A New Massachusetts Law Could Radically Change How You Build Database Applications

by Developer.com Staff

A new Massachusetts law could radically change how you build Web applications. It levies heavy fines for not encrypting personally identifiable information about Massachusetts residents.

Massachusetts recently passed a radical data security law that could drastically change how database Web applications are built in any state.

According to a story by Brian Moran in SQL Server Magazine, the Massachusetts law deals with sending any personally identifiable information about any Massachusetts resident.

"Sending PII over HTTP instead of HTTPS? That's a big no-no," Moran said. "Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."

The law also specifies that companies will need to file a Written Information Security Plan with the state of Massachusetts.

"The WISP must address and outline your business's 'technical, administrative, and physical safeguards' that are in place to protect the data. If you lost a laptop without a WISP being filed with Massachusetts, you're potentially on the hook for a cool million even if the data was encrypted. Yikes again," Moran said.

The law doesn't just affect Massachusetts businesses, but any company that stores personally identifiable information about Massachusetts residents.

You can read the law for yourself here (PDF).

This article was originally published on Monday Apr 26th 2010