomsoft sells software designed to recover data lost because of the poor design of EFS.

  34. Read the law: no broad mandate by LarryWest42 · · Score: 5, Informative

    eihab seems to have it right.

    IANAL, either, but I did read the whole law and there is no broad encryption mandate as the SQL Mag author claimed.

    The encryption-related sections of the law that I can find (17.04 (3) & (5)) actually mandate:

    • “(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.”
    • “(5) Encryption of all personal information stored on laptops or other portable devices;”.

    In other words, if you send data over public networks, or wirelessly, or store it on laptops, you should encrypt it. Excuse me for not getting excited about this.

    Law: 201 CMR 17.00 reg

    FAQ: 201 CMR 17 faqs

    The whole thing seems pretty sensible overall.

  35. amen! by Weezul · · Score: 2, Funny

    Yes, a completely reasonable law, that just outlawed facebook. :) sounds like progress to me!

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  36. Re:Wrong, wrong, wrong by Xugumad · · Score: 2, Informative

    Agreed. I just read 201 CMR 17.00 (it's 4 pages, and really not that scary: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf )

    Two really important points; encryption on disk means if it's on a portable device such as a laptop, not on a server in a secure location. Encryption in transfer means if it's going over a public network (such as the Internet) - in theory, it wouldn't even cover traffic within a corporate LAN.

  37. Denormalize Work Around by SkydiverFL · · Score: 2, Funny

    Hmmm... just a thought... NOT a recommendation...

    Since "personal information" is the "first name and last name" IN COMBINATION WITH any of the other items, could you just denormalize the tables to get around this? Stick the SSN or CC info in a second or third table. Since that data is not stored WITH (same table) the name of the card holder or account owner, then... well... you see where this is going.

    I guess it call comes down to what the meaning of "is" is. ;-)

  38. Dunning–Kruger effect by flajann · · Score: 2, Funny

    The Dunning–Kruger effect is a cognitive bias in which "people reach erroneous conclusions and make unfortunate choices but their incompetence robs them of the metacognitive ability to realize it."[1] The unskilled therefore suffer from illusory superiority, rating their own ability as above average, much higher than in actuality; by contrast, the highly skilled underrate their abilities, suffering from illusory inferiority. This leads to a perverse result where less competent people will rate their own ability higher than more competent people. It also explains why actual competence may weaken self-confidence because competent individuals falsely assume that others have an equivalent understanding. "Thus, the miscalibration of the incompetent stems from an error about the self, whereas the miscalibration of the highly competent stems from an error about others."[1] “In the modern world the stupid are cocksure while the intelligent are full of doubt.” — Bertrand Russell[2][3]

    Interesting reference. However, you hardly know anything about me, so perhaps you have fallen prey to the Dunning-Kruger effect yourself. :-)

    But while we're on the subject, let me continue.

    • I've been in the computer field for over 30 years. I got my start with the Apple ][, back in 1978, when I was 16. A couple of years later, I was writing an OS from scratch for the Micronova and Nova 4X computers (Data General). It was wicked cool stuff. And I was only 18.
    • My entire computer career shot off from there. I have never had formal education in Computer Science, and yet I've done just about everything you can imagine.
    • I know what I'm good at, as is demonstrated by what I've accomplished. I even have a software patent, though many here would decry such a beast -- as do I, in part. But hey, I got paid good money for it, so I went with it.

    Slash me to pieces for tooting my own horn. Actually, I only mentioned the "guru" bit in passing, as a short-hand for stating that I kinda know something about databases in high-demand environments, without having to spend an entire paragraph doing the same. If you want to pick it to death, go straight ahead and do so. Sheesh.

    However, despite all of that, I do find the Dunning-Kruger reference interesting. I have been back and forth many times with assuming everyone has my level of understanding, and thinking I'm a stupid idiot despite evidence to the contrary. These days, I simply call an ace an ace. I know what I can do, I know what I am capable of, so why be shy about it? Do I know everything? No. I would never claim such. However, if I do know something, what's wrong with just being honest about it? Why is it some get offended at this? I put in the Blood, Sweat, Tears, and Years getting to where I am. Should I not be proud of that? What does modesty buy me?

    I've had bloody enough of beating myself into the ground for this or that, and I refuse to do it anymore. I am an empiricist; I go by observations. And I have observed many others referring to me as "guru", "genius", "brilliant", and what not. Quite frankly, I don't think all of those monikers are deserved. But then, I should give myself credit for what I have accomplished.

    So sorry you are peeved. Actually, I'm not sorry that you are. That's your problem. Not mine.