I read this and had kittens for a minute:
"emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name (<- that's not exactly right - Ed.), then you have to [0]encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name (and SSN, Credit Card, etc - Ed.) of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"
Discuss this story at:
http://yro.slashdot.org/comments.pl?sid ... 25/1745210
Links:
0. http://www.sqlmag.com/print/sql-server/ ... tions.aspx
Happily, here's the actual language in the law:
"a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."
Since ShopSite can be set not to store CC numbers, no worries. That's the setup I use.
But, if people do store CC info, this is something to think about.
Thanks! Sorry for the freakout.
-Dee Dreslough
dee@sportsmogul.com
www.sportsmogul.com