[slantyyz]

The title itself is a little FUD-ish.

According to this link: http://www.leapfile.com/MA-201-CMR-17 , it only applies to the following subset of data:

--snip-- According to the definitions in 201 CMR 17.02, personal information is a Massachusetts resident’s first name or first initial and last name IN COMBINATION with any one of more of the following data related to the person: social security number, driver’s license number or state-issued identification card number, financial account number, credit or debit card number with or without any required security or access code or password that would permit access to financial information. --snip--

[viraptor]

Well - that's enough to make it relevant whenever there's a card transaction... that's going to affect a lot of people.

This however "and perhaps the rest of the world" is complete FUD - noone outside of US cares about US state laws (unless you have some branch there of course - but then you already know you have a lot more paperwork to do).

[slantyyz]

For more sensitive information, such as those elements listed, it's more common sense that you'd encrypt that data and have a security policy, regardless of what state in which the people in your database reside.

The title of this article so broad it implies that if you simply had a contact database (with no sensitive information) containing Mass residents that you'd have to file a security policy and encrypt every piece of information.

[bobbyi]

There's no need to store any of those things in your database in order to allow card transactions.

[viraptor]

Unless I misunderstood this, it affects you even if you only transfer the information to a 3rd party:

17.04: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information...

Also many online shops allow you to save the info in case you want to reuse it in the future.

[nostrademons]

If you're not storing the information, presumably you don't need to encrypt the data that you're not storing. You do need to encrypt it while transferring it (i.e. use https instead of http), but if you don't do this already, shame on you!

Similarly, if you're storing credit card numbers in plaintext in a database, shame on you! That's worse than storing plain-text passwords.

I think the worst parts of this law are the "you have to file with the Massachusetts government" aspects. The technical stuff is basically common-sense data security that everyone should already be doing.

[hga]

This is not my field, but don't you have to store card card numbers in order to do things like issue refunds?

[hga]

Correct that, partial refunds.