Mass. Data Security Law Says "Thou Shalt Encrypt"

emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"

Doesn't sound so bad

[rwa2]

That's pretty much already corporate policy at the last two major places I've worked for a few years now. It would be nice if the government starts treating that data the same way.

In fact, it would also be nice to mandate encryption and signatures for email so there will be no more unsolicited spam. And finally it would be great if no one was allowed to open up a line of credit without my cryptographic signature so I wouldn't have to protect my SSN, birthdate, and mother's maiden name like it was some sort of safety deposit box combination.

Re:Doesn't sound so bad

[TheRaven64]

You know, all of the use cases you describe can be supported by ticking the 'encrypt' checkbox that Windows NT has had since version 4, or by storing commercial data on an encrypted partition, which pretty much all modern(ish) operating systems support. It's really not hard, and is probably the minimum that a small business should be doing anyway.

Definition of PII from the text of the law

[kgo]

"""
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
"""

So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.

Not really

Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose

Summary and article fail.

Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
Everything else states "reasonable security precautions" (aka: access control/passwords).

But don't take my word for it read it yourself. (it's only 4 pages)

(3)Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information to be
transmitted wirelessly.
[...]
(5) Encryption of all personal information stored on laptops or other portable devices;

- Mass CMR1700 (the only occurrences of the word "encrypt")

Re:Phone book

A little googling finds the text of the law:

Personal information, a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.

So it looks like phone companies are safe.

!Micro-management

[cmholm]

I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law(220kB PDF) doesn't even mention https. So, I think the legislation's level of detail appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.

Re:!Micro-management

[maxwell+demon]

Does rot13 encryption suffice?

THIS IS A FARCE

[Lord+Ender]

Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.

But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.

The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.

Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.

Re:THIS IS A FARCE

[flajann]

Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.

But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.

The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.

Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.

Agreed. I'm a MySQL guru (among other things), and I can't see keeping names and email addresses encrypted in the database on the server. Credit card numbers and other sensitive foreign account numbers? Absolutely. But what they are asking for is a joke. And what? The entire world would have to change how it stores things on its servers just to appease Massachusetts? Gee, if every territory starts lubbing its own rules about how the world should handle data of its residents/citizens, you can just kiss the Internet good-bye.

What this all means though is that the small startup/merchant/mom-and-pop Internet operations will find it more and more expensive to swim in these waters infested with little fiefdoms everywhere with delusions of hegemony.

Then again, it's always dangerous when politicians -- especially local ones -- try to legislate anything on the global Internet. Some years back some idiot New Hampshire legislature tried to impose a tax on -- are you sitting down? -- email. Can you believe it?

Re:THIS IS A FARCE

[eihab]

But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.

I'm not a lawyer and I didn't read the entire law that was passed (grain of salt, etc.), but from my layman interpretation nothing in here says that you have to encrypt data on your live servers.

The penalties are assigned based on breaches, that is, if someone hacks into your server and steals Massachusetts residents' records, you owe $5k for each non-encrypted record that was stolen (as well as notify the person and the state). Also if you have employees taking un-encrypted data off site on laptops that get stolen, similar penalties apply if the laptop was stolen.

Make sure your servers are secure, up to date, and fire walled, encrypt roaming laptops and you'll be fine.

If my understanding is correct, I think this is a great law. If more states implement it, we won't have companies leaving sensitive data on laptops that get stolen because of a careless contractor/employee.

The damages to a company would be so real and enormous that they will have to implement stringent security protocols, or one breach can very possibly take them out of business.

Re:THIS IS A FARCE

[LarryWest42]

Ask the author of the article where he got that notion from.

That phrase does not appear in the law nor in Massachusetts FAQ.

Nor does anything like it, except in reference to

1. public networks
2. wireless
3. laptops & portable devices

Re:Storage of encryption key?

[takev]

If it is something Alice and Bob are likely to do it is encryption.

I couldn't disagree more

[Anonymous+Brave+Guy]

I'm sorry, but I strongly disagree with your position on almost every count.

Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.

Secondly, I think you (and several other DB admins and such in this Slashdot discussion) are far, far too casual about this subject. In my country, we have had a string of mismanagement or outright leaks of sensitive personal data in recent months. The number of people who have wound up losing money or suffering long-term hassle just to set their records straight is absurd, and rising every day. A $5,000 fine per leak is nothing compared to the hassle and indirect costs of someone suffering identity theft, even if they get everything put right in the end and recover their direct losses. To one side, it's several months of hell to get your identity back. To the other, it's a mere business expense, a footnote on page 172 of the annual financial statement.

In my not so humble opinion, both business and governments need to learn this lesson, and I have absolutely nothing against sending a business to the wall if it collects personal information but fails to secure it properly. We have allowed more-or-less unrestricted collection of personal data for a few years, easily long enough for the industry to gets its act together. The result has just been organisations hoarding personal information about people for reasons that are entirely self-serving, pretty much all of whom could just die and make the world a better place anyway, and the string of screw-ups I mentioned before from many organisations that do have a legitimate reason to hold that sort of data.

It is time for organisations that think this is OK to be taught otherwise, and frankly these fines are on the light side. I would have preferred an additional statutory duty of care with unlimited liability to cover the cost of putting right any damage done to an individual following a leak. Go ahead and reevaluate your security protocols and whether it is really impossible to do these things or just inconvenient/expensive, when the other side of the inequality you're testing looks like an 8 on its side instead of a $10 per person class action settlement.

Read the law: no broad mandate

[LarryWest42]

eihab seems to have it right.

IANAL, either, but I did read the whole law and there is no broad encryption mandate as the SQL Mag author claimed.

The encryption-related sections of the law that I can find (17.04 (3) & (5)) actually mandate:

• “(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.”
• “(5) Encryption of all personal information stored on laptops or other portable devices;”.

In other words, if you send data over public networks, or wirelessly, or store it on laptops, you should encrypt it. Excuse me for not getting excited about this.

Law: 201 CMR 17.00 reg

FAQ: 201 CMR 17 faqs

The whole thing seems pretty sensible overall.