
Mass. Data Security Law Says "Thou Shalt Encrypt"

timothy posted more than 3 years ago | from the some-serious-micromanagement dept.


emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."


510 comments

Doesn't sound so bad (5, Insightful)

rwa2 (4391) | more than 3 years ago | (#31976470)

That's pretty much already corporate policy at the last two major places I've worked for a few years now. It would be nice if the government starts treating that data the same way.

In fact, it would also be nice to mandate encryption and signatures for email so there will be no more unsolicited spam. And finally it would be great if no one was allowed to open up a line of credit without my cryptographic signature so I wouldn't have to protect my SSN, birthdate, and mother's maiden name like it was some sort of safety deposit box combination.

Re:Doesn't sound so bad (1)

Erikderzweite (1146485) | more than 3 years ago | (#31976520)

Second that. Sound surprisingly reasonable. Hope that more states and countries follow.

!Micro-management (5, Interesting)

cmholm (69081) | more than 3 years ago | (#31976718)

I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law [mass.gov] (220kB PDF) doesn't even mention https. So, I think the legislation's level of detail is appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.

Re:Doesn't sound so bad (0, Offtopic)

avilliers (1158273) | more than 3 years ago | (#31976630)

It is reasonable in principle, and a significant new burden that a lot of small businesses won't be able to handle and will mess with a lot of the ways the internet has empowered the small-time crowds.

It's one thing for anyone whose core business is on-line selling, let alone a corporation. But don't think like them. Suppose you run a local used bookstore that's willing to ship books to customers out of the area, or are a musician who is happy to supplement performance income by selling that self-recorded CD? You handle the orders with paypal, but have you really encrypted that customer list you used to keep in a notebook but is now in Excel? Have you even thought of it?

In addition, it applies to anyone who *sells* to a MA resident. If other states follow suit, but don't do things exactly the same, could you imagine trying to keep up? You'll have to do best practices (including written security policies) to have a fighting chance of avoiding fines.

To be fair, there usually are exemptions for small businesses; I didn't see one skimming the story, but my examples may be irrelevant. Hopefully they are.

Re:Doesn't sound so bad (5, Informative)

TheRaven64 (641858) | more than 3 years ago | (#31976712)

You know, all of the use cases you describe can be supported by ticking the 'encrypt' checkbox that Windows NT has had since version 4, or by storing commercial data on an encrypted partition, which pretty much all modern(ish) operating systems support. It's really not hard, and is probably the minimum that a small business should be doing anyway.

Re:Doesn't sound so bad (1)

sirsnork (530512) | more than 3 years ago | (#31976726)

Until you have to reinstall your OS. Then it can become all manner of hard to get that data back

Re:Doesn't sound so bad (1)

EvanED (569694) | more than 3 years ago | (#31976782)

You can back up your keys, you know.

EFS is deeply, destructively flawed. (1)

Futurepower(R) (558542) | more than 3 years ago | (#31977152)

That's a mistake. The built-in Windows Encrypting File System (EFS) is safe only if you are connected with a domain. Anyone using a workstation not connected with a domain will lose ALL encrypted data if Windows is re-installed on the workstation. Having a backup of the keys is not enough.

EFS is just one example of deep flaws in software from Microsoft that don't get much publicity, in my opinion.

Re:Doesn't sound so bad (1)

TheRaven64 (641858) | more than 3 years ago | (#31976884)

If you have any data that is important to your business and isn't backed up, then I have no sympathy for you when (and it is 'when', not 'if') you lose it.

Re:Doesn't sound so bad (1)

lukas84 (912874) | more than 3 years ago | (#31977046)

SMBs have troubles getting backups right, what makes you think that encrypting their backup will help matters?

Re:Doesn't sound so bad (2, Informative)

sustik (90111) | more than 3 years ago | (#31977116)

Do you mean an OS upgrade? Since your encrypted volume is separate and backed up I fail to see the hardship.

The OS corrupting your data - due to a virus or bug - is more pain because you may not notice the corruption until recovering from backups means losing some of the latest data.

Re:Doesn't sound so bad (1)

CarpetShark (865376) | more than 3 years ago | (#31977122)

You know, all of the use cases you describe can be supported by ticking the 'encrypt' checkbox that Windows NT has had since version 4

Except that:

a) Windows encryption is known to be flawed, and using a known-bad encryption system for this sort of thing probably counts as negligence.
b) Windows encryption has back doors, and... see above.
c) Anyone implementing encryption at the flick of a switch without properly planning for it will very likely regret it when it comes to file recovery, backup use, etc.

Re:Doesn't sound so bad (1)

mgkimsal2 (200677) | more than 3 years ago | (#31976714)

"Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business."

It seems like they really do mean just about everyone. Within a year we'll start seeing stories about how part-time small business people doing exactly what you described are the new source of major data breaches, because their Excel files and whatnot are being stolen via trojans and viruses. And the data security industry will push for more laws and expensive software to remedy the situation. Just a cynical hunch...

Would having a password on a spreadsheet file constitute enough 'security'?

Re:Doesn't sound so bad (2, Informative)

FuckingNickName (1362625) | more than 3 years ago | (#31976736)

Install Truecrypt; set up on system drive.

It's fairly shockingly idiot proof for a free and supposedly strong encryption solution.

Or Bitlocker if you have Ultimate, maybe.

Or VileFault [nsa.org] if you must use a Mac.

Re:Doesn't sound so bad (1)

ThePhilips (752041) | more than 3 years ago | (#31977054)

And on Linux I'm pretty sure one can run encryption over the imported NAS volume.

As the requirement relates only to the "PII" (Pentium 2?!), that's not such a huge amount of information in the end.

Even the integration of performance oriented SQL back end with data security oriented one is nothing new.

Re:Doesn't sound so bad (3, Insightful)

jhoegl (638955) | more than 3 years ago | (#31976750)

So.... Encryption is a big headache for small businesses?

There are free encryption tools out there. The "headache" would probably be for IT, because encryption means if you didn't back it up you lost it. If you forgot the PW, you lost it; if that person leaves and doesn't give you the PW, you can sue them, but you lost it.

One thing I have noted in my "small business" IT jobs: if you don't take IT seriously and stick them in a windowless room in the basement like you would a janitor, you will not succeed in your business. A small business treated me like I was lost revenue instead of like a member of the company; they lost me and they regret it to this day. But this company is a medical billing business, where HIPAA was a daily worry. I figured it out.

Kind of went off on a tangent there, but the point is small businesses have it better than large companies. It's not hard to encrypt, it's hard to keep track and train how to use.

Re:Doesn't sound so bad (0, Flamebait)

Bing Tsher E (943915) | more than 3 years ago | (#31976928)

One thing I have noted in my "small business" IT jobs: if you don't take IT seriously and stick them in a windowless room in the basement like you would a janitor, you will not succeed in your business.

But basically, that's what IT is. You're file clerks at best. Data janitors is another way to describe it.

But I see some resentment there. Didn't get the prestige you thought you deserved? How did you make sure they regretted it? Can you tell us, and any future employees what you did?

Re:Doesn't sound so bad (1)

tepples (727027) | more than 3 years ago | (#31977042)

There are free encryption tools out there.

The last time I checked, SSL certificates that chain back to a CA in all the major browsers weren't free.

Re:Doesn't sound so bad (2, Insightful)

maxume (22995) | more than 3 years ago | (#31976802)

Yeah, it's way less damaging when your personal information is stolen from a small business.

Re:Doesn't sound so bad (1, Offtopic)

HungryHobo (1314109) | more than 3 years ago | (#31976918)

Ya this seems like a massive headache for small businesses.

One example I can think of: I know a woman who sells cakes and has her own website.

People email orders to her.
Not payment information, just name and delivery address+order.

But a name and address is personally identifiable. Does that mean she has to get some kind of encrypted mailserver of her own?
How about if she replies to them?
That's sending that name and address in the clear (just like how it was sent to her, of course).

And how about social network sites?
There's plenty of personally identifiable information posted on there which by the very nature of the sites is fairly open, but does that mean that myspace has to switch everything to HTTPS and store all that info on your public profile in an encrypted database???

This is well meaning and sounds nice, but this sounds a lot like one of the ham-fisted attempts at regulation that clueless lawmakers are famous for.

Re:Doesn't sound so bad (3, Informative)

sustik (90111) | more than 3 years ago | (#31977168)

> People email orders to her.
> Not payment information, just name and delivery address+order.
    ^^^^^^
> But a name and address is personally identifiable. Does that mean she h

No it does not. Read the text of the law, it will relieve your anxiety!

Re:Doesn't sound so bad (1, Offtopic)

tomhudson (43916) | more than 3 years ago | (#31976768)

Stupid law. It means, for example, that you can no longer keep an email in unencrypted form.

Hey. on the other hand - maybe this will help kill off facebook.

Re:Doesn't sound so bad (1)

tepples (727027) | more than 3 years ago | (#31977018)

In fact, it would also be nice to mandate encryption and signatures for email so there will be no more unsolicited spam.

Spammers would just sign their ads. And besides, how would Joe User enter the strongly connected part of the PGP web of trust without flying to a Major City(tm) for a key signing party?

Re:Doesn't sound so bad (1)

maxume (22995) | more than 3 years ago | (#31977194)

Bacon. Kevin Bacon. Six degrees of Kevin Bacon.

More seriously, if you don't have some sort of use for the ability to put your email into 3 bins: 'unknown signature', 'known signature' and 'known bad signature', you aren't thinking about it very much.

And if it is easy to repudiate keys, then your ISP or bank can sign your key. Geography solved.

About fucking time. (4, Insightful)

wiredog (43288) | more than 3 years ago | (#31976506)

Now maybe if they actually enforce it businesses will get the idea that they should protect the data.

Thanks for the math! (3, Funny)

hansraj (458504) | more than 3 years ago | (#31976534)

It would have been very difficult for us to figure out how much the fine would be if you lost the records of 1000 people.

It would have been nicer though if you gave us another example. How much would the fine have been for losing records of 2000 people?

Re:Thanks for the math! (2, Funny)

Anonymous Coward | more than 3 years ago | (#31977052)

I'm sure you could get a discount for large quantities.

What's so scary about this? (4, Insightful)

MartinSchou (1360093) | more than 3 years ago | (#31976540)

What is so scary about this?

With a high cost of PII, there is now an economic incentive for companies to actually give a rats ass. It's the same kind of incentive that is used to make sure companies don't just dump toxic chemicals in kindergarten sandboxes.

Re:What's so scary about this? (3, Insightful)

El Lobo (994537) | more than 3 years ago | (#31976668)

It IS scary because extremes are always bad. Yes, it sounds politically correct here on /., privacy, bla bla bla, but when you just are going to extremes like the need of encrypting *public* and easily available information like, say the name of a person, which is also available (with even more details) in your favorite telephone directory, you are not being "good". You're being ridiculous.

I understand the need of encrypting credit card numbers, etc, but too much is too much.

In Sweden it is illegal to publish any information about who the owner of a vehicle is, for example. Yet, it is perfectly legal to send a SMS to the traffic authorities to get the same info. Go figure.

Re:What's so scary about this? (4, Informative)

Anonymous Coward | more than 3 years ago | (#31976826)

No, this law is not "too much". Slashdot makes it look like "too much" because the article summary is incomplete and misleading.

This law only applies to certain databases that should have been encrypted anyway.

Re:What's so scary about this? (1)

splogic (1797526) | more than 3 years ago | (#31976890)

I second that! All this security stuff sounds "cool" and "hacker-like", but the fact of the matter is the entire purpose of security is distrust. A society based on distrust will eventually destroy itself, due to accumulation of power. We must have an open-source society. We're headed in exactly the wrong direction right now, except for OSS.

Re:What's so scary about this? (1)

Mashiara (5631) | more than 3 years ago | (#31976950)

1. The cost of the SMS is cost enough that nosy people won't go on a massive trawl of the data (since if it was legal to publish said info someone would set up a crowdsourced database).

2. When the vehicle changes owner the traffic authority knows about it, you probably don't (and since your incentive to publish someone's info is to "name and shame", someone else is now on the receiving end of hate intended for the previous owner of registration number X).

3. They want to protect their revenue stream (see crowdsourced db from point 1).

Re:What's so scary about this? (1)

nedlohs (1335013) | more than 3 years ago | (#31977158)

It's not scary because it doesn't say that. Which of these items are you classifying as "*public* and easily available":

* SSN
* State ID number
* Bank account number
* Credit card number

All the law is saying is: if you have that type of data and the person's name, then you better damn well encrypt it.

This'll get shot down (1)

fotbr (855184) | more than 3 years ago | (#31976546)

If you're a company that doesn't do business within the boundaries of the state, they'll have a damned hard time justifying why you're beholden to their laws.

Re:This'll get shot down (1)

wmbetts (1306001) | more than 3 years ago | (#31976582)

The spam laws aren't shot down. It's basically the same thing. If I have a company in Texas and someone in Mass buys something I have to protect their data or face fines. If I send UCE to someone in say California and I'm sending it from Texas I can face fine in California.

Re:This'll get shot down (1)

fotbr (855184) | more than 3 years ago | (#31976962)

But if you're in California, and a resident of Mass buys something from you while they're on vacation in CA, and you store any PII in your sales database, why the hell would you be subject to MA law?

Re:This'll get shot down (2, Interesting)

zarthrag (650912) | more than 3 years ago | (#31976600)

That's already started to go south with online sales tax. Simply doing business with a resident of the state is enough of an opening to allow the state to preserve the rights of their citizens. The only way to circumvent that would probably be to not do business there (i.e. void where prohibited.) Though, I must say, this is a GOOD thing.

Re:This'll get shot down (2, Informative)

Gr8Apes (679165) | more than 3 years ago | (#31976874)

The thing is, I'm not a resident of MA and MA has no rights to enforce any laws where I live, as I'm outside their jurisdiction.

Last time I checked, if I do happen to do business with a MA resident, MA still has 0 rights regarding any such business as it would be interstate commerce, which is solely controlled by the federal gov per the Constitution.

However, I do agree that companies need to be held to stricter standards regarding personal information and probably should be handled by the feds sooner than later.

Re:This'll get shot down (1)

rmushkatblat (1690080) | more than 3 years ago | (#31976602)

Yeah, basically.

I can't see too many companies coming to Massachusetts because of this, though I can definitely see some leaving.

Phone book (3, Interesting)

kjart (941720) | more than 3 years ago | (#31976554)

I hope the phone company has deep pockets, because the phone book is full of first and last names and, last time I checked, it was totally unencrypted!

Re:Phone book (5, Informative)

Anonymous Coward | more than 3 years ago | (#31976694)

A little googling finds the text of the law [mass.gov]:

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

So it looks like phone companies are safe.

Re:Phone book (2, Funny)

EvanED (569694) | more than 3 years ago | (#31976828)

You mean Slashdot posted an incorrect and sensationalist summary? Say it ain't so!

Re:Phone book (1, Informative)

Anonymous Coward | more than 3 years ago | (#31976984)

Thanks for looking up the text. It sounds a lot more reasonable now. I make fake data files for educational purposes. For a while it sounded like if I had "John, Smith, Boston, MA" that would be one breach, since I am sure there is a John Smith in Boston.

"rather scary" (0)

Anonymous Coward | more than 3 years ago | (#31976556)

It's "rather scary" that this emeraldd guy is going to have to actually start doing the job he should have been doing all along?

Sounds mostly reasonable to me... (1)

Fraggy_the_undead (758495) | more than 3 years ago | (#31976570)

...in fact, as far as I'm concerned it's about time that someone legislated how companies I have to deal with protect my personal information.
This "Written Information Security Plan"-Thing (yes, I read TFA) sounds like an unnecessary and useless PITA though...

A pain to implement, but.. (3, Insightful)

Improv (2467) | more than 3 years ago | (#31976572)

This seems pretty sensible. Given how many people are hurt by these things, this seems like a reasonable standard for future industry practice, and the fines hammer home the idea to the companies that "oops, sorry!" isn't the level of seriousness these things should be given. I imagine most of the time these breaches are against the privacy promises the companies make anyhow.

The only downside is that the fine is kind of daunting for people who would like to enter a relevant market, although .. perhaps it's analogous to car manufacturers being liable for poor design of their products - when they fail, it can be a big deal.

Awaiting the professionalism... (0)

scamper_22 (1073470) | more than 3 years ago | (#31976588)

Now I await the professionalization of the software field.

Who in the company is going to oversee such rules and regulations? Hmm, perhaps all software projects must be handled by a certified software engineer. They can make sure the software is up to standards... and will have to take out liability insurance like other professionals.

And of course, they must be US citizens to comply with US law.

I'm smelling job protection like doctors and lawyers.
Oh I can dream can't I?

Re:Awaiting the professionalism... (0)

Bing Tsher E (943915) | more than 3 years ago | (#31977010)

And of course, MD5 signatures formally registered with the government for any binaries allowed to touch this critical secure data. Which leads, of course, to the necessity that any software at all allowed in a business has to come from an accredited established business who have full staff assigned to massage that special branch of the bureaucracy that oversees said MD5 registry.

Indeed, it sounds more and more like Open Source will just plain be out of the question. Except for instances where it's strictly controlled and throttled by top heavy organizations, aka Big Businesses.

Excellent. Most excellent indeed!

Definition of PII from the text of the law (5, Informative)

kgo (1741558) | more than 3 years ago | (#31976592)

"""
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
"""

So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.
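The definition quoted above is precise enough to turn into a check. The following is an added example, not code from the thread or from the Commonwealth of Massachusetts: a small Python classifier that applies the quoted definition (last name plus first name or first initial, in combination with at least one of the enumerated elements, and not lawfully obtained from public records) to a set of constructed records. Field names such as `drivers_license` and the `publicly_available` flag are assumptions for the example; the records are constructed, not real people.

```python
"""Classify records against the quoted Massachusetts 'personal information'
definition. Added example; field names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# The enumerated data elements from clauses (a), (b) and (c) of the definition.
# Keys are the (assumed) record field names; values are a short label for reports.
SENSITIVE_ELEMENTS: Dict[str, str] = {
    "ssn": "Social Security number",                       # (a)
    "drivers_license": "driver's license number",          # (b)
    "state_id": "state-issued identification card number", # (b)
    "financial_account": "financial account number",       # (c)
    "card_number": "credit or debit card number",          # (c)
}


@dataclass
class Record:
    first_name: str = ""
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""
    state_id: str = ""
    financial_account: str = ""
    card_number: str = ""
    # Assumed flag: the record was lawfully obtained from publicly available
    # information or public government records (the definition's carve-out).
    publicly_available: bool = False


def has_qualifying_name(rec: Record) -> bool:
    """'first name and last name or first initial and last name': a non-empty
    last name plus at least a first initial. A last name alone does not count."""
    return bool(rec.last_name.strip()) and bool(rec.first_name.strip())


def present_elements(rec: Record) -> List[str]:
    """Return the labels of the enumerated data elements this record carries."""
    return [label for fld, label in SENSITIVE_ELEMENTS.items()
            if getattr(rec, fld).strip()]


def is_personal_information(rec: Record) -> bool:
    """True when the record meets the quoted definition: a qualifying name in
    combination with one or more enumerated elements, unless the carve-out
    for lawfully obtained public information applies."""
    if rec.publicly_available:
        return False
    return has_qualifying_name(rec) and bool(present_elements(rec))


def classify(records: List[Record]) -> Dict[str, int]:
    """Summarise a data set: how many records fall under the definition and
    therefore need the law's protections, how many carry a name only, and how
    many carry an enumerated element without a qualifying name."""
    summary = {"personal_information": 0, "name_only": 0, "element_without_name": 0, "other": 0}
    for rec in records:
        if is_personal_information(rec):
            summary["personal_information"] += 1
        elif has_qualifying_name(rec) and not present_elements(rec):
            summary["name_only"] += 1
        elif present_elements(rec) and not has_qualifying_name(rec):
            summary["element_without_name"] += 1
        else:
            summary["other"] += 1
    return summary


# Constructed sample records (not real people).
SAMPLE = [
    Record(first_name="John", last_name="Smith"),                               # phone-book style
    Record(first_name="J", last_name="Smith", card_number="4111111111111111"),  # initial + card
    Record(first_name="Jane", last_name="Doe", ssn="000-00-0000"),              # name + SSN
    Record(last_name="Doe", ssn="000-00-0000"),                                 # no first name
    Record(first_name="Pat", last_name="Lee", financial_account="12345",
           publicly_available=True),                                            # carve-out
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.first_name, rec.last_name, "->", is_personal_information(rec),
              present_elements(rec))
    print(classify(SAMPLE))
```

The point the check makes concrete is the one the comment draws: a bare name, or a name with an address, never trips the definition, while a name plus a single account, licence or Social Security number does, which is the data most shops should already be protecting.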

Re:Definition of PII from the text of the law (1)

TheSpoom (715771) | more than 3 years ago | (#31976690)

Given the exception at the end, I would guess that it also means you don't have to encrypt the names, just the account numbers, which is what any e-commerce package worth its salt (pun not intended) does anyway.

Re:Definition of PII from the text of the law (1)

larry bagina (561269) | more than 3 years ago | (#31977074)

when I worked at a business doing e-commerce, we stored name, email, telephone, and address. No cc numbers, no ssns, no driver's license, no bank account numbers. Storing that shit is just plain stupid.

Re:Definition of PII from the text of the law (2, Funny)

noidentity (188756) | more than 3 years ago | (#31976730)

I'm glad I don't live in Massachusetts, because I have my full name, social security number, driver license number, and financial account numbers stored unencrypted in my house (and I don't have $5000 in the financial account to cover the fine). Phew.

It's about time (4, Insightful)

barius (1224526) | more than 3 years ago | (#31976612)

Sounds awesome to me. This should have been made law in every state/country a long time ago. Now if they would just make it law that all companies must provide an easy and thorough means for any individual to expunge their details from company records (I'm looking at you Facebook) then I might finally be able to stop that little bit of throwing up in my throat I get every time a company asks for my email address.

Not really (5, Informative)

Anonymous Coward | more than 3 years ago | (#31976638)

Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose

Summary and article fail.

Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
Everything else states "reasonable security precautions" (aka: access control/passwords).

But don't take my word for it, read it [mass.gov] yourself. (it's only 4 pages)

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
[...]
(5) Encryption of all personal information stored on laptops or other portable devices;

- Mass CMR1700 (the only occurrences of the word "encrypt")

What would be the point of encrypting the database (1, Interesting)

Anonymous Coward | more than 3 years ago | (#31976766)

Wouldn't it be rather pointless to encrypt any of the data that's kept in a database when said data is meant to be available to the software that's accessing that data? The software has to get the decryption key from somewhere, and without the use of special hardware any key that's available to your software would also be available to any hackers who know where the key is kept. Worse yet, it would rule out any software that doesn't incorporate such security, most likely ruling out open source databases.

Re:What would be the point of encrypting the datab (1)

rastilin (752802) | more than 3 years ago | (#31977066)

Well even if the key is just coded into your application, it still means they have to decompile it (C#, C++, C), or just parse it (PHP, Python(non-frozen)). If you kept the key inside an innocuously named file inside your application's structure, with unclear variable names; that would still be a big jump in security.

Why would it rule out open source databases? As long as you do the encryption inside your application, even sqlite is plenty secure.

Re:What would be the point of encrypting the datab (1)

kgo (1741558) | more than 3 years ago | (#31977202)

Well you would have the administrator manually mount the encrypted db after a reboot and type the passphrase at that time, not hardcode it in the app. It doesn't help when someone cracks the running system. It does help when they steal the server or the database files. You pretty much get the same benefits as full drive encryption.

Re:Not really (0)

Anonymous Coward | more than 3 years ago | (#31977134)

That's right. Also while a "WISP" is required, it need not be filed anywhere.

Who does this apply to? (0)

mgkimsal2 (200677) | more than 3 years ago | (#31976648)

What constitutes a 'business'? And how does this affect companies that might be using any one of the myriad of forums or blogging software in addition to their core "enterprise" software? Pretty much every blog or forum software out there keeps PII in plaintext format, and they're in use by many large companies.

From the article:

"Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business."

So, they really do mean pretty much all businesses - anyone conducting any business online, it seems. Should I start turning in every business that doesn't SSL encrypt their 'contact us' forms? After all, someone from MA might use that form.

Re:Who does this apply to? (1)

guruevi (827432) | more than 3 years ago | (#31977112)

When was the last time you left your SSN, credit card number or a copy of your birth certificate with a random forum? PII is not your name/e-mail address. It's Personal Identifying Information. Neither your address nor your name makes you you (identifies you) in the business world. Walk into any car dealership and ask them to sell you a car just based on what you tell them your name and address is. What does qualify you to buy a car is the numbers connected to your bank accounts and your credit.

Politicians... (0, Redundant)

CondeZer0 (158969) | more than 3 years ago | (#31976650)

Politicians should stay the fuck away from shit they don't understand!

Which I guess in practice means they should stay the fuck away from pretty much everything.

Re:Politicians... (1, Flamebait)

Improv (2467) | more than 3 years ago | (#31976778)

Libertarians should stay the fuck away from shit they don't understand!

Which I guess in practice means they should stay the fuck away from pretty much everything.

ok (0)

Anonymous Coward | more than 3 years ago | (#31976676)

Putting the db on an encrypted volume is doable. https is a minor PITA.
Or filter out all internet traffic from Massachusetts, which is what they deserve for passing stupid data protection laws.
The only data protection law should be: you cause distress to a user by losing or selling his data, or by changing EULAs, you pay all present damage, potential damage and a fee, or close doors the day after a complaint was filed.
Let businesses then sort out if the data they process needs encryption and at what level. If one player plays an online game with his friggin name, should I encrypt traffic... watch his ping soar.... BS

Re:ok (1)

retchdog (1319261) | more than 3 years ago | (#31976852)

And then when they do "cause distress" to a user who sues for massive damages, people like you are going to cry and whine about tort reform and frivolous lawsuits.

It's just more efficient to set up "best practices" in a sufficiently general way so that the standards can be met freely; welcome to reality. It's either this; the status quo; or a massive "coffee burn"-type lawsuit.

Scarier not to (4, Insightful)

starfishsystems (834319) | more than 3 years ago | (#31976696)

It's scarier to contemplate that such information is so often exposed as a matter of routine carelessness.

On the other hand, it's not clear what to do about the classic perimeter problem. Sooner or later, somewhere, the encrypted data has to be processed or presented in plaintext. The key and the data have to be brought together. Now we've converted the problem of securing the data to the problem of securing the key - probably many keys in practice - and the systems on which those keys reside - probably many systems.

Re:Scarier not to (1)

Kohath (38547) | more than 3 years ago | (#31976864)

It's scarier to contemplate that such information is so often exposed as a matter of routine carelessness.

Yeah, the last 10 security breaches each caused the end of the world. It's super scary.

Re:Scarier not to (0)

Anonymous Coward | more than 3 years ago | (#31977196)

This would change the window from "compromise any system on the network" to "compromise the application and machine processing the sensitive information."

It reduces the complexity of securing the data to just securing that one endpoint rather than every system on the network.

Except when.... (1)

ericdano (113424) | more than 3 years ago | (#31976772)

Good plan....except when the state or local governments fail to do it.....then what? Going to fine themselves?

It's a good idea in theory...except....enforcing it might be hard.

Look at California's hands-free cell phone law. I can count, daily, two digit numbers of people who are not following it....and where is the enforcement???

Probably only applicable to Mass due to interstate (1, Interesting)

linuxtelephony (141049) | more than 3 years ago | (#31976794)

This will ultimately probably only end up affecting Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce, which states expressly do not have the authority to legislate.

I'm all for requirements to protect data, however it is usually not a good idea to legislate how to accomplish that. When that happens then the industry's ability to innovate is legislated away.

Storage of encryption key? (3, Interesting)

vlm (69642) | more than 3 years ago | (#31976812)

Any specifics for encryption key storage? How bout another column in the DB? That seems a likely implementation, very convenient and all that. Or we could just hardcode it to something memorable "password".

Any specifics for encryption scheme? I've heard ROT-13 is fast, but XOR is faster.

Re:Storage of encryption key? (1)

tepples (727027) | more than 3 years ago | (#31977128)

Any specifics for encryption key storage?

Use industry best practices in good faith. Statutes in anglophone countries leave these technicalities up to the jury for a reason.
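The key-storage question above, and the "key and data have to be brought together" point in the "Scarier not to" post, are easiest to see in code. The following is an added example, not code from any poster or from the law: the SSN column is stored only as AES-256-GCM output, the key is loaded from outside the database (the environment variable name PII_FIELD_KEY_HEX is a hypothetical stand-in for a KMS or HSM lookup), and the row id is bound in as additional authenticated data so a ciphertext cannot be quietly swapped between rows. The name column is left in the clear, matching the statutory definition quoted later in the thread. The sample SSN is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// keyEnv is a hypothetical name for the environment variable that carries the
// 32-byte AES-256 data-encryption key. In production this would be a KMS/HSM
// call; the point is only that the key never sits in the same table as the data.
const keyEnv = "PII_FIELD_KEY_HEX"

// Row models one database row. Name alone is not "personal information" under
// the definition quoted in this thread; the SSN is held only as AES-GCM output
// (nonce || ciphertext || tag), never as plaintext.
type Row struct {
	ID           string
	Name         string
	SSNEncrypted []byte
}

// LoadKey reads the key from outside the database and validates its length.
func LoadKey() ([]byte, error) {
	h := os.Getenv(keyEnv)
	if h == "" {
		return nil, errors.New(keyEnv + " is not set; the key must live outside the database")
	}
	k, err := hex.DecodeString(h)
	if err != nil || len(k) != 32 {
		return nil, errors.New(keyEnv + " must be 64 hex characters (a 32-byte AES-256 key)")
	}
	return k, nil
}

// EncryptField seals one field with AES-GCM. rowID is passed as additional
// authenticated data so that a ciphertext copied from one row into another
// fails to decrypt instead of silently yielding a different person's SSN.
func EncryptField(key []byte, rowID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(rowID)), nil
}

// DecryptField reverses EncryptField; any modification of the blob, a wrong
// key, or a mismatched rowID returns an error rather than garbage.
func DecryptField(key []byte, rowID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(rowID))
}

// LeaksPlaintext is the check a reviewer would run over a table dump: does
// the stored row still contain the sensitive value in the clear?
func LeaksPlaintext(r Row, ssn string) bool {
	return bytes.Contains([]byte(r.Name), []byte(ssn)) || bytes.Contains(r.SSNEncrypted, []byte(ssn))
}

func main() {
	key, err := LoadKey()
	if err != nil {
		fmt.Println("setup:", err)
		os.Exit(1)
	}
	ssn := "123-45-6789" // constructed sample value, not a real SSN
	blob, err := EncryptField(key, "row-1", []byte(ssn))
	if err != nil {
		fmt.Println("encrypt:", err)
		os.Exit(1)
	}
	row := Row{ID: "row-1", Name: "A. Resident", SSNEncrypted: blob}
	fmt.Printf("stored column: %x\n", row.SSNEncrypted)
	fmt.Println("plaintext visible in row:", LeaksPlaintext(row, ssn))
	pt, err := DecryptField(key, row.ID, row.SSNEncrypted)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
}
```

Run it with `PII_FIELD_KEY_HEX=$(openssl rand -hex 32) go run .`; without the variable it refuses to start, which is the behaviour you want when the key is meant to come from a key service rather than a column. Note that this only moves the problem, as the "Scarier not to" post says: whoever can read the process environment (or the KMS credential) can decrypt, so the key source and the application host become the new perimeter to secure and to log access against.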

What about email (1)

surmak (1238244) | more than 3 years ago | (#31976818)

So, if a Mass. resident sends me (or my business) an email, what does that mean?

The message will generally contain the sender's name and email address. It is sent in the clear over SMTP, and will generally be stored as plain text on the server as either flat files or perhaps some database until the message is picked up via IMAP, POP or some proprietary protocol. It is then likely to be stored, indefinitely, in plain text on the client machine.

It looks to me like someone did not think this through. (Unfortunately it is not news when a government regulates technology w/o understanding it.)

Re:What about email (1)

surmak (1238244) | more than 3 years ago | (#31976882)

I stand corrected. As another post indicates, this only applies to SSN, credit card numbers or state-issued IDs (driver's licenses.)

Actually, this does not sound too bad. The article, on the other hand, looks like a piece of FUD to get users to update their MSSQL software.

Re:What about email (1)

Jedi Alec (258881) | more than 3 years ago | (#31976914)

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

(blatantly copy-pasted from a post earlier in the thread).

So a combination of name and e-mail address does not apply unless more information is in there.

It looks to me like someone did not read this through. (Unfortunately it is not news when a slashdotian responds to an article without actually reading it.)

Re:What about email (1)

russotto (537200) | more than 3 years ago | (#31977036)

It looks to me like someone did not read this through. (Unfortunately it is not news when a slashdotian responds to an article without actually reading it.)

Slashdot isn't solely at fault here. The article referenced makes the same error:

Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted that's $5,000,000. Yikes.

What about IPSec? (2, Informative)

loufoque (1400831) | more than 3 years ago | (#31976834)

Sending PII over HTTP instead of HTTPS? That's a big no no.

Even if you're using IPSec?

It is about time (1)

WindBourne (631190) | more than 3 years ago | (#31976858)

I am not wild about regs, but the problem is that companies really do not care. Worse, when they have real issues in which they lose your data, they do NOTHING about it. Take the example of Toyota. They would have had a recall that cost them 100 million had they done it correctly the first time. Did they recall? Nope. But what was the Fed's response? 16 million. Just like MS, Toyota, Chinese companies, and all the rest of these companies taking shortcuts PROVE that CRIME DOES PAY. Hopefully, Mass. hits one company hard in the next year and then all companies will change their tunes. Until then, we will see loads of horrible systems.

Re:It is about time (1)

h00manist (800926) | more than 3 years ago | (#31976916)

I am not wild about regs

Me neither, but you can't deny there are two big things that orient the behavior of companies and large groups of people. Profits, and laws.

I've read text SSN's out of colleges for 30 years (1)

geohump (782273) | more than 3 years ago | (#31976868)

I've been able to read cleartext SSN's out of colleges for the past 30 years without ANY authorization, so all I can say is that this is better late than never.

The only refinement I can think of that would improve it is that any MIS/IT/CIO Director who authorizes any form of non-encrypted storage of this type of information should also have to pay a personal fine of $500 per record.

Funny how when it's your own money that's on the line your perspective changes.

About time (1)

Plekto (1018050) | more than 3 years ago | (#31976880)

Where I last worked, we routinely dealt with issues like this as well (legal field - chain of evidence and all). It's high time that the computer industry took security concerns as a serious matter. And, no, they really don't. I have a friend who worked in the field working with security for major Fortune 500 companies and the state of the security was a complete joke. And the threats are a dozen times worse than the public imagines. Yet they do nothing until there's a problem.

Well, hitting them in their pocketbook? That's effective 100% of the time in getting their attention.

Slashdot DoS (1)

gmuslera (3436) | more than 3 years ago | (#31976894)

Attached file: [1000_Mass-_Citizens_names.txt]

Bah, wasn't that easy. So let's just close Facebook, whose fine should be enough to pay USA debt.

Well, that means jobs (1)

h00manist (800926) | more than 3 years ago | (#31976896)

Don't know if it's better or worse, or I like it or not, but in any case, it means more work for techies. Lots of databases, middleware, disk systems, etc to upgrade to comply with the new laws. In fact there's likely to be a whole category of security and law compliance consulting...

It mandates anti-virus software (0)

Anonymous Coward | more than 3 years ago | (#31976908)

As one of the law's requirements, computers must include:

"(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis."

Do Linux systems generally include antivirus and antimalware software?

Looks like an example of a smart regulation (3, Interesting)

Presence1 (524732) | more than 3 years ago | (#31976920)

I'm glad to hear that at least one state is starting to implement a reasonable law. Between corporations too cheap to pay for systems that implement even a hint of real security, and perhaps a few lazy developers, we have a mess on our hands. I don't really understand the "yikes" exclamations in TFA. At least now there are some consequences for being so sloppy with your and my data.

My approach to coding web apps is that we are playing theater in the round -- playing to at least three audiences at once. In any pool of users, you have Group-1) probably 98% of users in various states of computer illiteracy for whom you need a very well thought-out UI that gets them through the app with no errors (and good recovery *when* they make errors), you have Group-2) 2% users that have a clue and want things really streamlined, and you have Group-3) a half-dozen bunches of malicious crackers.

All three groups are always present, and you cannot ignore any of them. Ignore Group-1, and you'll pretty much have no audience. Ignore Group-2, and you drive off the 'experts' to whom much of Group-1 looks for advice, and you'll consequently lose not only Group-2 but also a lot of Group-1. Ignore Group-3 and you'll get cracked and mess up a lot of people's lives by losing their data, and/or you'll get embarrassed.

Unfortunately, too many buyers and devs of software ignore Group-3 because of costs, and the "it'll never happen to us" attitude. They need this kind of stick to nudge them towards doing the right thing.

I come from a very libertarian perspective, and I hate excess regulation, but I'm smart enough to know that the magic Market alone does not fix everything; it needs some smart regulation to prevent excesses or omissions, and it appears that this is an example of such good regulation (presuming that they haven't screwed up the details).

Not just electronic records? (0, Redundant)

joshtimmons (241649) | more than 3 years ago | (#31976964)

I just read the text of the law (IANAL) and it doesn't seem that this law is restricted to network transmissions and data storage - in fact it explicitly mentions paper records. How would one even go about encrypting paper? I'd think it would even affect newspapers which listed a reporter's name, or the name of somebody in the news. What if that newspaper was just left on a bench somewhere? Data breach.

Re:Not just electronic records? (0)

Anonymous Coward | more than 3 years ago | (#31977198)

Physically securing the data is the hardest part: locking file rooms, files off desks at night, etc.

Email encryption is a pain when your recipients are not tech savvy and some of the commercially available "secure" email products are a joke, but with a reasonably thoughtful system design, not a lot of changes to the computer systems themselves are required (strong passwords, encrypted email, encrypted laptops, no unencrypted removable media).

Cellphones contain databases... (0, Redundant)

h00manist (800926) | more than 3 years ago | (#31977002)

I wonder what the fine will be for losing a cellphone with 300 phone numbers of your friends and family in MA.

They violate their own law when I access the law (-1, Troll)

tomhudson (43916) | more than 3 years ago | (#31977006)

The FAQ for the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf [mass.gov]

Please note, this FAQ contains personally identifiable information - first and last names, job titles, address of employment, phone and fax number, of Governor Deval L. Patrick, Lieutenant Governor Timothy P. Murray, Secretary of Housing and Economic Development Gregory Bialecki, and Undersecretary Barbara Anthony. It was obtained by http - NOT https, as required by the law.

The only reason THEY can get away with it is because ... guess what ... government agencies are excluded. "Do as I say, not as I do."

Check out their checklist: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdfhttp://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf [mass.gov]

Example: "Have you stored your records and data containing PI in locked facilities, storage areas or containers?" - better not have a hardcopy of any records in an unlocked drawer, or take them home to work on.

Or this gem "A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)?" Like biometrics can't be gotten around with some gummy bears, or sticky tape, or a picture.

"Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information?" - so much for using your smartphone for email and phone calls since you have an unencrypted phone book sitting in there (or even if it's encrypted, it can be accessed at will without having to enter a password each time - and a 4-digit "unlock" is not considered an effective password under the law) ... so sux 2 b u.

Re:They violate their own law when I access the la (1)

tomhudson (43916) | more than 3 years ago | (#31977098)

Botched links, sorry ...

Text of the law http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf [mass.gov]
FAQ: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf [mass.gov]
Compliance checklist http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf [mass.gov]

They also require you to run antivirus software

Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

How about if you answer "I run BSD/VMS/linux, you ignorant clod"?

TFA got a very important detail wrong (4, Informative)

walmass (67905) | more than 3 years ago | (#31977012)

If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it’s persisted.

Incorrect. The author either did not do any research at all, or got the definition of PII horribly wrong as far as this law is concerned. The directive that sets the standard based on the law [mass.gov] states:

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

It is abundantly clear that a person's first and last name alone does not constitute PII; an SSN, financial account number or some other not-so-public information is also required.

Interstate Commerce (2, Insightful)

aitikin (909209) | more than 3 years ago | (#31977016)

I think this is a great idea, however I bet that some idiot will not find out about this law, not follow it, lose the data for say, 50 people, get fined and then fight it (because it's cheaper than the fine), and then find it in front of a US court which will idiotically deem it unconstitutional because it interferes with interstate commerce.

[Congress has power] To regulate Commerce with foreign Nations, and among the several States, and with the Indian tribes;

~Article I, section 8, clause 3, United States Constitution.

"Standard practice"... if you're an asshole (1, Troll)

Anal Surprise (178723) | more than 3 years ago | (#31977082)

It's a little irritating to read all the comments about how this is really easy, standard industry practice, etc. Please give me a fucking break.

Suppose you're running a church newsletter. You're not computer-literate. You want to send a newsletter. You write out the names of church members and their mailing addresses on a sheet of paper, and accidentally leave it at the copy shop. This is legal.

Now, you do the same thing on a computer that you keep locked in your church. You use it to print out labels, you put the labels on envelopes, and you put the envelopes in the mail. Is it really reasonable that you've broken the law here? Most of this information is available in public databases anyway. You don't know "encryption" from your asshole. Your computer runs Windows 98, and there's no network.

To my mind, if "creating a list on paper" is legal, "creating a list in a computer" should be too. If you want to hit %%loss or misuse%% of personal information, write a law that does that. Penalize a lack of security, don't legislate what security is, because every situation is not the same.
