Data Breach Could Test Massachusetts Law

← Back to Stories (view on slashdot.org)

Data Breach Could Test Massachusetts Law

Posted by CmdrTaco on Tuesday December 21, 2010 @11:12AM from the keeping-the-secrets dept.

Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."

73 comments

Min score:

Reason:

Sort:

Internal Termoil. by tc3driver · 2010-12-21 11:25 · Score: 2

This one has me torn... On one hand I would like to see companies held accountable for the damage that a breach can cause to an end consumer... the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

--
42 69 6C 6C 20 47 61 74 65 73 20 69 73 20 61 20 77 68 6F 72 65 21
1. Re:Internal Termoil. by psithurism · 2010-12-21 11:31 · Score: 2
  
  They are not necessarily in trouble for being breached. It appears the breach highlighted the fact that they were not compliant with the law. The customer records should have been encrypted and the extent of data retained seems excessive.
  Though, we don't know whether they are in violation of the law.
2. Re:Internal Termoil. by cappp · 2010-12-21 11:37 · Score: 2
  
  TFA claims all files need to be encrypted but the law doesn't. I pasted the text a couple of replies down..there's nothing in there about encrypting records if they're not on portable media, being broadcast wirelessly, or travelling across public networks.
3. Re:Internal Termoil. by icebike · 2010-12-21 11:57 · Score: 1
  
  Why should a sightseeing company have anything more than a credit card on file?
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re:Internal Termoil. by Anonymous Coward · 2010-12-21 13:07 · Score: 0
  
  The Department of Homeland Security requires smaller businesses to keep full profiles on all aircraft passengers for a minimum of one year.
5. Re:Internal Termoil. by Ritchie70 · 2010-12-21 13:10 · Score: 2
  
  Yes, this has been a major point at work - we're a retailer with locations in Mass, and many of our in-store systems date from the 1980's, so there's no encryption. The law says encryption is required when the data is in transit, including being on portable devices, not when it's sitting in a database.
  
  --
  The preferred solution is to not have a problem.
6. Re:Internal Termoil. by icebike · 2010-12-21 13:22 · Score: 1
  
  Certainly nothing more than you need to book a flight which does not include any financial data.
  You are making this up. What was stolen was simply credit card numbers.
  
  --
  Sig Battery depleted. Reverting to safe mode.
7. Re:Internal Termoil. by psithurism · 2010-12-21 15:03 · Score: 1
  
  Why should a sightseeing company have anything more than a credit card on file?
  Maybe they should make a law against that!
8. Re:Internal Termoil. by hey! · 2010-12-21 16:38 · Score: 1
  
  Because they *can*. As far back as the landmark 1972 HEW report on Computers Records and the Rights of Citizens, the dangerous tendency to automatically file everything in computerized record keeping systems was obvious. The marginal cost of storing a record was lower than it had ever been before. Why not file everything you can get your hands on? You might find a use for it later. Well, it turns out there's all kinds of really bad things that can happen, especially if that information gives access to somebody else's credit. It didn't take a fortune teller to figure that out. People who bothered to think about this problem back in the *Nixon* administration realized how serious a problem knee-jerk record retention was.
  Now back in the early 90s, I designed a set of payment processing business procedures with CPA friend of mine, and we had a big fight with the VP of marketing who had visions of telemarketing operators pulling up credit card numbers from caller ID. Of course that gave those same operators the ability to pull up any customer's credit card information just by typing their name. Anybody who has access to a backup tape could do some serious damage, and if he had half a brain he probably wouldn't get caught for a long time. So we simply refused to do it, citing standard accounting anti-fraud procedures. And nobody was going to order us to do differently, because we made it clear that wouldn't happen without a document trail that would make the responsibility for the decision crystal clear if anything went wrong.
  What happened since then is that standards of financial responsibility have fallen dramatically in the rush to make a quick buck in ecommerce. It has nothing to do with some brave new world of technology and everything to do with laziness and greed. People have always done it, and it's always been sloppy. Customers are to blame too. They love the convenience of not having to fish out their credit card and type it in every time they buy something, until they get their identity stolen.
  
  --
  Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
9. Re:Internal Termoil. by icebike · 2010-12-21 17:29 · Score: 1
  
  Of course that gave those same operators the ability to pull up any customer's credit card information just by typing their name. A
  What happened since then is that standards of financial responsibility have fallen dramatically in the rush to make a quick buck in ecommerce.
  Actually the opposite has happened.
  Storing credit card numbers in your database has so many Visa/Mastercard requirements and restrictions these days that many companies simply choose not to do it at all, and ask for a cc each time you need to purchase.
  Unless your software encrypts the data, forget it. Some small businesses lie and do it anyway, but its very foolish and dangerous.
  
  --
  Sig Battery depleted. Reverting to safe mode.
10. Re:Internal Termoil. by AltairDusk · 2010-12-22 02:17 · Score: 1
  
  Even if the law did I would hope it would specify the levels/types of encryption acceptable if only to avoid "Yes your honor, we were completely compliant with the law. All of our customer data was encrypted in ROT26 format".
Violation of Payment Card Industry regulations? by PatPending · 2010-12-21 11:28 · Score: 3, Interesting

Related story: Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen (emphasis added)

The database contained a variety of customer financial data, including the customer's name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

Twin America said it has filed a complaint with the FBI's Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patch discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.

--
What one fool can do, another can. (Ancient Simian Proverb)
1. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · 2010-12-21 11:38 · Score: 1
  
  If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention
  PCI compliance is not law. Industry standards are not enforceable.
2. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit314 · 2010-12-21 11:41 · Score: 1, Interesting
  
  if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?
3. Re:Violation of Payment Card Industry regulations? by PatPending · 2010-12-21 11:52 · Score: 4, Informative
  Not law but:
  Penalties for Non-compliance
  25. Are there fines associated with non-compliance of the PCI Data Security Standards?
  Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.
  26. Are there fines if cardholder data is compromised?
  Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:
  
  Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
  All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
  Cost of re-issuing cards associated with the compromise.
  Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).
  Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25
  --
  What one fool can do, another can. (Ancient Simian Proverb)
4. Re:Violation of Payment Card Industry regulations? by PatPending · 2010-12-21 11:55 · Score: 4, Informative
  
  The credit card merchant services provides a hash value that is subsequently used. You may store the expiration date and last four digits.
  
  --
  What one fool can do, another can. (Ancient Simian Proverb)
5. Re:Violation of Payment Card Industry regulations? by terraformer · 2010-12-21 11:55 · Score: 2
  
  if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?
  They store data that is useless to others. They don't need to store the card's data, only data about their first transaction with you.
  
  --
  Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
6. Re:Violation of Payment Card Industry regulations? by icebike · 2010-12-21 11:58 · Score: 1
  
  Ok, So that was the Attorney General of Visa that the story mentions?
  
  --
  Sig Battery depleted. Reverting to safe mode.
7. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · 2010-12-21 12:03 · Score: 2, Informative
  
  You can store card data, but not the CVV2 info. There are requirements about how that data is stored, but CVV2 cannot be stored. Ever. Even encrypted. That's the point. And you don't have to have the CVV2 to process transactions, it just helps prove it isn't a fraudulent transaction. This is to help make the physical card (or whoever holds it) the only source of this information. That's the theory anyway. It rarely works that way in practice, of course.
8. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · 2010-12-21 12:14 · Score: 0
  
  But whoever stole the data is guilty of breaking the law (computer access laws, fraud, among others), which is why they reported it to the FBI.
9. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit317 · 2010-12-21 12:17 · Score: 2, Insightful
  
  so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.
10. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit316 · 2010-12-21 12:18 · Score: 0
  
  if the data can be used to initiate future transactions, it is not useless.
11. Re:Violation of Payment Card Industry regulations? by terraformer · 2010-12-21 12:22 · Score: 1
  
  if the data can be used to initiate future transactions, it is not useless.
  If it can only be used to initiate future transaction with the original vendor, it is of limited utility to criminals. It also makes the liability for fraud limited to the vendor who got hacked, which is a nice market based mechanism for those who have crappy security to fix their problems.
  
  --
  Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
12. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit316 · 2010-12-21 12:23 · Score: 0
  
  i completely understand as i build such systems for a living... i'm simply pointing out that the largest retailers online place ease of ordering above security and store enough information required to process a new transaction.
13. Re:Violation of Payment Card Industry regulations? by terraformer · 2010-12-21 12:23 · Score: 1
  
  so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.
  It's not interchangeable. It is limited to this vendor.
  
