

If your database has Mass. residents, you need a security plan per Massachusetts - AnneTheAgile
http://www.sqlmag.com/print/sql-server/A-New-Law-that-Will-Change-the-Way-You-Build-Database-Applications.aspx

======
slantyyz
The title itself is a little FUD-ish.

According to this link: <http://www.leapfile.com/MA-201-CMR-17> , it only
applies to the following subset of data:

--snip-- According to the definitions in 201 CMR 17.02, personal information
is a Massachusetts resident’s first name or first initial and last name IN
COMBINATION with any one or more of the following data related to the person:
social security number, driver’s license number or state-issued identification
card number, financial account number, credit or debit card number with or
without any required security or access code or password that would permit
access to financial information. --snip--

~~~
viraptor
Well - that's enough to make it relevant whenever there's a card
transaction... that's going to affect a lot of people.

This however "and perhaps the rest of the world" is complete FUD - no one
outside of the US cares about US state laws (unless you have some branch there of
course - but then you already know you have a lot more paperwork to do).

~~~
bobbyi
There's no need to store any of those things in your database in order to
allow card transactions.

~~~
viraptor
Unless I misunderstood this, it affects you even if you only transfer the
information to a 3rd party:

_17.04: Every person that owns or licenses personal information about a
resident of the Commonwealth and electronically stores or transmits such
information..._

Also many online shops allow you to save the info in case you want to reuse it
in the future.

~~~
nostrademons
If you're not storing the information, presumably you don't need to encrypt
the data that you're not storing. You do need to encrypt it while transferring
it (i.e. use https instead of http), but if you don't do this already, shame
on you!

Similarly, if you're storing credit card numbers in plaintext in a database,
shame on you! That's worse than storing plain-text passwords.

I think the worst parts of this law are the "you have to file with the
Massachusetts government" aspects. The technical stuff is basically common-sense
data security that everyone should already be doing.

------
hga
Ummm, what's the legal theory that allows a US state to regulate out of state
commerce like this?

On the other hand, I wouldn't want to be a web company based in Massachusetts
and this might have more than a small effect on the Boston area's
attractiveness to many startups.

~~~
dangrossman
It would be the US Constitution, where it gives all rights that are not
explicitly enumerated to the states.

~~~
tomjen3
True, but the commerce clause is enumerated in the constitution.

------
m104
After reading the law, I'm either missing the part where data has to be
encrypted in all databases or (more likely) the article is misleading. As I
read it, the data in question has to be encrypted during transmission (SSL, no
big deal) or while stored on a portable device. Nowhere did I get the sense
that a web application must maintain encrypted database records at all times.

------
AnneTheAgile
I do like the idea of encrypting user names across the wire, but "to maintain
a Written Information Security Plan (WISP) and file it with the state of
Massachusetts" goes way too far, imho. I am not a lawyer nor a database geek,
so perhaps your take will differ...

UPDATE: "Massachusetts does not require that written information security
programs be filed at this time, just that they exist," according to a second
article,
[http://www.informationweek.com/news/security/government/show...](http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=224400426).
That is a lot better.

~~~
AnneTheAgile
For reference, the law's URL, which was cited in slantyyz's reference, was out
of date. Here is the current link:
<http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf>

