A New Law Could Change the Way You Build Database Applications
April 22, 2010 01:04 PM SQL Server Magazine by Brian Moran
Massachusetts recently passed a sweeping new data security law that will have a profound impact on the way the United States, and perhaps the rest of the world, manages
and develops data-centric applications. Oddly, most people in the business don’t seem to know about it.
Google “Massachusetts data security law, 201 CMR 17.00” and you’ll find plenty of facts about the new law. I also encourage you to read
InformationWeek’s "States' Rights Come to Security Forefront: Massachusetts' new data protection law reaches beyond its borders. Are you ready?" It’s one of the best
summaries I’ve seen. But even it falls short of helping you understand the profound impact of this law.
Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to
encrypt that data on the wire and as it’s persisted. Sending PII over HTTP instead of HTTPS? That’s a big no no. Storing the name of a customer in SQL Server without the data being
encrypted? No way, Jose. You’ll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being
encrypted that’s $5,000,000. Yikes.
Perhaps just as much fun is the fact that to be compliant with the law your company will also need to maintain a Written Information Security Plan (WISP) and file it
with the state of Massachusetts. The WISP must address and outline your business’s “technical, administrative, and physical safeguards” that are in place to protect the data. If you
lost a laptop without a WISP being filed with Massachusetts, you’re potentially on the hook for a cool million even if the data was encrypted. Yikes again.
If I didn’t know better, I’d think the security czar of Massachusetts (or whatever the title is of the person who wrote this law) was a SQL Server sales
executive because the law could sell a heck of a lot of SQL Server 2008 Enterprise Edition upgrades to get Transparent Data Encryption and other useful Enterprise Edition–only features in the
OS and database stack.
By the way, this law doesn’t affect just businesses in MA. It also affects businesses that have PII for Massachusetts residents. Do you know if the application
you’re building for a company in Virginia might ever store Massachusetts resident data? Unless you’re sure that it never, ever will, you better be compliant with Massachusetts data
security law, 201 CMR 17.00. What if you’re sure and then one of your employees moves from Virginia to Massachusetts? Well, now you probably have PII for a MA resident. Yikes again. This law
changes pretty much everything we need to do and think about with respect to building database applications.
I could wax eloquently on about the potential battle of states’ rights versus federal oversight and the potential for a Supreme Court challenge based on the
Commerce Clause, but, this is an article for geeks, so I won’t go there. Instead, I’ll simply say once again: yikes.
Please check out msdn.microsoft.com/en-us/library/cc278098.aspx for a nice review of SQL Server 2008 Enterprise Edition security features
compared and contrasted to other ways to encrypt data on a Microsoft data stack.