In case you haven’t heard about the new Massachusetts state law regarding consumer or client information in databases, you can read about it here, at Information Week, or just Google for “Massachusetts data security law”. And if you haven’t read about, then I strongly suggest you do. This is one of those instances where I believe their heart is in the right place, even if the execution/implementation wasn’t perfect.
I get the feeling that Mass will make an example of a few offenders and then hope that the law either gets picked up by other states or federalized. The problem is that this law will only really affect companies that are headquartered in Mass. I am by no means a lawyer, but I don’t believe that its legal for the state of Mass to go after companies that are headquartered in other states.
Now at the very least, this should be a reminder to developers and sysadmins to make sure that data is properly protected, both in storage and transfer, and that is properly managed within an application. Although this is a scary prospect that the government is getting involved in software design and data management, it certainly isn’t the first time (think HIPAA, FIPS testing, and Sarbanes–Oxley). Although those have been helpful, the goals seemed a little clearer.
This law is going to put a pretty heavy imposition on smaller organizations with regard to user education and basic requirements fulfillment for data storage. It’s going to be quite a bit harder to bring a product to market in Mass. Although it seems like the government is doing a service, here they may be doing a disservice to their state economy.
I guess we’ll have to see how this plays out. Thoughts?