Mass. Data Security Law Says "Thou Shalt Encrypt" 510
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"
Definition of PII from the text of the law (Score:5, Informative)
"""
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
"""
So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.
Not really (Score:5, Informative)
Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose
Summary and article fail.
Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
Everything else states "reasonable security precautions" (aka: access control/passwords).
But don't take my word for it read it [mass.gov] yourself. (it's only 4 pages)
(3)Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information to be
transmitted wirelessly.
[...]
(5) Encryption of all personal information stored on laptops or other portable devices;
- Mass CMR1700 (the only occurrences of the word "encrypt")
Re:Phone book (Score:5, Informative)
A little googling finds the text of the law [mass.gov]:
Personal information, a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.
So it looks like phone companies are safe.
Re:Doesn't sound so bad (Score:5, Informative)
Re:Doesn't sound so bad (Score:3, Informative)
Install Truecrypt; set up on system drive.
It's fairly shockingly idiot proof for a free and supposedly strong encryption solution.
Or Bitlocker if you have Ultimate, maybe.
Or VileFault [nsa.org] if you must use a Mac.
Re:What's so scary about this? (Score:4, Informative)
No, this law is not "too much". Slashdot makes it look like "too much" because the article summary is incomplete and misleading.
This law only applies to certain databases that should have been encrypted anyway.
What about IPSec? (Score:3, Informative)
Even if you're using IPSec?
Re:This'll get shot down (Score:3, Informative)
The thing is, I'm not a resident of MA and MA has no rights to enforce any laws where I live, as I'm outside their jurisdiction.
Last time I checked, if I do happen to do business with a MA resident, MA still has 0 rights regarding any such business as it would be interstate commerce, which is solely controlled by the federal gov per the Constitution.
However, I do agree that companies need to be held to stricter standards regarding personal information and probably should be handled by the feds sooner than later.
Re:Phone book (Score:1, Informative)
Thanks for looking up the text. It sounds a lot more reasonable now. I make fake data files for educational purposes. For a while it sounds like if I had "John, Smith, Boston, MA" that would be one breach since I am sure there is a John Smith in Boston.
TFA got a very important detail wrong (Score:5, Informative)
Incorrect. The author either did not do any research at all, or got the definition of PII horribly wrong as far as this law is concerned. The directive that sets the standard based on the law [mass.gov] states:
It is abundantly clear that a person's first and last name alone does not constitute PII, SSN, financial account number or some other not so public information is also required.
Read the law yourself, four pages pdf (Score:3, Informative)
Re:Doesn't sound so bad (Score:3, Informative)
Do you mean an OS upgrade? Since your encrypted volume is separate and backed
up I fail to see the hardship.
The OS corrupting your data - due to a virus or bug - is more pain because you may not
notice the corruption until recovering from backups means losing some of the latest data.
Re:Doesn't sound so bad (Score:4, Informative)
> People email orders to her.
> Not payment information, just name and delivery address+order.
^^^^^^
> But a name and address is personally identifiable. Does that mean she h
No it does not. Read the text of the law, it will relieve your anxiety!
Re:Doesn't sound so bad (Score:3, Informative)
It's one thing for anyone who's core business is on-line selling, let alone a corporation. But don't think like them. Suppose you run a local used bookstore that's willing to ship books to customers out of the area, or are a musician who is happy to supplement performance income by selling that self-recorded CD? You handle the orders with paypal, but have you really encrypted that customer list you used to keep in a notebook but is now in Excel? Have you even thought of it?
Does that customer list include the customer's social security numbers? How about their drivers license numbers? No, obviously not, and if your bookstore collects that information, you should be on the hook.
What about their credit card information? Now, you're into the PII stuff, and you should encrypt it. Or don't store it - what are you doing with it anyway? You handle orders through Paypal, as you said, which means that you should never be seeing their credit card information.
Finally, how about their addresses? You need their mailing address and email so that you know where to ship and can contact them for receipts and information regarding upcoming sales, right? Well, don't worry... under the new law, those aren't PII. You have no worries.
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
See? It's really not quite as bad as it seems.
