Privacy Databases Security United States

Mass. Data Security Law Says "Thou Shalt Encrypt"

Posted by timothy
from the some-serious-micromanagement dept.
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."
  • by hansraj (458504) on Sunday April 25, 2010 @01:33PM (#31976534)

    It would have been very difficult for us to figure out how much the fine would be if you lost the records of 1000 people.

    It would have been nicer though if you gave us another example. How much would the fine have been for losing records of 2000 people?

  • ROT13 (Score:1, Funny)

    by Anonymous Coward on Sunday April 25, 2010 @01:43PM (#31976634)

    Time for ROT13! "It was encrypted..." /didn't RTFA

  • by noidentity (188756) on Sunday April 25, 2010 @01:52PM (#31976730)
    I'm glad I don't live in Massachusetts, because I have my full name, social security number, driver license number, and financial account numbers stored unencrypted in my house (and I don't have $5000 in the financial account to cover the fine). Phew.
  • rot26 (Score:3, Funny)

    by houghi (78078) on Sunday April 25, 2010 @01:57PM (#31976796)

    Does rot26 count as encryption?

  • by EvanED (569694) <evaned@ g m ail.com> on Sunday April 25, 2010 @01:59PM (#31976828)

    You mean Slashdot posted an incorrect and sensationalist summary? Say it ain't so!

  • by Anonymous Coward on Sunday April 25, 2010 @02:20PM (#31977052)

    I'm sure you could get a discount for large quantities.

  • by NicknamesAreStupid (1040118) on Sunday April 25, 2010 @03:11PM (#31977506)
    Are you sure a government came up with it?
  • by takev (214836) on Sunday April 25, 2010 @03:49PM (#31977852)
    If it is something Alice and Bob are likely to do it is encryption.
  • by maxwell demon (590494) on Sunday April 25, 2010 @03:56PM (#31977916) Journal

    Does rot13 encryption suffice?

  • by phoenix321 (734987) * on Sunday April 25, 2010 @04:07PM (#31978010)

    On the other hand, disgruntled admins now have not only their old rm / -f weapon of mass destruction, but the ultimate superweapon of doom.

    Corporate risk management will now become a nightmare, when 2.5 million names in a database equal 12.5 billion USD in damages if leaked. All these names fit in a 128mb USB stick. Uncompressed. A LZMA2 7z file will probably be around 30mb. 12.5 billion USD in damages caused in 0.5 seconds over a T1 by one admin gone rogue.

    I fully expect admins now to have tenure for life. They will probably never be fired anymore, only taken behind the barn and shot.

  • Re:rot26 (Score:3, Funny)

    by grcumb (781340) on Sunday April 25, 2010 @05:09PM (#31978482) Homepage Journal

    Does rot26 count as encryption?

    Xor( Xor( NO ) )

  • by narcberry (1328009) on Sunday April 25, 2010 @05:17PM (#31978538) Journal

    Just do it twice to be sure.

  • amen! (Score:3, Funny)

    by Weezul (52464) on Sunday April 25, 2010 @06:36PM (#31979112)

    Yes, a completely reasonable law, that just outlawed facebook. :) sounds like progress to me!

  • by SkydiverFL (310021) on Monday April 26, 2010 @05:17AM (#31982186) Homepage

    Hmmm... just a thought... NOT a recommendation...

    Since "personal information" is the "first name and last name" IN COMBINATION WITH any of the other items, could you just denormalize the tables to get around this? Stick the SSN or CC info in a second or third table. Since that data is not stored WITH (same table) the name of the card holder or account owner, then... well... you see where this is going.

    I guess it all comes down to what the meaning of "is" is. ;-)

  • by flajann (658201) <flajann@@@linuxbloke...com> on Friday April 30, 2010 @09:01AM (#32043666) Homepage Journal

    The Dunning–Kruger effect is a cognitive bias in which "people reach erroneous conclusions and make unfortunate choices but their incompetence robs them of the metacognitive ability to realize it."[1] The unskilled therefore suffer from illusory superiority, rating their own ability as above average, much higher than in actuality; by contrast, the highly skilled underrate their abilities, suffering from illusory inferiority. This leads to a perverse result where less competent people will rate their own ability higher than more competent people. It also explains why actual competence may weaken self-confidence because competent individuals falsely assume that others have an equivalent understanding. "Thus, the miscalibration of the incompetent stems from an error about the self, whereas the miscalibration of the highly competent stems from an error about others."[1] “ In the modern world the stupid are cocksure while the intelligent are full of doubt. ” — Bertrand Russell[2][3]

    Interesting reference. However, you hardly know anything about me, so perhaps you have fallen prey to the Dunning-Kruger effect yourself. :-)

    But while we're on the subject, let me continue.

    • I've been in the computer field for over 30 years. I got my start with the Apple ][, back in 1978, when I was 16. A couple of years later, I was writing an OS from scratch for the Micronova and Nova 4X computers (Data General). It was wicked cool stuff. And I was only 18.
    • My entire computer career shot off from there. I have never had formal education in Computer Science, and yet I've done just about everything you can imagine.
    • I know what I'm good at, as is demonstrated by what I've accomplished. I even have a software patent, though many here would decry such a beast -- as do I, in part. But hey, I got paid good money for it, so I went with it.

    Slash me to pieces for tooting my own horn. Actually, I only mentioned the "guru" bit in passing, as a short-hand for stating that I kinda know something about databases in high-demand environments, without having to spend an entire paragraph doing the same. If you want to pick it to death, go straight ahead and do so. Sheesh.

    However, despite all of that, I do find the Dunning-Kruger reference interesting. I have been back and forth many times with assuming everyone has my level of understanding, and thinking I'm a stupid idiot despite evidence to the contrary. These days, I simply call an ace an ace. I know what I can do, I know what I am capable of, so why be shy about it? Do I know everything? No. I would never claim such. However, if I do know something, what's wrong with just being honest about it? Why is it some get offended at this? I put in the Blood, Sweat, Tears, and Years getting to where I am. Should I not be proud of that? What does modesty buy me?

    I've had bloody enough of beating myself into the ground for this or that, and I refuse to do it anymore. I am an empiricist; I go by observations. And I have observed many others referring to myself as "guru", "genius", "brilliant", and what not. Quite frankly, I don't think all of those monikers are deserved. But then, I should give myself credit for what I have accomplished.

    So sorry you are peeved. Actually, I'm not sorry that you are. That's your problem. Not mine.
