Digging Into the New Massachusetts Data Security Law

A coworker sent me a link this morning to SQLMag’s article on the new Massachusetts data security law. The article can be found here:

http://www.sqlmag.com/print/sql-server/A-New-Law-that-Will-Change-the-Way-You-Build-Database-Applications.aspx

The author seems like a nice enough guy, but apparently didn’t do the homework to find out what the law actually says. By the end of his article, he sounds like a salesman for Microsoft SQL Server 2008. To calm the hysteria, here are a few facts gleaned from the law itself (201 CMR 17.00) and a few other sources. The law can be found here:

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

In the article, the author claims that storing a first name and last name unencrypted in a database constitutes Personally Identifiable Information, or PII, and goes on to claim, “If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted that’s $5,000,000. Yikes.” This is untrue. A name by itself is not “personal information” under the regulation; it only becomes personal information in combination with one of the listed data elements. To quote the definition from the law itself:

Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

He also implies that the law applies universally, regardless of what you are doing. In fact, the scope is fairly narrow:

The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not in commerce.

Skipping this kind of basic fact checking is irresponsible for a fairly major publication; this is not a personal blog (like mine). I have contacted the author, and I hope he will amend his article, or write a new one that corrects these inaccuracies, which I dug up with ten minutes of Googling.

3 comments to Digging Into the New Massachusetts Data Security Law

  • Yes, you are correct on both points. I would not consider the scope of the law “fairly narrow”, however. Any person or business that “receives, stores, maintains, processes, or otherwise has access to personal information” belonging to a MA resident “in connection with the provision of goods or services or in connection with employment” is required to comply with the new regs. Therefore, any business entity, regardless of size (even a sole proprietor), when handling MA residents’ PI, no matter how much or how often, now has a rigorous set of requirements to adhere to. This means if, for example, you accept checks, hire employees or subcontractors (you then need social security numbers), or handle credit card info of MA residents, it’s time to familiarize oneself with the regs.

    Another piece of misinformation in the above referenced article – the author states that businesses must provide MA authorities with a copy of their Written Information Security Plan (WISP). That is incorrect. The WISP is an internal management document that is retained by the company. In the event of a data security incident (which is required to be reported when/if discovered), regulatory authorities would likely look for the WISP among other things to demonstrate a good faith effort to comply with the regs. Representatives from the Attorney General’s office have consistently stated that they will be looking for a “good faith effort” regarding compliance in the event of a breach and that they want to work with companies to mitigate damages and notify consumers. Does that mean that the $5000 per incident fine will be waived – dunno. By the way, they have yet to clarify whether that is $5000 per breach event or per record breached…

  • Thanks for the information and clarifications. I couldn’t agree more, and your points on receiving checks/payments and subcontractors are great ones to raise. I’m still hoping the author clarifies the somewhat hysteric tone to the original article, especially in light of WISPs and the “per record or per breach” clarification that is necessary.

  • Just to follow up, you’ll notice the link to the original article now goes to a 404 – missing page. I never heard back from the author. It seems SQLMag has zero credibility – rather than issuing a clarification or retraction of their awful article, they’re just deleting it and hoping people forget. Consider this when reading anything they publish.
