Massachusetts recently passed a radical data security law that could drastically change how database Web applications are built in any state.
According to a story by Brian Moran in SQL Server Magazine, the Massachusetts law deals with sending any personally identifiable information about any Massachusetts resident.
“Sending PII over HTTP instead of HTTPS? That’s a big no-no,” Moran said. “Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You’ll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that’s $5,000,000. Yikes.”
The law also specifies that companies will need to file a Written Information Security Plan with the state of Massachusetts.
“The WISP must address and outline your business’s ‘technical, administrative, and physical safeguards’ that are in place to protect the data. If you lost a laptop without a WISP being filed with Massachusetts, you’re potentially on the hook for a cool million even if the data was encrypted. Yikes again,” Moran said.
The law doesn’t just affect Massachusetts businesses, but any company that stores personally identifiable information about Mass. residents.
You can read the law for yourself here (PDF).