Warning: Microsoft EFS can cause data loss. (Score:5, Informative)
TrueCrypt [truecrypt.org] is reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux. The TrueCrypt documentation is very good, but not perfect. TrueCrypt can make an encrypted drive letter or encrypt and entire partition, even the boot partition.
Only open source encryption should be accepted, since the U.S. government has decided it can force executives of corporations to work in secret to help gather data from or about users. If software is not open source, there may be hidden methods of decryption.
Re:Probably only applicable to Mass due to interst (Score:5, Informative)
This will ultimately probably only end up affect Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce which states expressly do not have the authority to legislate.
Nope, this is only affecting in-state commerce with Massachusetts residents. And the states are absolutely allowed to pass laws that affect out-of-state businesses when they do business in the state. The only constitutional prohibitions on that are when the law is protectionist - imposes additional cost on out-of-state businesses that in-state business don't have to pay. Here, because the law applies equally to in-staters and out-of-staters, it isn't protectionist and isn't unconstitutional.
No, they don't (Score:5, Informative)
The FAQ for the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf [mass.gov]
Please note, this FAQ contains personally identifiable information - First and last names, job titles, address of employment, phone and fax number, of Governor Deval L. Patrick, Lieutenant Governor Timothyt P. Murray, Secretary of Housing and Economic Development Gregory Bialecki, and Undersecretary Barbara Anthony. It was obtained by http - NOT https, as required by the law.
The only reason THEY can get away with it is because ... guess what ... government agencies are excluded. "Do as I say, not as I do."
Cripes, dude. You link to the full text of the law, but apparently never read past the URL.
First, that is NOT personally identifiable information. As has been said in many posts, and as is listed in your links:
[Definition of] Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
See? You found names, job titles, addresses, and phone numbers, but no personal information listed in the law.
Second, what's the very next farking sentence in the definition?
provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
See that? Government agencies are not excluded from the law... rather, information lawfully obtained from government agencies are not personal information, which means that people who use it - like you - are not violating the law.
The shocking part is the amount of effort you went to to find the text, the FAQ, and the compliance checklist, plus creating two Slashdot posts about it, and yet you never actually read any of it.
Re:"Standard practice"... if you're an asshole (Score:4, Informative)
How would your example be covered by the law:
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Personal information, [is defined as] a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.
so basically you'd be in the clear. Names and addresses are in the phone book / government public records. If your list contained the names and SSN of the members, then you'd be violating the law, which is still slightly silly as SSN *are not* supposed to be personal identifiers, but that's the world we've wound up with.
Microsoft FUD (Score:4, Informative)
Yes, this really *IS* Microsoft FUD. Note how they fail to mention that it's social security, credit card info, etc that has to be encrypted, not their NAME or address for example. Also note how at the end of TFA they suggest you follow a link for your indoctrination on the encryption features of SQL Server 2008.
Once you realize that it's just the usual credit card and banking related info that must be handled securely, you realize that the law is quite reasonable (though perhaps unenforceable outside of MA).
Re:Doesn't sound so bad (Score:5, Informative)
They are more likely storing your name and phone number so they can call you when your trousers are ready for pickup. Since that's Personally Identifiable Information, they will apparently have to encrypt that.
No, it isn't, and no, they won't. PII is defined in the law. You've read the law, right? It does not include your phone number, or even your address. It's your social security number, driver's license number, credit card number, or bank account number. And your dry cleaner shouldn't be keeping that information.
That could be quite a burden on small businesses like dry cleaners, and plumbers whose wives make up the invoices and send them out at the end of the month.
First, plumbers may have husbands who send out invoices for them.
Second, if those small plumbing businesses are storing customers' social security numbers, drivers license numbers, credit card numbers, or bank account numbers, then they damn well should be encrypting that data.
Re:THIS IS A FARCE (Score:5, Informative)
But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and a servers which require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protects against physical theft of the servers, not against hacking.
I'm not a lawyer and I didn't read the entire law that was passed (grain of salt, etc.), but from my layman interpretation nothing in here says that you have to encrypt data on your live servers.
