Molly Wood from Cnet.com coined one of my favorite phrases when she described the literal.net as people reading anything on the internet and then assuming it's true. I recently faced a literal.net moment when I started receiving a flurry of E-Mail's about concerns raised by this article at SQLmag.com. It's about a new Massachusetts Law that makes it a fine able offense to store even just a persons first and last name without encrypting it. I love it when people write stupid laws so I started digging in expecting to read some really hard to follow legal jargon I could easily misunderstand. So I started tracing back the article and others related to it. The first place I went is to the article that was referenced by SQLmag.com over at InformationWeek.com. After reading it I was still missing where I needed to encrypt even first and last name came from. So I went looking for the law itself with a quick google search.
What I found when I got there has to be one of the easiest to read laws I have ever seen. It's also much less scary once you have read it. Here are some key points I think will help you understand why I am saying this.
From the PDF of the law found here:
Let's start with the purpose of the regulation:
"This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met
by persons who own or license personal information about a resident of the Commonwealth of
Massachusetts. This regulation establishes minimum standards to be met in connection with
the safeguarding of personal information contained in both paper and electronic records. The
objectives of this regulation are to insure the security and confidentiality of customer
information in a manner fully consistent with industry standards; protect against anticipated
threats or hazards to the security or integrity of such information; and protect against
unauthorized access to or use of such information that may result in substantial harm or
inconvenience to any consumer. "
Sounds pretty normal and generally a great thing for consumers right? I thought so at least. I dug in to find out what "M.G.L. c. 93H" meant and found the really hard to read stuff I thought I would find with the first link. It sounds like this document is the explanation of how to comply with the law. So I kept reading and looking for where it said even a persons first and last name, assuming it is the only information you are keeping, needs to be encrypted. What I found was this in the definitions section:
"Personal information, a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident: (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public. "
So according to this extremely clear statement all of the usual suspects are covered and not just First and Last Name as the sqlmag.com article suggests. All of the rules of what is PI is listed here are consistent with the rules used by almost every industry and Government Agency in the US. So as per usual if you are storing information that a hacker can use to cost a person money you need to at least attempt to encrypt it and reasonably physically protect your assets that hold the data either electronic or paper.
The only thing that is different, though not burdensome, is that you must have a written security plan. If your company has or uses this type of data and doesn't have a plan already written then you should. It's the first thing most auditors will ask you for when doing an audit. It's also going to be in the first discover request if you get hacked and then sued by your customers.
sqlmag.com is a blog focused on, if not funded by, Microsoft SQL Server. Microsoft's latest release now offers what it calls transparent encryption. Sounds really useful in this case right? The Author even points this new feature out in the article.
What's the moral of this story? Before you start getting worried about new rules or laws and how they affect you take a little time to do your homework. With your friend and mine Google, or Yahoo, or even Bing, you could have done the research I did in less than 30 minutes. If I were running a business that this affected I would I would never trust a blogger, not even me, on the internet for Legal Advice unless he was a Lawyer blogging about the law. So run the question past my Legal Council before spending my development or system administration resources time implementing it. Your Legal Council is there to help you protect yourself from exactly this type of threat.
In case you missed it please do not believe that I am an expert in any way. Seek Legal Council if you store any data about your customers and some of the live in MA. They are truly the best source you have about this possible threat.
Wednesday, July 21, 2010 at 10:46PM