If your database has Mass. residents, you need a security plan per Massachusetts

sqlmag.com

25 points by AnneTheAgile 16 years ago · 18 comments

slantyyz 16 years ago

The title itself is a little FUD-ish.

According to this link: http://www.leapfile.com/MA-201-CMR-17, it only applies to the following subset of data:

--snip-- According to the definitions in 201 CMR 17.02, personal information is a Massachusetts resident's first name or first initial and last name IN COMBINATION with any one or more of the following data related to the person: social security number, driver's license number or state-issued identification card number, financial account number, credit or debit card number with or without any required security or access code or password that would permit access to financial information. --snip--

  • viraptor 16 years ago

    Well - that's enough to make it relevant whenever there's a card transaction... that's going to affect a lot of people.

    This however, "and perhaps the rest of the world", is complete FUD - no one outside of the US cares about US state laws (unless you have some branch there of course - but then you already know you have a lot more paperwork to do).

    • slantyyz 16 years ago

      For more sensitive information, such as those elements listed, it's more common sense that you'd encrypt that data and have a security policy, regardless of what state in which the people in your database reside.

      The title of this article is so broad it implies that if you simply had a contact database (with no sensitive information) containing Mass. residents, you'd have to file a security policy and encrypt every piece of information.

    • bobbyi 16 years ago

      There's no need to store any of those things in your database in order to allow card transactions.

      • viraptor 16 years ago

        Unless I misunderstood this, it affects you even if you only transfer the information to a 3rd party:

        17.04: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information...

        Also many online shops allow you to save the info in case you want to reuse it in the future.

        • nostrademons 16 years ago

          If you're not storing the information, presumably you don't need to encrypt the data that you're not storing. You do need to encrypt it while transferring it (i.e. use https instead of http), but if you don't do this already, shame on you!

          Similarly, if you're storing credit card numbers in plaintext in a database, shame on you! That's worse than storing plain-text passwords.

          I think the worst parts of this law are the "you have to file with the Massachusetts government" aspects. The technical stuff is basically common-sense data security that everyone should already be doing.

      • hga 16 years ago

        This is not my field, but don't you have to store card numbers in order to do things like issue refunds?

hga 16 years ago

Ummm, what's the legal theory that allows a US state to regulate out of state commerce like this?

On the other hand, I wouldn't want to be a web company based in Massachusetts and this might have more than a small effect on the Boston area's attractiveness to many startups.

  • andrewf 16 years ago

    --article snip-- I could wax eloquently on about the potential battle of states’ rights versus federal oversight and the potential for a Supreme Court challenge based on the Commerce Clause, but, this is an article for geeks, so I won’t go there. Instead, I’ll simply say once again: yikes. --snip--

    It seems silly to state legalities are out of scope when you're talking about a law, even if (or, especially if!) you're not writing for lawyers.

  • tzs 16 years ago

    The big thing with regulation of commerce is that a state can't do it in a way that favors in-state merchants over out-of-state merchants. This law appears to treat in-state and out-of-state merchants equally, so it might be OK as far as regulation of interstate commerce law is concerned. (And it might not--this is a tricky area of law).

  • dangrossman 16 years ago

    It would be the US Constitution, where it gives all rights that are not explicitly enumerated to the states.

    • tomjen3 16 years ago

      True, but the commerce clause is enumerated in the constitution.

    • ggchappell 16 years ago

      "... or to the people." Let's not forget that. (Not that it's terribly relevant to your point.)

m104 16 years ago

After reading the law, I'm either missing the part where data has to be encrypted in all databases or (more likely) the article is misleading. As I read it, the data in question has to be encrypted during transmission (SSL, no big deal) or while stored on a portable device. Nowhere did I get the sense that a web application must maintain encrypted database records at all times.

AnneTheAgile (OP) 16 years ago

I do like the idea of encrypting user names across the wire, but "to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts" goes way too far, imho. I am not a lawyer nor a database geek, so perhaps your take will differ...

UPDATE: "Massachusetts does not require that written information security programs be filed at this time, just that they exist," according to a second article, http://www.informationweek.com/news/security/government/show... . That is a lot better.
