Slashdot Mirror
Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"
That's pretty much already corporate policy at the last two major places I've worked for a few years now. It would be nice if the government starts treating that data the same way.
In fact, it would also be nice to mandate encryption and signatures for email so there will be no more unsolicited spam. And finally it would be great if no one was allowed to open up a line of credit without my cryptographic signature so I wouldn't have to protect my SSN, birthdate, and mother's maiden name like it was some sort of safety deposit box combination.
Now maybe if they actually enforce it businesses will get the idea that they should protect the data.
Best Slashdot Co
It would have been very difficult for us to figure out how much the fine would be if you lost the records of 1000 people.
It would have been nicer though if you gave us another example. How much would the fine have been for losing records of 2000 people?
What is so scary about this?
With a high cost of PII, there is now an economic incentive for companies to actually give a rats ass. It's the same kind of incentive that is used to make sure companies don't just dump toxic chemicals in kindergarten sandboxes.
I hope the phone company has deep pockets, because the phone book is full of first and last names and, last time I checked, it was totally unencrypted!
This seens pretty sensible. Given how many people are hurt by these things, this seems like a reasonable standard for future industry practice, and the fines hammer home the idea to the companies that "oops, sorry!" isn't the level of seriousness these things should be given. I imagine most of the time these breaches are against the privacy promises the companies make anyhow.
The only downside is that the fine is kind of daunting for people who would like to enter a relevant market, although .. perhaps it's analogous to car manufacturers being liable for poor design of their products - when they fail, it can be a big deal.
For every problem, there is at least one solution that is simple, neat, and wrong.
"""
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
"""
So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.
Can you construct some sort of rudimentary lathe?
Sounds awesome to me. This should have been made law in every state/country a long time ago. Now if they would just make it law that all companies must provide an easy and thorough means for any individual to expunge their details from company records (I'm looking at you Facebook) then I might finally be able to stop that little bit of throwing up in my throat I get every time a company asks for my email address.
Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose
Summary and article fail.
Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
Everything else states "reasonable security precautions" (aka: access control/passwords).
But don't take my word for it read it yourself. (it's only 4 pages)
(3)Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information to be
transmitted wirelessly.
[...]
(5) Encryption of all personal information stored on laptops or other portable devices;
- Mass CMR1700 (the only occurrences of the word "encrypt")
It's scarier to contemplate that such information is so often exposed as a matter of routine carelessness.
On the other hand, it's not clear what to do about the classic perimeter problem. Sooner or later, somewhere, the encrypted data has to be processed or presented in plaintext. The key and the data have to be brought together. Now we've converted the problem of securing the data to the problem of securing the key - probably many keys in practice - and the systems on which those keys reside - probably many systems.
Parity: What to do when the weekend comes.
I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law(220kB PDF) doesn't even mention https. So, I think the legislation's level of detail appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.
Luke, help me take this mask off
Any specifics for encryption key storage? How bout another column in the DB? That seems a likely implementation, very convenient and all that. Or we could just hardcode it to something memorable "password".
Any specifics for encryption scheme? I've heard ROT-13 is fast, but XOR is faster.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I'm glad to hear that at least one state is starting to implement a reasonable law. Between corporations too cheap to pay for systems that implement even a hint of real security, and perhaps a few lazy developers, we have a mess on our hands. I don't really understand the "yikes" exclamations in TFA. At least now there are some consequences for being so sloppy with your and my data.
My approach to coding web apps is that we are playing theater in the round -- playing to at least three audiences at once. In any pool of users, you have Group-1) probably 98% of users in various states of computer illiteracy for whom you need a very well thought-out UI that gets them through the app with no errors (and good recovery *when* they make errors, you have Group-2) 2% users that have a clue and want things really streamlined, and you have Group-3) a half-dozen bunches of malicious crackers.
All three groups are always present, and you cannot ignore any of them. Ignore Group-1, and you'll pretty much have no audience. Ignore Group-2, and you drive off the 'experts' to whom much of Group-1 looks for advice, and you'll consequently lose not only Group-2 but also a lot of Group-1. Ignore Group-3 and you'll get cracked and mess up a lot pf people's lives by losing their data, and/or you'll get embarrassed.
Unfortunately, too many buyers and devs of software ignore Group-3 because of costs, and the "it'll never happen to us" attitude. They need this kind of stick to nudge them towards doing the right thing.
I come from a very libertarian perspective, and I hate excess regulation, but I'm smart enough to know that the magic Market alone does not fix everything; it needs some smart regulation to prevent excesses or omissions, and appears to this is an example of such good regulation (presuming that they haven't screwed up the details).
Incorrect. The author either did not do any research at all, or got the definition of PII horribly wrong as far as this law is concerned. The directive that sets the standard based on the law states:
It is abundantly clear that a person's first and last name alone does not constitute PII, SSN, financial account number or some other not so public information is also required.
Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.
But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.
The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.
Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
See this comment from 2005: EFS & stand-alone computers? Can you make it work?
