
Data Breach Could Test Massachusetts Law

CmdrTaco posted more than 3 years ago | from the keeping-the-secrets dept.

Government

Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."


73 comments


Internal Turmoil. (2)

tc3driver (669596) | more than 3 years ago | (#34635692)

This one has me torn... On one hand I would like to see companies held accountable for the damage that a breach can cause to an end consumer... the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

Re:Internal Turmoil. (2)

psithurism (1642461) | more than 3 years ago | (#34635744)

They are not necessarily in trouble for being breached. It appears the breach highlighted the fact that they were not compliant with the law. The customer records should have been encrypted and the extent of data retained seems excessive.

Though, we don't know whether they are in violation of the law.

yet. (1)

psithurism (1642461) | more than 3 years ago | (#34635758)

yet. As the investigators are refusing comment.

Re:Internal Turmoil. (2)

cappp (1822388) | more than 3 years ago | (#34635804)

TFA claims all files need to be encrypted but the law doesn't. I pasted the text a couple of replies down... there's nothing in there about encrypting records if they're not on portable media, being broadcast wirelessly, or travelling across public networks.

Re:Internal Turmoil. (2)

Ritchie70 (860516) | more than 3 years ago | (#34636624)

Yes, this has been a major point at work - we're a retailer with locations in Mass, and many of our in-store systems date from the 1980's, so there's no encryption. The law says encryption is required when the data is in transit, including being on portable devices, not when it's sitting in a database.

Re:Internal Turmoil. (1)

AltairDusk (1757788) | more than 3 years ago | (#34640662)

Even if the law did I would hope it would specify the levels/types of encryption acceptable if only to avoid "Yes your honor, we were completely compliant with the law. All of our customer data was encrypted in ROT26 format".

Re:Internal Turmoil. (1)

icebike (68054) | more than 3 years ago | (#34635946)

Why should a sightseeing company have anything more than a credit card on file?

Re:Internal Turmoil. (0)

Anonymous Coward | more than 3 years ago | (#34636590)

The Department of Homeland Security requires smaller businesses to keep full profiles on all aircraft passengers for a minimum of one year.

Re:Internal Turmoil. (1)

icebike (68054) | more than 3 years ago | (#34636710)

Certainly nothing more than you need to book a flight which does not include any financial data.

You are making this up. What was stolen was simply credit card numbers.

Re:Internal Turmoil. (1)

psithurism (1642461) | more than 3 years ago | (#34637372)

Why should a sightseeing company have anything more than a credit card on file?

Maybe they should make a law against that!

Re:Internal Turmoil. (1)

hey! (33014) | more than 3 years ago | (#34637920)

Because they *can*. As far back as the landmark 1972 HEW report on Computers Records and the Rights of Citizens, the dangerous tendency to automatically file everything in computerized record keeping systems was obvious. The marginal cost of storing a record was lower than it had ever been before. Why not file everything you can get your hands on? You might find a use for it later. Well, it turns out there's all kinds of really bad things that can happen, especially if that information gives access to somebody else's credit. It didn't take a fortune teller to figure that out. People who bothered to think about this problem back in the *Nixon* administration realized how serious a problem knee-jerk record retention was.

Now back in the early 90s, I designed a set of payment processing business procedures with a CPA friend of mine, and we had a big fight with the VP of marketing who had visions of telemarketing operators pulling up credit card numbers from caller ID. Of course that gave those same operators the ability to pull up any customer's credit card information just by typing their name. Anybody who has access to a backup tape could do some serious damage, and if he had half a brain he probably wouldn't get caught for a long time. So we simply refused to do it, citing standard accounting anti-fraud procedures. And nobody was going to order us to do differently, because we made it clear that wouldn't happen without a document trail that would make the responsibility for the decision crystal clear if anything went wrong.

What happened since then is that standards of financial responsibility have fallen dramatically in the rush to make a quick buck in ecommerce. It has nothing to do with some brave new world of technology and everything to do with laziness and greed. People have always done it, and it's always been sloppy. Customers are to blame too. They love the convenience of not having to fish out their credit card and type it in every time they buy something, until they get their identity stolen.

Re:Internal Turmoil. (1)

icebike (68054) | more than 3 years ago | (#34638216)

Of course that gave those same operators the ability to pull up any customer's credit card information just by typing their name.

What happened since then is that standards of financial responsibility have fallen dramatically in the rush to make a quick buck in ecommerce.

Actually the opposite has happened.

Storing credit card numbers in your database has so many Visa/Mastercard requirements and restrictions these days that many companies simply choose not to do it at all, and ask for a cc each time you need to purchase.

Unless your software encrypts the data, forget it. Some small businesses lie and do it anyway, but it's very foolish and dangerous.

