A New Law Could Change the Way You Build Database Applications

M Skabialka

Normally I wouldn't post a URL for an article not specifically for Access,
but I know there are programmers out there with employee or customer
databases in Access:

Massachusetts recently passed a sweeping new data security law that will
have a profound impact on the way the United States, and perhaps the rest of
the world, manages and develops data-centric applications
...
Here are the basics of the new law. If you have personally identifiable
information (PII) about a Massachusetts resident, such as a first and last
name, then you have to encrypt that data on the wire and as it's persisted.
Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name
of a customer in SQL Server without the data being encrypted? No way, Jose.
You'll get a fine of $5,000 per breach or lost record. If you have a
database that contains 1,000 names of Massachusetts residents and lose it
without the data being encrypted, that's $5,000,000.

More here:
http://www.sqlmag.com/article/sql-s...-the-Way-You-Build-Database-Applications.aspx
Paul Shapiro

That's pretty scary for anyone doing data management, but some of the
comments submitted for that article ease my concern a bit. I did NOT read
the law, so I'm just reporting a few comments. They sound as reputable as
the original article to me, but that's not much of a legal opinion. The
original article was written by Brian Moran, a SQL Server expert but as far
as I know, not a lawyer.

1. A person's first and last name alone do NOT constitute Personally
Identifiable Information (PII). The definition of "personal information" is
a MA resident's first name and last or first initial and last name in
combination with SS#, DL#, state issued ID, financial account number(s) /
info that one could use to gain access to a resident's financial account.
Just the first + last name is not considered PI as it is publicly available
information. Someone else said that Connecticut considers passport numbers,
alien registration numbers and health insurance ID to be PII with similar
requirements for protection.

2. Mass Law doesn't require encryption at rest everywhere - only portable
devices and laptops. It also requires encrypted transmissions of the
specified data that will travel across PUBLIC networks and all data across
wireless networks. Mass law does raise the bar, but encryption of every
database is not a requirement.