“A computer is like an Old Testament god, with a lot of rules and no mercy”

Thursday, April 29

If You Don't Know About This...

...You might want to look into it.
Google “Massachusetts data security law, 201 CMR 17.00” and you’ll find plenty of facts about the new law. I also encourage you to read InformationWeek’s "States' Rights Come to Security Forefront: Massachusetts' new data protection law reaches beyond its borders. Are you ready?" It’s one of the best summaries I’ve seen. But even it falls short of helping you understand the profound impact of this law.

Here are the basics of the new law. It took effect March 1, 2010, and it covers "personal information" about a Massachusetts resident, which the statute behind it (M.G.L. c. 93H) defines narrowly: a first name or initial plus a last name, combined with a Social Security number, a driver's license or state ID number, or a financial account, credit card or debit card number. A name by itself is not covered, but a name sitting next to a card number is. If you own or license that data, you have to encrypt it whenever it crosses a public network or a wireless link, and whenever it sits on a laptop or other portable device, and you need a written information security program covering access control, authentication, patching, malware protection, monitoring and employee training. Sending a customer's card number over HTTP instead of HTTPS? That's a big no no. Leaving it on an unencrypted laptop? No way, Jose. Storing it in SQL Server without encryption is not banned outright by the rule, but the moment a copy of that table lands on a lost laptop, you own the problem. Enforcement is by the Attorney General under M.G.L. c. 93A, with civil penalties of up to $5,000 per violation, and nothing in the rule says whether losing a database of 1,000 residents' records counts as one violation or 1,000. Read that as anything from $5,000 to $5,000,000 for a single incident. Yikes.

So if you or your company holds personal information about ANY Massachusetts resident, wherever your company is located (the regulation applies to anyone who owns or licenses such data, not only businesses in the state), you may want to check what your databases actually hold in the clear, how that data travels (websites, of course, but also any feed or API), and which laptops it ends up on. Also, be sure to read further down for information concerning laptops in MA. Ouch!
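The practical first step the post recommends is finding out whether the identifiers that turn a name into "personal information" (Social Security numbers, card numbers) are sitting in your databases as plaintext. The audit below is an added example of mine, not code from the post or from any compliance tool: it walks every table and column of a SQLite database and flags cells that look like an SSN or pass the Luhn check that payment card numbers satisfy. The table, rows, names and numbers are constructed sample data (the SSNs are well-known invalid ones, the card numbers are standard test numbers); ciphertext is represented by an opaque "enc:" string, which is an assumption about how your own encryption layer labels stored values.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Two of the identifier types named in M.G.L. c. 93H. Driver's license formats
# vary by state, so they are not pattern-matched here.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DIGIT_RUN_RE = re.compile(r"^[\d -]{13,23}$")


def luhn_valid(digits: str) -> bool:
    """Return True if a pure digit string passes the Luhn checksum (card numbers do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> Optional[str]:
    """Label one cell as 'ssn', 'card', or None if it does not look like either."""
    if not isinstance(value, str):
        return None
    if SSN_RE.match(value):
        return "ssn"
    if DIGIT_RUN_RE.match(value):
        digits = re.sub(r"[ -]", "", value)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "card"
    return None


def audit_plaintext_pi(conn: sqlite3.Connection) -> List[Tuple[str, str, int, str]]:
    """Scan every user table and column; return (table, column, rowid, kind) per hit."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                kind = classify(value)
                if kind:
                    findings.append((table, col, rowid, kind))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data, not real people: two rows in the clear, one encrypted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, state TEXT, ssn TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        ("Jane Doe", "MA", "078-05-1120", "4111 1111 1111 1111"),   # plaintext, MA resident
        ("John Roe", "MA", "enc:5Q2Hk1pXb9", "enc:Rz8mL0aQ3t"),      # assumed ciphertext label
        ("Pat Smith", "NH", "219-09-9999", "5500 0000 0000 0004"),  # plaintext, not MA
    ])
    return conn


if __name__ == "__main__":
    for table, col, rowid, kind in audit_plaintext_pi(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: plaintext {kind}")
```

The scan deliberately reports every plaintext hit regardless of the state column: the lost-laptop scenario does not filter rows by residency before it happens, and a mixed table is easiest to fix as a whole. The Luhn check keeps phone numbers and order IDs from flooding the report, but a real audit should also look at free-text notes fields, backups and log files, which this example does not cover.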


Anonymous said...

I do not believe they can reach into other states and legislate. If so, I have a few laws that Tennessee might want to put in place for DC, CA...