Massachusetts recently passed a sweeping new data security law that will have a profound impact on the way the United States, and perhaps the rest of the world, manages and develops data-centric applications. Oddly, most people in the business don’t seem to know about it.
Google “Massachusetts data security law, 201 CMR 17.00” and you’ll find plenty of facts about the new law. I also encourage you to read InformationWeek’s "States' Rights Come to Security Forefront: Massachusetts' new data protection law reaches beyond its borders. Are you ready?" It’s one of the best summaries I’ve seen. But even it falls short of helping you understand the profound impact of this law.
Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it’s persisted. Sending PII over HTTP instead of HTTPS? That’s a big no no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You’ll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted that’s $5,000,000. Yikes.
Perhaps just as much fun is the fact that to be compliant with the law your company will also need to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts. The WISP must address and outline your business’s “technical, administrative, and physical safeguards” that are in place to protect the data. If you lost a laptop without a WISP being filed with Massachusetts, you’re potentially on the hook for a cool million even if the data was encrypted. Yikes again.
To Continue Reading: Click Here
----------------------------------------------
Source: sqlmag.com
By: Brian Moran
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment