A New Law Could Change the Way You Build Database Applications

M Skabialka

Normally I wouldn't post a URL for an article not specifically for Access,
but I know there are programmers out there with employee or customer
databases in Access:

Massachusetts recently passed a sweeping new data security law that will
have a profound impact on the way the United States, and perhaps the rest of
the world, manages and develops data-centric applications
..
Here are the basics of the new law. If you have personally identifiable
information (PII) about a Massachusetts resident, such as a first and last
name, then you have to encrypt that data on the wire and as it's persisted.
Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name
of a customer in SQL Server without the data being encrypted? No way, Jose.
You'll get a fine of $5,000 per breach or lost record. If you have a
database that contains 1,000 names of Massachusetts residents and lose it
without the data being encrypted that's $5,000,000.

More here:
http://www.sqlmag.com/article/sql-s...-the-Way-You-Build-Database-Applications.aspx
 
.... and they include firstname and lastname as PII?!

OK, now, all you "John Smiths" in Massachusetts, raise your hands...<g>

(thanks for the heads up!)

Regards

Jeff Boyce
Microsoft Access MVP

--
Disclaimer: This author may have received products and services mentioned
in this post. Mention and/or description of a product or service herein
does not constitute endorsement thereof.

Any code or pseudocode included in this post is offered "as is", with no
guarantee as to suitability.

You can thank the FTC of the USA for making this disclaimer
possible/necessary.
 
Jeff Boyce said:
... and they include firstname and lastname as PII?!

OK, now, all you "John Smiths" in Massachusetts, raise your hands...<g>


Reading the article and comments posted on it, it *looks* like you need the
combination of last name, first name/initial, and another significant ID
number (such as SSN, driver's license number, or state-issued ID number) in
order to have it considered PII. If that is the case, it isn't quite so
bad; however, it's still a very significant legal burden.
 
I see no reason to have anyone walking on the street with my name and my
social security number on his computer without some proper security for
protecting them and I applaud this law.

We have seen so many cases where millions of SSNs have been stolen because
someone forgot his computer - or had it stolen - on the street while having no
real reason to have a confidential database on his computer out in public
other than a total disregard for security matters and the protection of
confidential information.

It's as if they think: « My name and my SSN are not in this
database/computer, so I don't care if it gets stolen. » Well, now it's time
to put an end to this and make them think twice before not taking the
protection of confidential private data seriously, and make sure that they
will care even in the cases when their own SSN is not there.

--
Sylvain Lafontaine, ing.
MVP - Windows Live Platform
Blog/web site: http://coding-paparazzi.sylvainlafontaine.com
Independent consultant and remote programming for Access and SQL-Server
(French)
 