Re: Data Security Law

  • From: Bill Ferguson <wbfergus@xxxxxxxxx>
  • To: Richard.Goulet@xxxxxxxxxxx
  • Date: Wed, 28 Apr 2010 14:12:24 -0600

This "personally identifiable information" (PII) part has really
caused me lots of heartburn.

According to NIST Special Publication 800-122 (Draft), section 2.2
(Examples of PII Data): (these are just the ones that cause me
heartburn)

Name, such as full name, maiden name, mother's name, or alias.

Address information, such as street address or email address.

Telephone numbers, including mobile, business, and personal numbers.

Information about an individual that is linked or linkable to one of
the above (e.g., date of birth, place of birth, race, religion,
weight, activities, or employment, medical, education, or financial
information).

So, by these flaky definitions, the phone book is chock full of PII.
Every email is PII. About the only thing that isn't PII is a blank
file.

So, even though the folks in my office do nothing except gather
publicly available information, analyze it and make some assumptions
and maybe make a few graphs, etc., and then regurgitate out into
another publication, everything still needs to be treated as if it
contained national security secrets since parts of it will certainly
contain some of the above types of data.


-- 
-- Bill Ferguson


> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Daniel Fink
> Sent: Wednesday, April 28, 2010 2:46 PM
> To: oracle-l
> Subject: Data Security Law
>
> There is a law in Massachusetts (USA) that requires any Personal
> Identifying Information about any Massachusetts resident be encrypted
> and sets some pretty hefty penalties for violations. It is important to
> note that it is not about businesses in/or doing business in
> Massachusetts, but any organization that has a client who resides in
> Massachusetts.
--
//www.freelists.org/webpage/oracle-l