I would have to agree with the fear-mongering assessment. It's also
unlikely that Massachusetts law will be enforceable on any
business/institution which does not do business directly within
Massachusetts. So even if MSU has a personal name + SSN or credit card
number, say, for a student who came from Massachusetts, there would be
no reasonable way to apply Massachusetts law to MSU. It would be a
different story if MSU had a branch campus in Massachusetts, of course.
Doug
On Thu, Apr 29, 2010 at 01:11:22PM -0400, Ryan Simmons wrote:
> Perhaps they are just fear-mongering in those articles.
>
>
>
> I just noticed that in the discussions area of the InformationWeek article
> it was mentioned that the definition of 'personally identifiable
> information' in the Massachusetts law was a person's name in addition to
> other private information (such as social security number, driver's license
> number, credit card number, etc). The law is posted at
> http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
>
>
>
> I checked out the information in the pdf file, and 'private information' is
> defined as follows:
>
>
>
> Personal information, a Massachusetts resident's first name and last name or
> first initial and last name in combination with any one or more of the
> following data elements that relate to such resident: (a) Social Security
> number; (b) driver's license number or state-issued identification card
> number; or (c) financial account number, or credit or debit card number,
> with or without any required security code, access code, personal
> identification number or password, that would permit access to a resident's
> financial account; provided, however, that "Personal information" shall not
> include information that is lawfully obtained from publicly available
> information, or from federal, state or local government records lawfully
> made available to the general public.
>
>
>
>
>
> From: Ryan Simmons [mailto:[log in to unmask]]
> Sent: Thursday, April 29, 2010 12:38 PM
> To: [log in to unmask]
> Subject: [MSUNAG] Data Protection Laws requiring name encryption
>
>
>
> The following article was brought to my attention yesterday:
>
> http://www.sqlmag.com/print/sql-server/A-New-Law-that-Will-Change-the-Way-You-Build-Database-Applications.aspx
>
>
>
> It references the following article:
>
> http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=224400426&queryText=massachusetts%20cmr
>
>
>
> These articles describe a new data protection law for the state of
> Massachusetts - any "personally identifiable information" (such as first and
> last name) for any resident of the state of Massachusetts must be encrypted
> in your database and "over the wire". Fines may be levied in the order of
> $5000 per instance. Organizations based outside the state of Massachusetts
> (having information about residents of the state of Massachusetts in their
> databases) are affected as well.
>
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature
> database 5072 (20100429) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
--
Doug Nelson, Network Architect | [log in to unmask]
Academic Technology Services | Ph: (517) 353-2980
Michigan State University | http://www.msu.edu/~nelson/