
Perhaps they are just fear-mongering in those articles.

 

I just noticed that in the discussions area of the InformationWeek article
it was mentioned that the definition of 'personally identifiable
information' in the Massachusetts law was a person's name in addition to
other private information (such as Social Security number, driver's license
number, credit card number, etc.).  The law is posted at
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.

 

I checked out the information in the PDF file, and 'private information' is
defined as follows:

 

Personal information, a Massachusetts resident's first name and last name or
first initial and last name in combination with any one or more of the
following data elements that relate to such resident: (a) Social Security
number; (b) driver's license number or state-issued identification card
number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal
identification number or password, that would permit access to a resident's
financial account; provided, however, that "Personal information" shall not
include information that is lawfully obtained from publicly available
information, or from federal, state or local government records lawfully
made available to the general public.

 

 

From: Ryan Simmons [mailto:[log in to unmask]] 
Sent: Thursday, April 29, 2010 12:38 PM
To: [log in to unmask]
Subject: [MSUNAG] Data Protection Laws requiring name encryption

 

The following article was brought to my attention yesterday:

http://www.sqlmag.com/print/sql-server/A-New-Law-that-Will-Change-the-Way-You-Build-Database-Applications.aspx

 

It references the following article:

http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=224400426&queryText=massachusetts%20cmr

 

These articles describe a new data protection law for the state of
Massachusetts - any "personally identifiable information" (such as first and
last name) for any resident of the state of Massachusetts must be encrypted
in your database and "over the wire".  Fines may be levied in the order of
$5000 per instance.  Organizations based outside the state of Massachusetts
(having information about residents of the state of Massachusetts in their
databases) are affected as well.



__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5072 (20100429) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