  --
  Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
14. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · 2010-12-21 12:54 · Score: 0
  
  In the calculus of personally identifying information data loss, the industry standard is somewhere between $190-220 per customer exposure. At 110k users that's about 20.9m worth of liability they've just been hit with. I hope other companies look at this as a warning, since this is not the first but one of a series since TJ Max.
15. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · 2010-12-21 12:58 · Score: 1
  
  dude, how many slashdot accounts do you have...?
  http://slashdot.org/~MichaelKristopeit313
  http://slashdot.org/~MichaelKristopeit314
  http://slashdot.org/~MichaelKristopeit315
  http://slashdot.org/~MichaelKristopeit316
  http://slashdot.org/~MichaelKristopeit317
  "you're completely pathetic."
  you've got way too much free time, man...
16. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit313 · 2010-12-21 13:09 · Score: 0
  
  i don't have any more than i CAN have.
  why do you cower? what are you afraid of?
  you're completely pathetic.
17. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · 2010-12-21 13:47 · Score: 0
  
  I see your name is Michael. Still, I shall call you "Dick."
18. Re:Violation of Payment Card Industry regulations? by pthreadunixman · 2010-12-21 16:29 · Score: 1
  
  Didn't you hear? All security problems can be solved with hash functions.
19. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit319 · 2010-12-21 17:43 · Score: 0
  
  yeah, same guy taught me how to encode passwords with javascript before sending them to the server. SUPER secure.
20. Re:Violation of Payment Card Industry regulations? by Rakishi · 2010-12-21 18:20 · Score: 1
  
  It's useless unless you're able to hack into amazon's servers and initiate charges using hashed information. In which case the information is still useless since you've got much better access from the hack anyways.
  So yes, your own inability to understand what's going doesn't change reality.
21. Re:Violation of Payment Card Industry regulations? by Anonymous Coward · 2010-12-22 02:28 · Score: 0
  
  I really hope your job isn't customer facing...
22. Re:Violation of Payment Card Industry regulations? by locallyunscene · 2010-12-22 03:04 · Score: 1
  
  All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
  I wonder what "losses" covers exactly. Retailers are generally the only ones that lose out in credit card fraud and I doubt this money is going to them.
23. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit321 · 2010-12-22 04:52 · Score: 0
  
  ur mum's face's inability to understand what's going doesn't change reality.
  perhaps you're not familiar with man in the middle attacks... or perhaps you just hypocritically ignore the potential they provide.
  you're an idiot.
24. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit330 · 2010-12-22 05:39 · Score: 1
  
  you want to shield everyone from THE TRUTH?
  why do you cower? what are you afraid of?
  you're completely pathetic.
25. Re:Violation of Payment Card Industry regulations? by Rakishi · 2010-12-22 09:52 · Score: 1
  
  If you're able to do a man in the middle attack between amazon's servers and the credit card companies servers than it doesn't really matter if you have the hashed number or not. In every other case they're useless.
  So once again you've shown your incompetence. Thank you for making it easy.
26. Re:Violation of Payment Card Industry regulations? by MichaelKristopeit321 · 2010-12-22 10:21 · Score: 0
  
  ur mum's face've shown your incompetence.
  of course it doesn't matter if i HAVE the hashed numbers... the exploit exists in the hash numbers REMAINING STORED ON AMAZON'S SERVERS AND BEING USED BETWEEN AMAZON'S SERVERS AND THE PAYMENT PROCESSOR IN LIEU OF AN ACTUAL CARD NUMBER.
  you're an idiot.
27. Re:Violation of Payment Card Industry regulations? by PatPending · 2010-12-22 12:14 · Score: 1
  
  It's my understanding that once a merchant receives an authorization number for a given transaction, the issuing credit card company is out the money, not the merchant, in this case (i.e., stolen information).
  
  --
  What one fool can do, another can. (Ancient Simian Proverb)
28. Re:Violation of Payment Card Industry regulations? by locallyunscene · 2010-12-23 05:12 · Score: 1
  
  Nope, I've worked for several online retailers. The credit card issues a chargeback stating the transaction was fraudulent. Retailers are on the hook to verify their transactions are legal.
  
  Credit Card Companies have a very sweet deal.
29. Re:Violation of Payment Card Industry regulations? by PatPending · 2010-12-23 14:22 · Score: 1
  
  An authorization number is just that -- the issuer of the credit card has hereby authorized the transaction.
  If the issuer knew the credit card was invalid (for whatever reason(s)), it would never have issued the authorization number in the first place.
  Furthermore, an authorization number is not retroactive.
  So we must agree to disagree.
  
