From: M Skabialka on
Normally I wouldn't post a URL for an article not specifically for Access,
but I know there are programmers out there with employee or customer
databases in Access:

Massachusetts recently passed a sweeping new data security law that will
have a profound impact on the way the United States, and perhaps the rest of
the world, manages and develops data-centric applications
...
Here are the basics of the new law. If you have personally identifiable
information (PII) about a Massachusetts resident, such as a first and last
name, then you have to encrypt that data on the wire and as it's persisted.
Sending PII over HTTP instead of HTTPS? That's a big no no. Storing the name
of a customer in SQL Server without the data being encrypted? No way, Jose.
You'll get a fine of $5,000 per breach or lost record. If you have a
database that contains 1,000 names of Massachusetts residents and lose it
without the data being encrypted that's $5,000,000.

More here:
http://www.sqlmag.com/article/sql-server/A-New-Law-that-Will-Change-the-Way-You-Build-Database-Applications.aspx


From: Paul Shapiro on
That's pretty scary for anyone doing data management, but some of the
comments submitted for that article ease my concern a bit. I did NOT read
the law, so I'm just reporting a few comments. They sound as reputable as
the original article to me, but that's not much of a legal opinion. The
original article was written by Brian Moran, a SQL Server expert but as far
as I know, not a lawyer.

1. A person's first and last name alone do NOT constitute Personally
Identifiable Information (PII). The definition of "personal information" is
a MA resident's first name and last or first initial and last name in
combination with SS#, DL#, state issued ID, financial account number(s) /
info that one could use to gain access to a resident's financial account.
Just the first + last name is not considered PI as it is publicly available
information. Someone else said that Connecticut considers passport numbers,
alien registration numbers and health insurance ID to be PII with similar
requirements for protection.

2. Mass Law doesn't require encryption at rest everywhere - only portable
devices and laptops. It also requires encrypted transmissions of the
specified data that will travel across PUBLIC networks and all data across
wireless networks. Mass law does raise the bar, but encryption of every
database is not a requirement.

"M Skabialka" <mskabialka(a)NOSPAMdrc.com> wrote in message
news:e59NZfv4KHA.1888(a)TK2MSFTNGP05.phx.gbl...
> Normally I wouldn't post a URL for an article not specifically for Access,
> but I know there are programmers out there with employee or customer
> databases in Access:
>
> Massachusetts recently passed a sweeping new data security law that will
> have a profound impact on the way the United States, and perhaps the rest of
> the world, manages and develops data-centric applications
> ...
> Here are the basics of the new law. If you have personally identifiable
> information (PII) about a Massachusetts resident, such as a first and last
> name, then you have to encrypt that data on the wire and as it's persisted.
> Sending PII over HTTP instead of HTTPS? That's a big no no. Storing the name
> of a customer in SQL Server without the data being encrypted? No way, Jose.
> You'll get a fine of $5,000 per breach or lost record. If you have a
> database that contains 1,000 names of Massachusetts residents and lose it
> without the data being encrypted that's $5,000,000.
>
> More here:
> http://www.sqlmag.com/article/sql-server/A-New-Law-that-Will-Change-the-Way-You-Build-Database-Applications.aspx
