Massachusetts has enacted a new data privacy law with sweeping
implications for Oracle databases all across America.
Massachusetts data security law, (201 CMR 17.00) is a powerful
new
data privacy law, which says that any database, anywhere
on the planet that contains personally information about a resident
of Massachusetts must be encrypted, else face a $50,000 fine!
"Companies must file their WISPs with the state
[of Massachusetts] to show that they have data security programs in
place and confirm that they're compliant.
That's critical, because there's no other
auditing or oversight mechanism."
Here is the
FAQ
for this new data privacy law.
Note that this new law should not be a problem for Oracle shops
that follow Oracle best practices and encrypt confidential customer
information, they only need to file the WISP with the state of
Massachusetts. This law is also similar to many existing
state laws that require Oracle DBA's to perform due diligence and
encrypt
sensitive information, and most Oracle shops have done this
years ago.
This new data privacy law has wide reach, and it applies to any
database, anywhere on the planet that stores personally identifiable
information about a Massachusetts resident. The law requires
all Oracle database that contain personally identifiable information
to:
- Have an active security program: You
must attest that they have a working data security program in
place to protect any personally identifiable information (PII)
they've collected from state residents. This personally
identifiable information includes data that is unique to you
alone, things such as your home address, social security
numbers, drivers license numbers and financial account
information. It DOES NOT include information that does not
specifically identify you, data like your eye color, a list of
your favorite movies, your salary, or your occupation.
- Publish a written security policy:
You must maintain a comprehensive written information security
program (WISP) that includes "technical, administrative, and
physical safeguards" to protect PII. Here is an
example WISP.
- Encrypt confidential data: You must
maintain data encryption on all data, including data in Oracle
databases, spreadsheets, laptops and portable data management
devices like iPhones, MP3 players and even USB drives.
This law attempt to protect Massachusetts residents from
inadvertent disclosure of confidential personal information, and it
overlaps with several existing Federal data centric mandates such as
HIPAA, SOX and GLB.
This new State law comes with teeth, stiff fines for failure to
comply with fines of $5,000 per violation, $50,000 per instance and
$100 per resident affected.
States rights to impose their laws upon foreign
jurisdictions
This is not the first time that a sovereign jurisdiction has
attempted to regulate the entire world, and other attempts to
regulate the internet have met with failure.
The
dormant commerce clause (Article 1, Section 8, Clause 3 of
United States Constitution)
prohibits states from interfering with interstate commerce and
gives Congress the exclusive power "to regulate commerce with
foreign nations, and among the several states".
Hence, we see these notable failures among States and countries
who have tried to regulate eCommerce:
- Australia - The Aussies passed a Libel law
that attempted to regulate the entire world, claiming their
right to fine
anybody, anywhere, who violated their draconian libel laws.
In America, this nonsense was ignored because it is
contradictory to the First Amendment right to free speech.
- North Carolina - The
North Carolina Auctioneering Licensing
Board issued a ruling that anyone, anywhere who sells good to a
North Carolina resident via an online auction must possess a
valid North Carolina auctioneers license.
eBay successfully fought this law.
The fines in a typical Oracle database could reach millions of
dollars, a potential boom as cash-strapped Massachusetts (often
mocked as "Taxachusetts") tries to full their coffers from fining
Oracle database owners.
The ramifications of this law are unclear as are enforceability
issues across jurisdictions will surely be challenged in court.
However, it is clear that Oracle DBA's have a clear mandate to
protect the privacy of confidential personal information.
For a complete treatment of US Federal data privacy law is it
applies to Oracle databases, see the book
Oracle
Privacy Security Auditing by Rampant TechPress.
|
|
Get the Complete
Oracle SQL Tuning Information
The landmark book
"Advanced Oracle
SQL Tuning The Definitive Reference" is
filled with valuable information on Oracle SQL Tuning.
This book includes scripts and tools to hypercharge Oracle 11g
performance and you can
buy it
for 30% off directly from the publisher.
|