If your database has Mass. residents, you need a security plan per Massachusetts (opens in new tab)

(sqlmag.com)

25 pointsAnneTheAgile16y ago18 comments

18 comments

The title itself is a little FUD-ish.

According to this link: http://www.leapfile.com/MA-201-CMR-17 , it only applies to the following subset of data:

--snip-- According to the definitions in 201 CMR 17.02, personal information is a Massachusetts resident’s first name or first initial and last name IN COMBINATION with any one of more of the following data related to the person: social security number, driver’s license number or state-issued identification card number, financial account number, credit or debit card number with or without any required security or access code or password that would permit access to financial information. --snip--

viraptor16y ago

Well - that's enough to make it relevant whenever there's a card transaction... that's going to affect a lot of people.

This however "and perhaps the rest of the world" is complete FUD - noone outside of US cares about US state laws (unless you have some branch there of course - but then you already know you have a lot more paperwork to do).

slantyyz16y ago

For more sensitive information, such as those elements listed, it's more common sense that you'd encrypt that data and have a security policy, regardless of what state in which the people in your database reside.

The title of this article so broad it implies that if you simply had a contact database (with no sensitive information) containing Mass residents that you'd have to file a security policy and encrypt every piece of information.

bobbyi16y ago

There's no need to store any of those things in your database in order to allow card transactions.

2 more replies

hga16y ago

Ummm, what's the legal theory that allows a US state to regulate out of state commerce like this?

On the other hand, I wouldn't want to be a web company based in Massachusetts and this might have more than a small effect on the Boston area's attractiveness to many startups.

andrewf16y ago

--article snip-- I could wax eloquently on about the potential battle of states’ rights versus federal oversight and the potential for a Supreme Court challenge based on the Commerce Clause, but, this is an article for geeks, so I won’t go there. Instead, I’ll simply say once again: yikes. --snip--

It seems silly to state legalities are out of scope when you're talking about a law, even if (or, especially if!) you're not writing for lawyers.

tzs16y ago

The big thing with regulation of commerce is that a state can't do it in a way that favors in-state merchants over out-of-state merchants. This law appears to treat in-state and out-of-state merchants equally, so might be OK as for as regulation of interstate commerce law is concerned. (And it might not--this is a tricky area of law).

dangrossman16y ago

It would be the US Constitution, where it gives all rights that are not explicitly enumerated to the states.

tomjen316y ago

True, but the commerce clause is enumerated in the constitution.

ggchappell16y ago

"... or to the people." Let's not forget that. (Not that it's terribly relevant to your point.)

m10416y ago

After reading the law, I'm either missing the part where data has to be encrypted in all databases or (more likely) the article is misleading. As I read it, the data in question has to be encrypted during transmission (SSL, no big deal) or while stored on a portable device. Nowhere did I get the sense that a web application must maintain encrypted database records at all times.

AnneTheAgileOP16y ago

I do like the idea of encrypting user names across the wire, but "to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts" goes way too far, imho. I am not a lawyer nor a database geek, so perhaps your take will differ...

UPDATE: "Massachusetts does not require that written information security programs be filed at this time, just that they exist," according to a second article, http://www.informationweek.com/news/security/government/show... . That is alot better.

AnneTheAgileOP16y ago

For reference, the law's URL, which was cited in slantyyz's reference, was out of date. Here is the current link; http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

attylynn16y ago

There is absolutely no need to "file" the WISP with the state. The WISP is an internal document that state officials would likely look for in the event of a data security incident (i.e., a breach or report of lost data such as a missing laptop).

j / k navigate · click thread line to collapse

18 comments

slantyyz16y ago

The title itself is a little FUD-ish.

According to this link: http://www.leapfile.com/MA-201-CMR-17 , it only applies to the following subset of data:

viraptor16y ago

Well - that's enough to make it relevant whenever there's a card transaction... that's going to affect a lot of people.

slantyyz16y ago

bobbyi16y ago

There's no need to store any of those things in your database in order to allow card transactions.

2 more replies

hga16y ago

Ummm, what's the legal theory that allows a US state to regulate out of state commerce like this?

On the other hand, I wouldn't want to be a web company based in Massachusetts and this might have more than a small effect on the Boston area's attractiveness to many startups.

andrewf16y ago

It seems silly to state legalities are out of scope when you're talking about a law, even if (or, especially if!) you're not writing for lawyers.

tzs16y ago

dangrossman16y ago

It would be the US Constitution, where it gives all rights that are not explicitly enumerated to the states.

tomjen316y ago

True, but the commerce clause is enumerated in the constitution.

ggchappell16y ago

"... or to the people." Let's not forget that. (Not that it's terribly relevant to your point.)

m10416y ago

AnneTheAgileOP16y ago

For reference, the law's URL, which was cited in slantyyz's reference, was out of date. Here is the current link; http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

attylynn16y ago

j / k navigate · click thread line to collapse