Hacker News
by AnneTheAgile 5894 days ago
I do like the idea of encrypting user names across the wire, but "to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts" goes way too far, imho. I am not a lawyer nor a database geek, so perhaps your take will differ...

UPDATE: "Massachusetts does not require that written information security programs be filed at this time, just that they exist," according to a second article, http://www.informationweek.com/news/security/government/show... . That is a lot better.

2 comments

For reference, the law's URL, which was cited in slantyyz's reference, was out of date. Here is the current link: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

There is absolutely no need to "file" the WISP with the state. The WISP is an internal document that state officials would likely look for in the event of a data security incident (i.e., a breach or report of lost data such as a missing laptop).