I would have to agree with the fear-mongering assessment. It's also unlikely that Massachusetts law will be enforceable on any business/institution which does not do business directly within Massachusetts. So even if MSU has a personal name + SSN or credit card number, say, for a student who came from Massachusetts, there would be no reasonable way to apply Massachusetts law to MSU. It would be a different story if MSU had a branch campus in Massachusetts, of course.

Doug

On Thu, Apr 29, 2010 at 01:11:22PM -0400, Ryan Simmons wrote:
> Perhaps they are just fear-mongering in those articles.
>
> I just noticed that in the discussions area of the information week article
> it was mentioned that the definition of 'personally identifiable
> information' in the Massachusetts law was a person's name in addition to
> other private information (such as social security number, driver's license
> number, credit card number, etc). The law is posted at
> http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
>
> I checked out the information in the pdf file, and 'private information' is
> defined as follows:
>
> Personal information, a Massachusetts resident's first name and last name or
> first initial and last name in combination with any one or more of the
> following data elements that relate to such resident: (a) Social Security
> number; (b) driver's license number or state-issued identification card
> number; or (c) financial account number, or credit or debit card number,
> with or without any required security code, access code, personal
> identification number or password, that would permit access to a resident's
> financial account; provided, however, that "Personal information" shall not
> include information that is lawfully obtained from publicly available
> information, or from federal, state or local government records lawfully
> made available to the general public.
>
> From: Ryan Simmons [mailto:[log in to unmask]]
> Sent: Thursday, April 29, 2010 12:38 PM
> To: [log in to unmask]
> Subject: [MSUNAG] Data Protection Laws requiring name encryption
>
> The following article was brought to my attention yesterday:
>
> http://www.sqlmag.com/print/sql-server/A-New-Law-that-Will-Change-the-Way-You-Build-Database-Applications.aspx
>
> It references the following article:
>
> http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=224400426&queryText=massachusetts%20cmr
>
> These articles describe a new data protection law for the state of
> Massachusetts - any "personally identifiable information" (such as first and
> last name) for any resident of the state of Massachusetts must be encrypted
> in your database and "over the wire". Fines may be levied in the order of
> $5000 per instance. Organizations based outside the state of Massachusetts
> (having information about residents of the state of Massachusetts in their
> databases) are affected as well.
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature
> database 5072 (20100429) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com

--
Doug Nelson, Network Architect | [log in to unmask]
Academic Technology Services | Ph: (517) 353-2980
Michigan State University | http://www.msu.edu/~nelson/