TrueCrypt is reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux. The TrueCrypt documentation is very good, but not perfect. TrueCrypt can make an encrypted drive letter or encrypt and entire partition, even the boot partition.
Only open source encryption should be accepted, since the U.S. government has decided it can force executives of corporations to work in secret to help gather data from or about users. If software is not open source, there may be hidden methods of decryption.
This will ultimately probably only end up affect Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce which states expressly do not have the authority to legislate.
Nope, this is only affecting in-state commerce with Massachusetts residents. And the states are absolutely allowed to pass laws that affect out-of-state businesses when they do business in the state. The only constitutional prohibitions on that are when the law is protectionist - imposes additional cost on out-of-state businesses that in-state business don't have to pay. Here, because the law applies equally to in-staters and out-of-staters, it isn't protectionist and isn't unconstitutional.
The FAQ for the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
Please note, this FAQ contains personally identifiable information - First and last names, job titles, address of employment, phone and fax number, of Governor Deval L. Patrick, Lieutenant Governor Timothyt P. Murray, Secretary of Housing and Economic Development Gregory Bialecki, and Undersecretary Barbara Anthony. It was obtained by http - NOT https, as required by the law.
The only reason THEY can get away with it is because ... guess what ... government agencies are excluded. "Do as I say, not as I do."
Cripes, dude. You link to the full text of the law, but apparently never read past the URL.
First, that is NOT personally identifiable information. As has been said in many posts, and as is listed in your links:
[Definition of] Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
See? You found names, job titles, addresses, and phone numbers, but no personal information listed in the law.
Second, what's the very next farking sentence in the definition?
provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
See that? Government agencies are not excluded from the law... rather, information lawfully obtained from government agencies are not personal information, which means that people who use it - like you - are not violating the law.
The shocking part is the amount of effort you went to to find the text, the FAQ, and the compliance checklist, plus creating two Slashdot posts about it, and yet you never actually read any of it.
How would your example be covered by the law:
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Personal information, [is defined as] a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.
so basically you'd be in the clear. Names and addresses are in the phone book / government public records. If your list contained the names and SSN of the members, then you'd be violating the law, which is still slightly silly as SSN *are not* supposed to be personal identifiers, but that's the world we've wound up with.
Yes, this really *IS* Microsoft FUD. Note how they fail to mention that it's social security, credit card info, etc that has to be encrypted, not their NAME or address for example. Also note how at the end of TFA they suggest you follow a link for your indoctrination on the encryption features of SQL Server 2008.
Once you realize that it's just the usual credit card and banking related info that must be handled securely, you realize that the law is quite reasonable (though perhaps unenforceable outside of MA).
Are you sure a government came up with it?
Like this?
I just read the law. It defines personal information as: ...a Massachusetts resident's first name and last name or first initial and last name IN COMBINATION WITH any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number...
[capitalization mine, for emphasis.]
IOW, a customer database is fine- it doesn't have to be encrypted, unless you also store the customers' Social security numbers, drivers license numbers, or credit card data. Without any of that stuff, you're just storing data you could have obtained from scanning a phone book.
I'm sorry, but I strongly disagree with your position on almost every count.
Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.
Secondly, I think you (and several other DB admins and such in this Slashdot discussion) are far, far too casual about this subject. In my country, we have had a string of mismanagement or outright leaks of sensitive personal data in recent months. The number of people who have wound up losing money or suffering long-term hassle just to set their records straight is absurd, and rising every day. A $5,000 fine per leak is nothing compared to the hassle and indirect costs of someone suffering identity theft, even if they get everything put right in the end and recover their direct losses. To one side, it's several months of hell to get your identity back. To the other, it's a mere business expense, a footnote on page 172 of the annual financial statement.
In my not so humble opinion, both business and governments need to learn this lesson, and I have absolutely nothing against sending a business to the wall if it collects personal information but fails to secure it properly. We have allowed more-or-less unrestricted collection of personal data for a few years, easily long enough for the industry to gets its act together. The result has just been organisations hoarding personal information about people for reasons that are entirely self-serving, pretty much all of whom could just die and make the world a better place anyway, and the string of screw-ups I mentioned before from many organisations that do have a legitimate reason to hold that sort of data.
It is time for organisations that think this is OK to be taught otherwise, and frankly these fines are on the light side. I would have preferred an additional statutory duty of care with unlimited liability to cover the cost of putting right any damage done to an individual following a leak. Go ahead and reevaluate your security protocols and whether it is really impossible to do these things or just inconvenient/expensive, when the other side of the inequality you're testing looks like an 8 on its side instead of a $10 per person class action settlement.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
eihab seems to have it right.
IANAL, either, but I did read the whole law and there is no broad encryption mandate as the SQL Mag author claimed.
The encryption-related sections of the law that I can find (17.04 (3) & (5)) actually mandate:
In other words, if you send data over public networks, or wirelessly, or store it on laptops, you should encrypt it. Excuse me for not getting excited about this.
Law: 201 CMR 17.00 reg
FAQ: 201 CMR 17 faqs
The whole thing seems pretty sensible overall.