When All Else Fails

A New Law Could Change the Way You Build Database Applications

by Brian Moran, SQLServer

Massachusetts recently passed a sweeping new data security law that will have a profound impact on the way the United States, and perhaps the rest of the world, manages and develops data-centric applications. Oddly, most people in the business don’t seem to know about it.

Google “Massachusetts data security law, 201 CMR 17.00” and you’ll find plenty of facts about the new law. I also encourage you to read InformationWeek’s “States’ Rights Come to Security Forefront: Massachusetts’ new data protection law reaches beyond its borders. Are you ready?” It’s one of the best summaries I’ve seen. But even it falls short of helping you understand the profound impact of this law.

Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it’s persisted. Sending PII over HTTP instead of HTTPS? That’s a big no no. Storing the name of a customer in SQL Server without the data being encrypted?  No way, Jose. You’ll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted that’s $5,000,000. Yikes.

Perhaps just as much fun is the fact that to be compliant with the law your company will also need to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts. The WISP must address and outline your business’s “technical, administrative, and physical safeguards” that are in place to protect the data. If you lost a laptop without a WISP being filed with Massachusetts, you’re potentially on the hook for a cool million even if the data was encrypted. Yikes again.

If I didn’t know better, I’d think the security czar of Massachusetts (or whatever the title is of the person who wrote this law) was a SQL Server sales executive because the law could sell a heck of a lot of SQL Server 2008 Enterprise Edition upgrades to get Transparent Data Encryption and other useful Enterprise Edition–only features in the OS and database stack.

By the way, this law doesn’t affect just businesses in MA. It also affects businesses that have PII for Massachusetts residents. Do you know if the application you’re building for a company in Virginia might ever store Massachusetts resident data? Unless you’re sure that it never, ever will, you better be compliant with Massachusetts data security law, 201 CMR 17.00. What if you’re sure and then one of your employees moves from Virginia to Massachusetts? Well, now you probably have PII for a MA resident. Yikes again. This law changes pretty much everything we need to do and think about with respect to building database applications.

I could wax eloquently on about the potential battle of states’ rights versus federal oversight and the potential for a Supreme Court challenge based on the Commerce Clause, but, this is an article for geeks, so I won’t go there. Instead, I’ll simply say once again: yikes.

Please check out msdn.microsoft.com/en-us/library/cc278098.aspx for a nice review of SQL Server 2008 Enterprise Edition security features compared and contrasted to other ways to encrypt data on a Microsoft data stack.