  --
  What one fool can do, another can. (Ancient Simian Proverb)
30. Re:Violation of Payment Card Industry regulations? by Kakari · 2011-01-04 15:16 · Score: 1
  
  Oh how I wish your view prevailed, but the fact is that while the card was valid at the time the purchase was fraudulent and the purchaser effectively stole from the merchant. The payment processor (who bundles transactions up to Visa/MC/Amex/etc. networks) will pull the payment from the merchant's account without notice (see http://www.natwest.com/global/legal/business/worldpay.ashx under section 8. Chargebacks and specifically 8.5)
  
  8. CHARGEBACKS 1. 8.1 In certain circumstances, Card Issuers, Card Schemes and/or Other Financial Institutions refuse to Settle a Transaction or require repayment from Us in respect of a Transaction previously Settled and/or Remitted, notwithstanding that Authorisation may have been obtained from the Card Issuer and/or Other Financial Institution (such circumstances being a " Chargeback").
  and
  
  # 8.5 Where a Chargeback occurs, We shall immediately be entitled to debit Your Merchant Bank Account and/or make a deduction from any Remittance in accordance with clause 7.3.1 and/or invoice You in accordance with clause 7.3.2 to recover: 1. 8.5.1 the full amount of the relevant Chargeback; and 2. 8.5.2 any other costs, expenses, liabilities or Fines which We may incur as a result of or in connection with such Chargeback (" Chargeback Costs"). # 8.6 A Chargeback represents an immediate liability from You to Us and where the full amount of any Chargeback and/or any Chargeback Costs is not debited by Us from Your Merchant Bank Account or deducted from any Remittance or invoiced as referred to in clause 8.5, then We shall be entitled to otherwise recover from You by any means the full amount of such Chargeback and Chargeback Costs (or the balance thereof, as the case may be). # 8.7 We shall not be obliged to investigate the validity of any Chargeback by any Card Issuer, Card Scheme or Other Financial Institution, whose decision shall be final and binding in respect of any Chargeback.
  It sucks and merchants get the shaft and as locallyunscene said, "Credit Card Companies have a very sweet deal."
31. Re:Violation of Payment Card Industry regulations? by PatPending · 2011-01-04 18:36 · Score: 1
  
  A Chargeback is an entirely different subject. (We routinely handle them every so often.)
  
  --
  What one fool can do, another can. (Ancient Simian Proverb)
Test the Law by cappp · 2010-12-21 11:29 · Score: 2

I'm not so sure it's a test of the law at all. At least there's no way to know without more details about how the breach occured. The law can be found here (pdf). TFA states the breach occured because of an SQL injection - but nothing beyond that.

In the interests of stimulating a little chatter, the law calls for

(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
1. Re:Test the Law by JSG · 2010-12-21 11:38 · Score: 1
  
  So, 4,6,7 and 8 would seem to apply. That should give the lawyers plenty to play with.
2. Re:Test the Law by Anonymous Coward · 2010-12-21 11:42 · Score: 2, Interesting
  
  I work for a MA company that deals with personal data for several fortune 100 companies. (posting AC for obvious reasons)
  The Law is a joke. The rules are so vague that no matter what precautions are taken you could be found in violation. Who defines "reasonable?" What is adequate "encryption?"
  
  This law is just another example of rushed "Think of the children" (for children read anyone) laws that get passed these days.
3. Re:Test the Law by cappp · 2010-12-21 11:42 · Score: 2
  
  Note the use of the qualifier "reasonable"...the get out clause in every law ever written.
4. Re:Test the Law by mssymrvn · 2010-12-21 16:30 · Score: 1
  
  The other big can of worms is the application of MA commonwealth law to a business *in another state*. MA likes to write laws like this all the time. But the reality is that MA has no jurisdiction outside of its borders. Or shouldn't - though we'll see how stupid the courts are on this one if it comes to trial.
yet. by psithurism · 2010-12-21 11:32 · Score: 1

yet. As the investigators are refusing comment.
I'm not. by Anonymous Coward · 2010-12-21 11:33 · Score: 3, Insightful

. the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...
Tough shit. If a company is going to store that information, then they need to protect it. There's absolutely no reason what so ever for a sightseeing company to store credit card information. None. Customer comes back next year, well get the card number again - the card could be expired anyway.
And companies who keep it on file for things like automatic renewals at magazines - fucking Scientific American does this whether you like it or not when you subscribe online - then they must protect that data. Someone breaks in? Too fucking bad. It's their fault - no excuses.
1. Re:I'm not. by TaoPhoenix · 2010-12-21 13:04 · Score: 1
  
  AC is right, yet he's modded flamebait.
  
