Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."
Thanks for the math! (Score:3, Funny)
It would have been very difficult for us to figure out how much the fine would be if you lost the records of 1000 people.
It would have been nicer though if you gave us another example. How much would the fine have been for losing records of 2000 people?
ROT13 (Score:1, Funny)
Time for ROT13! "It was encrypted..." /didn't RTFA
Re:Phone book (Score:2, Funny)
You mean Slashdot posted an incorrect and sensationalist summary? Say it ain't so!
Re:Thanks for the math! (Score:2, Funny)
I'm sure you could get a discount for large quantities.
Re:!Micro-management (Score:5, Funny)
Does rot13 encryption suffice?
Re:Doesn't sound so bad (Score:5, Funny)
On the other hand, disgruntled admins now have not only their old rm / -f weapon of mass destruction, but the ultimate superweapon of doom.
Corporate risk management will now become a nightmare, when 2.5 million names in a database equal 12.5 billion USD in damages if leaked. All these names fit in a 128mb USB stick. Uncompressed. A LZMA2 7z file will probably be around 30mb. 12.5 billion USD in damages caused in 0.5 seconds over a T1 by one admin gone rogue.
I fully expect admins now to have tenure for life. They will probably never be fired anymore, only taken behind the barn and shot.
Re:rot26 (Score:3, Funny)
Does rot26 count as encryption?
Xor( Xor( NO ) )
Re:!Micro-management (Score:5, Funny)
Just do it twice to be sure.
amen! (Score:3, Funny)
Yes, a completely reasonable law, that just outlawed facebook. :) sounds like progress to me!
Denormalize Work Around (Score:2, Funny)
Hmmm... just a thought... NOT a recommendation...
Since "personal information" is the "first name and last name" IN COMBINATION WITH any of the other items, could you just denormalize the tables to get around this? Stick the SSN or CC info in a second or third table. Since that data is not stored WITH (same table) the name of the card holder or account owner, then... well... you see where this is going.
I guess it all comes down to what the meaning of "is" is. ;-)
Dunning–Kruger effect (Score:3, Funny)
The Dunning–Kruger effect is a cognitive bias in which "people reach erroneous conclusions and make unfortunate choices but their incompetence robs them of the metacognitive ability to realize it."[1] The unskilled therefore suffer from illusory superiority, rating their own ability as above average, much higher than in actuality; by contrast, the highly skilled underrate their abilities, suffering from illusory inferiority. This leads to a perverse result where less competent people will rate their own ability higher than more competent people. It also explains why actual competence may weaken self-confidence because competent individuals falsely assume that others have an equivalent understanding. "Thus, the miscalibration of the incompetent stems from an error about the self, whereas the miscalibration of the highly competent stems from an error about others."[1] "In the modern world the stupid are cocksure while the intelligent are full of doubt." — Bertrand Russell[2][3]
Interesting reference. However, you hardly know anything about me, so perhaps you have fallen prey to the Dunning-Kruger effect yourself. :-)
But while we're on the subject, let me continue.
Slash me to pieces for tooting my own horn. Actually, I only mentioned the "guru" bit in passing, as a short-hand for stating that I kinda know something about databases in high-demand environments, without having to spend an entire paragraph doing the same. If you want to pick it to death, go straight ahead and do so. Sheesh.
However, despite all of that, I do find the Dunning-Kruger reference interesting. I have been back and forth many times with assuming everyone has my level of understanding, and thinking I'm a stupid idiot despite evidence to the contrary. These days, I simply call an ace an ace. I know what I can do, I know what I am capable of, so why be shy about it? Do I know everything? No. I would never claim such. However, if I do know something, what's wrong with just being honest about it? Why is it some get offended at this? I put in the blood, sweat, tears, and years getting to where I am. Should I not be proud of that? What does modesty buy me?
I've had bloody enough of beating myself into the ground for this or that, and I refuse to do it anymore. I am an empiricist; I go by observations. And I have observed many others referring to myself as "guru", "genius", "brilliant", and what not. Quite frankly, I don't think all of those monikers are deserved. But then, I should give myself credit for what I have accomplished.
So sorry you are peeved. Actually, I'm not sorry that you are. That's your problem. Not mine.