The penalties are assigned based on breaches, that is, if someone hacks into your server and steals Massachusetts residents' records, you owe $5k for each non-encrypted record that was stolen (as well as notify the person and the state). Also if you have employees taking un-encrypted data off site on laptops that get stolen, similar penalties apply if the laptop was stolen.
Make sure your servers are secure, up to date, and fire walled, encrypt roaming laptops and you'll be fine.
If my understanding is correct, I think this is a great law. If more states implement it, we won't have companies leaving sensitive data on laptops that get stolen because of a careless contractor/employee.
The damages to a company would be so real and enormous that they will have to implement stringent security protocols, or one breach can very possibly take them out of business.
Re:"Standard practice"... if you're an asshole (Score:2, Informative)
Again, back to the law:
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account...
Creating the list you describe is perfectly legal on any computer. Only if you include SSN, DLN, or financial information and send it to someone are you in violation of the law.
How about we link to someone who's not an MS shill (Score:4, Informative)
Like this [informationweek.com]?
Mandatory Digital Signatures on Email (Score:1, Informative)
Your post advocates a
( ) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
It doesn't say JUST the name. (Score:3, Informative)
Re:THIS IS A FARCE (Score:2, Informative)
There is one other case where disk encryption on a server could be useful, though it is not widely applicable: if you have a need to be able to rapidly destroy data, say in the event of a physical security breach. Having data stored on encrypted storage devices can mean that to render the data on the drives unrecoverable only requires wiping the header region of the encrypted block device. That, in turn, means wiping at most a few KB instead of several GB, and thus the difference between many passes in mere seconds and hours for a single pass.
Having said that, this is probably primarily of significance to military, intelligence, and criminal organizations. Few others are likely to be faced with the need to destroy large volumes of data on very short notice.
(If you care about why, this is because most/all disk encryption systems use a randomly-generated master key to encrypt the data on the disk. A copy of that master key is then stored in a header, encrypted with the password or passwords known by the user. No plaintext copy of the master key exists, so to access the data you have to provide the user-known password and use it to decrypt the master key. Changing the password can then be done simply by re-encrypting the master password, rather than by re-encrypting the entire drive. If the encrypted copy of the master key is destroyed, then it doesn't matter how many people you torture to get the password, it's still useless for decrypting the data on the disk.)
Maybe EFS is fixed now. (Score:3, Informative)
For a discussion of the issues, read page 5 of this PDF file from Elcomsoft, which I just found: Advantages and disadvantages of EFS [elcomsoft.com].
Elcomsoft is a famous [wikipedia.org] Russian company. Quote from Wikipedia: "On July 16, 2001, Dmitry Sklyarov, a Russian citizen employed by ElcomSoft who was at the time visiting the United States for DEF CON, was arrested and jailed for allegedly violating the United States DMCA law by writing ElcomSoft's Advanced eBook Processor software. A landmark court case ensued, setting precedents and attracting much public attention and protest. On December 17, 2002, ElcomSoft was found not guilty of all four charges under the DMCA."
The problems with EFS were acknowledged by Microsoft employees. People have discussed losing data on Microsoft professional discussion boards. Elcomsoft sells software designed to recover data lost because of the poor design of EFS.
Read the law: no broad mandate (Score:5, Informative)
eihab seems to have it right.
IANAL, either, but I did read the whole law and there is no broad encryption mandate as the SQL Mag author claimed.
The encryption-related sections of the law that I can find (17.04 (3) & (5)) actually mandate:
In other words, if you send data over public networks, or wirelessly, or store it on laptops, you should encrypt it. Excuse me for not getting excited about this.
Law: 201 CMR 17.00 reg [mass.gov]
FAQ: 201 CMR 17 faqs [mass.gov]
The whole thing seems pretty sensible overall.
Re:Doesn't sound so bad (Score:4, Informative)
Stupid law. It means, for example, that you can no longer keep an email in unencrypted form.
This is why you should never ask Slashdotters for legal advice. Not only are they not lawyers, they overestimate their psychic abilities, and are willing to interpret a law based on a third-hand summary.
Neither TFA (actually a blog by somebody who's using this kerfuffle to encourage people to move to Microsoft SQL server) or the original Information Week article are specific as to who this law applies to. I found the text of the law online:
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf [mass.gov]
Remarkably readable for legislation. It applies to anybody who "receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment." So your email is OK.