  --
  My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Encryption not much use against SQL injection by JSG · 2010-12-21 11:36 · Score: 2

The linked article mentions only that the law requires that data be held encrypted. That is not much use in this case where a SQL attack was used.
Does anyone know whether the law requires a certain standard for the front ends to the data. I'm pretty sure that PCI DSS - as another applicable standard - defines no such thing either.
1. Re:Encryption not much use against SQL injection by Anonymous Coward · 2010-12-21 11:54 · Score: 0
  
  Does anyone know whether the law requires a certain standard for the front ends to the data.
  
  The law is (intentionally?) vague.
  It basically says "best practices".
2. Re:Encryption not much use against SQL injection by VTI9600 · 2010-12-21 12:59 · Score: 1
  
  Protecting against SQL injection attacks is much easier than making sure that all storage devices and network connections are encrypted. To use the Hitchhikers' Guide to the Galaxy analogy, encryption is like a towel. If your data is encrypted then people (sometimes rightfully) assume you've already got everything else you need to protect your customer's data from the crackers of the universe. These guys, however, clearly had none of the above.
3. Re:Encryption not much use against SQL injection by VTI9600 · 2010-12-21 13:04 · Score: 1
  
  Most laws of this nature are indeed left intentionally vague...as they should be. This is so as to not put an onerous burden on companies trying to implement good security practices, not to favor one specific security vendor over another, and to maintain the flexibility needed for vendors to adapt to changes in technology.
So... by Evets · 2010-12-21 11:39 · Score: 2

What is the penalty for violating the law?
1. Re:So... by Anonymous Coward · 2010-12-21 11:55 · Score: 0
  
  Only Death. But it's by old age so I'm not sure if that's much of a penalty.
2. Re:So... by Monkeedude1212 · 2010-12-21 11:59 · Score: 2
  
  What happens if you are hit by a bus and don't serve your penalty?
3. Re:So... by healyp · 2010-12-21 12:27 · Score: 1
  
  What happens if you are hit by a bus and don't serve your penalty?
  Then your next of kin must die of old age instead.
4. Re:So... by Anonymous Coward · 2010-12-21 12:28 · Score: 0
  
  C'mon, this is Massachusetts--one is burned at the stake!
5. Re:So... by Anonymous Coward · 2010-12-21 13:58 · Score: 0
  
  You get to hear, "STOP RIGHT THERE, CRIMINAL SCUM!" for the next 20 years?
6. Re:So... by Evets · 2010-12-21 14:03 · Score: 1
  
  To answer my own question
  
  It contains no specific penalties for non-compliance with the law, but could open the door to lawsuits or legal actions by the state’s attorney general.
  Source
  
  I don't think you can call a law "tough" when there are no penalties.
7. Re:So... by inerlogic · 2010-12-22 06:54 · Score: 1
  
  a lifetime senate seat....
  
  oh wait, that's just for murders...
Re:Lesson learned: don't use MySQL by igreaterthanu · 2010-12-21 14:02 · Score: 1

Buffer overflows and SQL injections are the ban of open source software.
But if I pay Oracle though, it's magically secure right?

--
I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
How are businesses supposed to comply? by chrismcb · 2010-12-21 14:55 · Score: 1

How is a business supposed to comply with something like this? Are you supposed to follow the laws published in every corner of the country? [quote]Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts' residents to encrypt personal information at rest - in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted[/quote] I'm not exactly sure what qualifies as "personal information" but I would assume that includes name and address. Which makes it illegal to use anything but https. I would guess a LOT of companies are not in compliance with this law.
Re:Lesson learned: don't use MySQL by AltairDusk · 2010-12-22 02:30 · Score: 1

SQL syntax works on Oracle too... Shove that user input straight into an Oracle query and you'll find SQL injection is alive and well on all SQL databases where input is not sanitized properly.