Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 E-mail Us
 Oracle Articles
New Oracle Articles

 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog

 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Oracle Support

 SQL Tuning

 Oracle UNIX
 Oracle Linux
 Remote s
 Remote plans
 Application Server

 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S


 Consulting Staff
 Consulting Prices
 Help Wanted!


 Oracle Posters
 Oracle Books

 Oracle Scripts

Don Burleson Blog 







Massachusetts State Privacy Law to effect hundreds of Oracle databases

Oracle Database Tips by Donald BurlesonApril 29, 2015

Massachusetts has enacted a new data privacy law with sweeping implications for Oracle databases all across America. 

Massachusetts data security law, (201 CMR 17.00) is a powerful new data privacy  law, which says that any database, anywhere on the planet that contains personally information about a resident of Massachusetts must be encrypted, else face a $50,000 fine! 

"Companies must file their WISPs with the state [of Massachusetts] to show that they have data security programs in place and confirm that they're compliant.

That's critical, because there's no other auditing or oversight mechanism."

Here is the FAQ for this new data privacy law.

Note that this new law should not be a problem for Oracle shops that follow Oracle best practices and encrypt confidential customer information, they only need to file the WISP with the state of Massachusetts.   This law is also similar to many existing state laws that require Oracle DBA's to perform due diligence and encrypt sensitive information, and most Oracle shops have done this years ago.

This new data privacy law has wide reach, and it applies to any database, anywhere on the planet that stores personally identifiable information about a Massachusetts resident.  The law requires all Oracle database that contain personally identifiable information to:

  • Have an active security program:  You must attest that they have a working data security program in place to protect any personally identifiable information (PII) they've collected from state residents.  This personally identifiable information includes data that is unique to you alone, things such as your home address, social security numbers, drivers license numbers and financial account information.  It DOES NOT include information that does not specifically identify you, data like your eye color, a list of your favorite movies, your salary, or your occupation. 
  • Publish a written security policy:  You must maintain a comprehensive written information security program (WISP) that includes "technical, administrative, and physical safeguards" to protect PII. Here is an example WISP.
  • Encrypt confidential data:  You must maintain data encryption on all data, including data in Oracle databases, spreadsheets, laptops and portable data management devices like iPhones, MP3 players and even USB drives.

This law attempt to protect Massachusetts residents from inadvertent disclosure of confidential personal information, and it overlaps with several existing Federal data centric mandates such as HIPAA, SOX and GLB. 

This new State law comes with teeth, stiff fines for failure to comply with fines of $5,000 per violation, $50,000 per instance and $100 per resident affected.

States rights to impose their laws upon foreign jurisdictions

This is not the first time that a sovereign jurisdiction has attempted to regulate the entire world, and other attempts to regulate the internet have met with failure. 

The dormant commerce clause (Article 1, Section 8, Clause 3 of United States Constitution)  prohibits states from interfering with interstate commerce and gives Congress the exclusive power "to regulate commerce with foreign nations, and among the several states".

Hence, we see these notable failures among States and countries who have tried to regulate eCommerce:

  • Australia - The Aussies passed a Libel law that attempted to regulate the entire world, claiming their right to fine anybody, anywhere, who violated their draconian libel laws. In America, this nonsense was ignored because it is contradictory to the First Amendment right to free speech.
  •  North Carolina -  The North Carolina Auctioneering Licensing Board issued a ruling that anyone, anywhere who sells good to a North Carolina resident via an online auction must possess a valid North Carolina auctioneers license. eBay successfully fought this law.

The fines in a typical Oracle database could reach millions of dollars, a potential boom as cash-strapped Massachusetts (often mocked as "Taxachusetts") tries to full their coffers from fining Oracle database owners.

The ramifications of this law are unclear as are enforceability issues across jurisdictions will surely be challenged in court.  However, it is clear that Oracle DBA's have a clear mandate to protect the privacy of confidential personal information.

For a complete treatment of US Federal data privacy law is it applies to Oracle databases, see the book Oracle Privacy Security Auditing by Rampant TechPress.

Get the Complete
Oracle SQL Tuning Information 

The landmark book "Advanced Oracle SQL Tuning  The Definitive Reference"  is filled with valuable information on Oracle SQL Tuning. This book includes scripts and tools to hypercharge Oracle 11g performance and you can buy it for 30% off directly from the publisher.



Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.



Oracle Training at Sea
oracle dba poster

Follow us on Twitter 
Oracle performance tuning software 
Oracle Linux poster