dbTalk Databases Forums  

New law in Massachusetts require encryption of data

comp.databases.pick


#1 eppick77 - 04-26-2010, 11:49 AM

Check out this new law that went into effect March 1:


http://www.sqlmag.com/print/sql-serv...lications.aspx

It will affect anyone maintaining a database that has people from
Massachusetts.

Eugene

#2 Kevin Powick - 04-26-2010, 12:57 PM

On 2010-04-26 12:49:36 -0400, eppick77 <eppick77 (AT) yahoo (DOT) com> said:

Quote:
Check out this new law that went into effect March 1:

http://www.sqlmag.com/print/sql-serv...lications.aspx

It will affect anyone maintaining a database that has people from
Massachusetts.

I've just updated our systems to not allow people from Massachusetts to
purchase anything.

Interesting article though. I now have to contact the legal people and
see if this is something we really do have to consider. I had not
heard of it before.

--
Kevin Powick

#3 dawn - 04-26-2010, 01:26 PM

On Apr 26, 11:49 am, eppick77 <eppic... (AT) yahoo (DOT) com> wrote:
Quote:
Check out this new law that went into effect March 1:

http://www.sqlmag.com/print/sql-serv...ill-Change-the...

It will affect anyone maintaining a database that has people from
Massachusetts.
Sheesh. What a pain. It looks like this is really a law, right? Does
anyone know if we really need to be concerned about this in case
anyone from MA registers on our web site and gives us their address,
for example? It sounds like it would be illegal for us to store that
information in the usual way one would store info in an MV database
(in the clear). Really? Come on Massachusetts, please repeal this law
quickly. --dawn

> Eugene

#4 eppick77 - 04-26-2010, 02:32 PM

On Apr 26, 2:26 pm, dawn <dawnwolth... (AT) gmail (DOT) com> wrote:
Quote:
On Apr 26, 11:49 am, eppick77 <eppic... (AT) yahoo (DOT) com> wrote:

Check out this new law that went into effect March 1:

http://www.sqlmag.com/print/sql-serv...ill-Change-the...

It will affect anyone maintaining a database that has people from
Massachusetts.

Sheesh. What a pain. It looks like this is really a law, right? Does
anyone know if we really need to be concerned about this in case
anyone from MA registers on our web site and gives us their address,
for example? It sounds like it would be illegal for us to store that
information in the usual way one would store info in an MV database
(in the clear). Really? Come on Massachusetts, please repeal this law
quickly. --dawn

Eugene
Dawn,

What is also troubling is that in researching this new law I came
across a comment that 40 states have laws regarding this type of stuff
to varying degrees. Do we have to check each and every state?

Eugene

#5 Kevin Powick - 04-26-2010, 02:38 PM

On Apr 26, 3:32 pm, eppick77 <eppic... (AT) yahoo (DOT) com> wrote:

Quote:
What is also troubling is that in researching this new law I came
across a comment that 40 states have laws regarding this type of stuff
to varying degrees.
What may be even more troubling is whether or not your MV product has
built-in support for the necessary level of protection and
compliance. It looks like QM and jBASE do but, AFAIK, D3 certainly
does not.

--
Kevin Powick

#6 Ed Sheehan - 04-26-2010, 07:16 PM

It sounds like the state laws that "require" sales tax. Other state
residents can (and do) ignore those states "requiring" out-of-state concerns
to charge and pay sales tax. They just tell them to go jump in the lake, and
because of states' sovereignty, there's nothing more than legal bluster they
can do about it.

I suspect the same for this state "law." One state cannot impose law on
another.

Ed
"eppick77" <eppick77 (AT) yahoo (DOT) com> wrote

Quote:
Check out this new law that went into effect March 1:


http://www.sqlmag.com/print/sql-serv...lications.aspx

It will affect anyone maintaining a database that has people from
Massachusetts.

Eugene

#7 Scott Ballinger - 04-26-2010, 09:17 PM

The link provided by Eugene makes an overly broad assertion of the
implications of this law. This is not as scary as everyone makes it out
to be: this is just about specific "personal information." If you are
in the Health Care industry, you are already familiar with HIPAA and
hopefully compliant. If your company takes credit cards, you should
already be encrypting that data. It does *not* apply to everyone with
just a name, address, and phone number of a MA resident.

From http://www.rapid7.com/solutions/comp...201-CMR-17.jsp

For the purpose of being compliant with the new Massachusetts data
privacy law, PI is defined as a resident's first name and last name or
first initial and last name in combination with any one or more of the
following data elements that relate to the resident:
* Social Security number;
* driver's license number or Massachusetts identification card
number;
* financial account number, or credit or debit card number, with
or without any required security code, access code, personal
identification number or password that would permit access to a
resident's financial account; or
* a biometric indicator.

So what's the big deal? If you store SSN, credit card, or bank account
info you should already be encrypting that data (it is likely that
your credit card processing agreement already includes a statement
affirming that you are already doing this). With a simple trigger
(even in D3, Kevin) you can easily encrypt specific fields or write
all PI type info to a special file and encrypt the entire record, then
check for authorized users before decrypting and displaying.

More from that same web site:

...the computer security provisions in the regulation use a risk-based
approach that complies to the extent that it is technically feasible,
meaning that reasonable means must be used to accomplish a required
result if reasonable technology is available.

The key concepts here being "reasonable means" and "reasonable
technology" as appropriate to your self-assessed risk exposure.

/Scott Ballinger
Pareto Corporation
Edmonds WA USA
206 713 6006
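The approach Scott describes (a write trigger that encrypts the specific PI fields, and a read path that checks for an authorized user before decrypting), together with the PI definition quoted above, worked through as an added example in Go. This is not code from any MV product or from this thread: the record layout, the role names and the choice of AES-GCM with the record ID as associated data are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)
// Record is a constructed stand-in for one item in a customer file; only the
// SSN element is modelled, card and account numbers work the same way.
type Record struct{ ID, FirstName, LastName, SSN string }
// ContainsPI applies the definition quoted above: a name plus a listed element.
func ContainsPI(r Record) bool {
	return r.FirstName != "" && r.LastName != "" && r.SSN != ""
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// ProtectRecord is the write-side "trigger": the SSN of a PI item becomes
// base64(nonce || AES-GCM ciphertext), bound to the record ID as associated
// data so that a ciphertext copied into another item will not decrypt.
func ProtectRecord(key []byte, r Record) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil || !ContainsPI(r) {
		return r, err // non-PI items are stored unchanged
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return r, err
	}
	r.SSN = base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(r.SSN), []byte(r.ID)))
	return r, nil
}
// RevealSSN is the read side: authorization is checked before any decryption;
// the GCM tag then rejects tampered or swapped ciphertext.
func RevealSSN(key []byte, r Record, role string) (string, error) {
	if role != "billing" && role != "admin" { // constructed role list
		return "", errors.New("not authorized to view SSN")
	}
	gcm, err := newGCM(key)
	raw, derr := base64.StdEncoding.DecodeString(r.SSN)
	if err != nil || derr != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("bad key or malformed ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(r.ID))
	return string(pt), err
}
```

Key management is deliberately outside this block: the key must come from something other than the data file itself, which is exactly the gap Kevin raises about products with no built-in support.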

#8 Mark Fuller - 04-28-2010, 10:19 AM

On 26 Apr, 09:49, eppick77 <eppic... (AT) yahoo (DOT) com> wrote:
Quote:
Check out this new law that went into effect March 1:

http://www.sqlmag.com/print/sql-serv...ill-Change-the...

It will affect anyone maintaining a database that has people from
Massachusetts.

Eugene
Eugene,

Reality V14.0 delivers a seamless data encryption at rest methodology
which would allow you to encrypt any information held within its
database. Not only that, but you also get utilities to securely manage
the keys, and it's fully integrated into Reality's security model.

Another benefit delivered with this is the ability to produce a
completely encrypted file-save or Fast-backup regardless of whether
the data itself is encrypted or not. This ensures that clients can
meet compliance when 'distributing' data, whether this just be to an
offsite storage location or to other clients/consumers of that data.

Regards
Mark Fuller

#9 Bill Crowell - 04-29-2010, 11:38 AM

On Apr 28, 11:19 am, Mark Fuller <mark.ful... (AT) northgate-is (DOT) com> wrote:
Quote:
On 26 Apr, 09:49, eppick77 <eppic... (AT) yahoo (DOT) com> wrote:

Check out this new law that went into effect March 1:

http://www.sqlmag.com/print/sql-serv...ill-Change-the...

It will affect anyone maintaining a database that has people from
Massachusetts.

Eugene

Eugene,

Reality V14.0 delivers a seamless data encryption at rest methodology
which would allow you to encrypt any information held within its
database. Not only that, but you also get utilities to securely manage
the keys, and it's fully integrated into Reality's security model.

Another benefit delivered with this is the ability to produce a
completely encrypted file-save or Fast-backup regardless of whether
the data itself is encrypted or not. This ensures that clients can
meet compliance when 'distributing' data, whether this just be to an
offsite storage location or to other clients/consumers of that data.

Regards
Mark Fuller
Having read the statute in its entirety, I think that most of it is
quite reasonable and that we have a bit of a "tempest in a teapot"
going on here much as we did with HIPAA. Having actually read the
HIPAA statute and having to deal with it as I've been in the medical
industry, there are no criminal charges that may be brought under
HIPAA nor are there any here. There are no actionable items whereby an
individual may sue you in either of these. Both specify that you must
have some "plan" for how you handle security. I think it perfectly
reasonable that all firms have some sort of security plan and
protection of data.

The statute does not require encryption on a server, though, again,
this is not a bad idea; however, it is not mandated.

Looking at what is mandated:
1. You have to have a plan - this is good for everyone. Especially
those of us in Cloud Computing.
2. You have to maintain control over user access to the systems you
run. Nothing wrong with that.
3. If you offload personal identification to USB sticks, laptops or
things that have a tendency to go missing, you must encrypt it, but
only if it has things like SSN, credit card numbers or other identity
theft potential. Again, I don't have a problem with this.
4. If your system runs traffic over the public Internet conveying this
information, you must encrypt it on the wire. HTTPS, SSH, duh! Who
would not?

The state of MA has no jurisdiction in NC or any other state. There is
a state sovereignty issue. Some bureaucrat in MA sends me a letter
demanding compliance. File it in the dustbin.

It's the purpose of security consultants to use scare tactics to get
business for themselves. They made BILLIONS with myths about what
HIPAA supposedly required. My advice, take a deep breath, read the
statute, do what is reasonable.

My 25 cents (2 cents in 1975 dollars)

Bil

#10 Ed Sheehan - 04-30-2010, 08:09 AM

Speaking of NC, I heard that they're "requiring" Amazon.com to retrieve
their sales records for the last seven years, and forward it to NC. The
state will then go through all the sales receipts, identify the customers,
and demand from them sales tax for their Amazon purchases. Amazon never
charged sales tax to NC residents, since they have no warehousing facilities
there, so they're saying "no thanks" to NC's "requirement."

Live free.

Ed
