Mass. Data Security Law Says "Thou Shalt Encrypt" 510
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"
Phone book (Score:3, Interesting)
I hope the phone company has deep pockets, because the phone book is full of first and last names and, last time I checked, it was totally unencrypted!
Re:This'll get shot down (Score:3, Interesting)
!Micro-management (Score:5, Interesting)
I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law [mass.gov](220kB PDF) doesn't even mention https. So, I think the legislation's level of detail appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.
What would be the point of encrypting the database (Score:1, Interesting)
Wouldn't it be rather pointless to encrypt any of the data that's kept in a database when said data is meant to be available to the software that's accessing that data? The software has to get the decryption key from somewhere, and without the use of special hardware any key that's available to your software would also be available to any hackers who know where the key is kept. Worse yet, it would rule out any software that doesn't incorporate such security, most likely ruling out open source databases.
Probably only applicable to Mass due to interstate (Score:2, Interesting)
This will ultimately probably only end up affect Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce which states expressly do not have the authority to legislate.
I'm all for requirements to protect data, however it is usually not a good idea to legislate how to accomplish that. When that happens then the industry's ability to innovate is legislated away.
Storage of encryption key? (Score:4, Interesting)
Any specifics for encryption key storage? How bout another column in the DB? That seems a likely implementation, very convenient and all that. Or we could just hardcode it to something memorable "password".
Any specifics for encryption scheme? I've heard ROT-13 is fast, but XOR is faster.
Looks like an example of a smart regulation (Score:4, Interesting)
I'm glad to hear that at least one state is starting to implement a reasonable law. Between corporations too cheap to pay for systems that implement even a hint of real security, and perhaps a few lazy developers, we have a mess on our hands. I don't really understand the "yikes" exclamations in TFA. At least now there are some consequences for being so sloppy with your and my data.
My approach to coding web apps is that we are playing theater in the round -- playing to at least three audiences at once. In any pool of users, you have Group-1) probably 98% of users in various states of computer illiteracy for whom you need a very well thought-out UI that gets them through the app with no errors (and good recovery *when* they make errors, you have Group-2) 2% users that have a clue and want things really streamlined, and you have Group-3) a half-dozen bunches of malicious crackers.
All three groups are always present, and you cannot ignore any of them. Ignore Group-1, and you'll pretty much have no audience. Ignore Group-2, and you drive off the 'experts' to whom much of Group-1 looks for advice, and you'll consequently lose not only Group-2 but also a lot of Group-1. Ignore Group-3 and you'll get cracked and mess up a lot pf people's lives by losing their data, and/or you'll get embarrassed.
Unfortunately, too many buyers and devs of software ignore Group-3 because of costs, and the "it'll never happen to us" attitude. They need this kind of stick to nudge them towards doing the right thing.
I come from a very libertarian perspective, and I hate excess regulation, but I'm smart enough to know that the magic Market alone does not fix everything; it needs some smart regulation to prevent excesses or omissions, and appears to this is an example of such good regulation (presuming that they haven't screwed up the details).
Re:Definition of PII from the text of the law (Score:5, Interesting)
So this doesn't apply to places like slashdot and facebook.
Or, indeed, to 95%+ of small ecommerce businesses. As a consultant, I've always recommended to my clients that they hand off processing credit cards (for example) to one of the services that'll do it securely without them ever seeing the card number, in order to avoid any responsibility for looking after the data.
Re:THIS IS A FARCE (Score:1, Interesting)
You sure that's accurate? I've always questioned that but never had a secondary HD controller board to try it out. I suppose the test would be, remove the control board and microwave the drive, reattach board and test...
I guess it would matter manufacturer to manufacturer as the shielding of the drive housing would determine the effectiveness of this.
Re:THIS IS A FARCE (Score:3, Interesting)
Here's a kicker - this law apparently does not apply to the politicians themselves. From the FAQ at http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf [mass.gov]
Does 201 CMR 17.00 apply to municipalities?
No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.
So it seems if your little business gets its 100-member customer db hacked, you're out half a million dollars; if the State of Massachusetts gets its DMV records hacked, they pay you zilch... or am I reading this wrong?
Re:I couldn't disagree more (Score:4, Interesting)
I'm sorry, but I strongly disagree with your position on almost every count.
Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.
While I don't disagree with your post, I wonder just how many large European businesses you've worked for. I'm a consultant in this field, and have quite a few clients who are multinational. While a minority make efforts to stay in compliance with such data privacy laws, such as by keeping PII in the country of origin, a vast majority have no idea where their PII is stored or transmitted. They think data privacy doesn't really apply to them because they don't keep credit cards, and they don't understand the nature of Safe Harbor agreements or what, exactly, is covered therein.
Data privacy is important, and probably needs to be legislated at some level, but don't go telling people that simply because it's the law here, companies actually comply with it.