Despite what TFA says, I don't see anything that would require anybody to encrypt their databases. The encrypted transmission requirement is there, but it isn't as if SSL is rocket science. But the biggest misinformation in TFA is what has to be protected. Somebody's first and last name isn't sensitive unless it's transmitted or stored "in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number". It then goes on to say that any information that's in the public record is not sensitive and does not need to be protected.
All in all, a pretty reasonable law that merely mandates practices that are already standard at many companies — including Facebook.
Re:THIS IS A FARCE (Score:2, Informative)
i put metal in the microwave ALL THE TIME.
and my microwave still works perfectly fine.
i microwave frozen orange juice containers with metal end caps to soften them up to speed up the making of orange juice
as long as there is enough OTHER substance in the microwave at the same time to absorb the reflected waves, you can put metal in the microwave without a problem.
Re:THIS IS A FARCE (Score:3, Informative)
Update to my above post - apparently the government's security is covered by different-but-similar pieces of legislation, and not being a US resident I'm not about to go wading through it to find out where they've hidden the inevitable loopholes.
Re:Wrong, wrong, wrong (Score:3, Informative)
Agreed. I just read 201 CMR 17.00 (it's 4 pages,and really not that scary: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf [mass.gov] )
Two really important points; encryption on disk means if it's on a portable device such as a laptop, not on a server in a secure location. Encryption in transfer means if it's going over a public network (such as the Internet) - in theory, it wouldn't even cover traffic within a corporate LAN.
Re:THIS IS A FARCE (Score:5, Informative)
Ask the author of the article where he got that notion from.
That phrase does not appear in the law [mass.gov] nor in Massachusetts FAQ [mass.gov].
Nor does anything like it, except in reference to
Re:Doesn't sound so bad (Score:3, Informative)
> Actually, I read the article that was referenced in the summary, and the article that was
> referenced in that article. Neither one said anything like what you just posted.
As usual on most topics, the articles are more or less complete bullshit. The text of the law (all 4 pages of it) is at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf [mass.gov] and the definition you want is on page 2 under "Personal information" in the alphabetical list of definitions.
What I find scary, really, is that any time I see an article on a topic I know something about it's pretty bogus. Do I really have any indication that the press does better on topics I _don't_ know about? :(
Re:I couldn't disagree more (Score:1, Informative)
Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance.
Excuse me, but this is not correct. I'm a data service provider/developer in the EU, and we do NOT have any laws mandating that we keep user data on a server encrypted. That would be highly ridiculous; it would mean we'd basically have to encrypt *everything*, which would raise the hardware cost to a point where we could no longer compete with non-EU services - for example the US (with the exception of Massachusetts, of course).
I'm all for encryption where it's necessary and useful, but knee-jerk legislation like that will not increase actual security in any way. If my server gets hacked - whether or not the disks are encrypted - if our services can read the sensitive data, so can the attacker, and no amount of encryption is going to change that.
You're rightfully concerned about old disks getting resold on eBay (or wherever). Doing something as careless as that is, in fact, a crime in the EU (and I think in the US, too).
Secondly, I think you (and several other DB admins and such in this Slashdot discussion) are far, far too casual about this subject. In my country, we have had a string of mismanagement or outright leaks of sensitive personal data in recent months.
Hell, NO! We're not being cavalier about this, we're just shocked that something like what we're currently reading could actually become a law. Make the people who actually are careless pay for their idiocy, and use that to set an example, but don't impose idiotic restraints on the rest of the industry.
CJ
Re:About fucking time. (Score:3, Informative)
Actually, that's already been upheld in federal courts. States DO have the right to collect taxes for cross-state purchases for their residents, and CAN regulate business transactions with their residents. This is a nominal extension of that power, and quite likely completely legal. Enforcing it directly outside their boarders (ex. inspecting corporations, or mandating standards)? Likely no, but this regulation does not do that. This is a fine levied on data breech, and that CAN be collected across state lines.
Re:I couldn't disagree more (Score:3, Informative)
You don't understand the law. The law defines Personal information as: "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number"