The title itself is a little FUD-ish.

According to this link: http://www.leapfile.com/MA-201-CMR-17 , it only applies to the following subset of data:

--snip--
According to the definitions in 201 CMR 17.02, personal information is a Massachusetts resident's first name or first initial and last name IN COMBINATION with any one or more of the following data related to the person: social security number, driver's license number or state-issued identification card number, financial account number, credit or debit card number with or without any required security or access code or password that would permit access to financial information.
--snip--
Ummm, what's the legal theory that allows a US state to regulate out of state commerce like this?

On the other hand, I wouldn't want to be a web company based in Massachusetts and this might have more than a small effect on the Boston area's attractiveness to many startups.
After reading the law, I'm either missing the part where data has to be encrypted in all databases or (more likely) the article is misleading. As I read it, the data in question has to be encrypted during transmission (SSL, no big deal) or while stored on a portable device. Nowhere did I get the sense that a web application must maintain encrypted database records at all times.
I do like the idea of encrypting user names across the wire, but "to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts" goes way too far, imho. I am not a lawyer nor a database geek, so perhaps your take will differ...

UPDATE: "Massachusetts does not require that written information security programs be filed at this time, just that they exist," according to a second article, http://www.informationweek.com/news/security/government/show... . That is a lot better.