I'm not. (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34635772)

... the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

Tough shit. If a company is going to store that information, then they need to protect it. There's absolutely no reason what so ever for a sightseeing company to store credit card information. None. Customer comes back next year, well get the card number again - the card could be expired anyway.

And companies who keep it on file for things like automatic renewals at magazines - fucking Scientific American does this whether you like it or not when you subscribe online - then they must protect that data. Someone breaks in? Too fucking bad. It's their fault - no excuses.

Re:I'm not. (1)

TaoPhoenix (980487) | more than 3 years ago | (#34636568)

AC is right, yet he's modded flamebait.

Violation of Payment Card Industry regulations? (3, Interesting)

PatPending (953482) | more than 3 years ago | (#34635714)

Related story: Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen [threatpost.com] (emphasis added)

The database contained a variety of customer financial data, including the customer's name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

Twin America said it has filed a complaint with the FBI's Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patched discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.

Re:Violation of Payment Card Industry regulations? (1)

Anonymous Coward | more than 3 years ago | (#34635812)

If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention

PCI compliance is not law. Industry standards are not enforceable.

Re:Violation of Payment Card Industry regulations? (4, Informative)

PatPending (953482) | more than 3 years ago | (#34635912)

Not law but:

Penalties for Non-compliance

25. Are there fines associated with non-compliance of the PCI Data Security Standards?

Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.

26. Are there fines if cardholder data is compromised?

Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:

  • Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
  • All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
  • Cost of re-issuing cards associated with the compromise.
  • Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25 [wellsfargo.com]

Re:Violation of Payment Card Industry regulations? (1)

icebike (68054) | more than 3 years ago | (#34635960)

Ok, So that was the Attorney General of Visa that the story mentions?

Re:Violation of Payment Card Industry regulations? (0)

Anonymous Coward | more than 3 years ago | (#34636492)

In the calculus of personally identifying information data loss, the industry standard is somewhere between $190-220 per customer exposure. At 110k users that's about 20.9m worth of liability they've just been hit with. I hope other companies look at this as a warning, since this is not the first but one of a series since TJ Max.

Re:Violation of Payment Card Industry regulations? (1)

locallyunscene (1000523) | more than 3 years ago | (#34641140)

All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.

I wonder what "losses" covers exactly. Retailers are generally the only ones that lose out in credit card fraud and I doubt this money is going to them.

Re:Violation of Payment Card Industry regulations? (1)

PatPending (953482) | more than 3 years ago | (#34647756)

It's my understanding that once a merchant receives an authorization number for a given transaction, the issuing credit card company is out the money, not the merchant, in this case (i.e., stolen information).

Re:Violation of Payment Card Industry regulations? (1)

locallyunscene (1000523) | more than 3 years ago | (#34652842)

Nope, I've worked for several online retailers. The credit card issues a chargeback stating the transaction was fraudulent. Retailers are on the hook to verify their transactions are legal.

Credit Card Companies have a very sweet deal.

Re:Violation of Payment Card Industry regulations? (1)

PatPending (953482) | more than 3 years ago | (#34657174)

An authorization number is just that -- the issuer of the credit card has hereby authorized the transaction.

If the issuer knew the credit card was invalid (for whatever reason(s)), it would never have issued the authorization number in the first place.

Furthermore, an authorization number is not retroactive.

So we must agree to disagree.

Re:Violation of Payment Card Industry regulations? (1)

Kakari (1818872) | more than 3 years ago | (#34761838)

Oh how I wish your view prevailed, but the fact is that while the card was valid at the time the purchase was fraudulent and the purchaser effectively stole from the merchant. The payment processor (who bundles transactions up to Visa/MC/Amex/etc. networks) will pull the payment from the merchant's account without notice (see http://www.natwest.com/global/legal/business/worldpay.ashx [natwest.com] under section 8. Chargebacks and specifically 8.5)

8. CHARGEBACKS

8.1 In certain circumstances, Card Issuers, Card Schemes and/or Other Financial Institutions refuse to Settle a Transaction or require repayment from Us in respect of a Transaction previously Settled and/or Remitted, notwithstanding that Authorisation may have been obtained from the Card Issuer and/or Other Financial Institution (such circumstances being a "Chargeback").

and

8.5 Where a Chargeback occurs, We shall immediately be entitled to debit Your Merchant Bank Account and/or make a deduction from any Remittance in accordance with clause 7.3.1 and/or invoice You in accordance with clause 7.3.2 to recover:
8.5.1 the full amount of the relevant Chargeback; and
8.5.2 any other costs, expenses, liabilities or Fines which We may incur as a result of or in connection with such Chargeback ("Chargeback Costs").

8.6 A Chargeback represents an immediate liability from You to Us and where the full amount of any Chargeback and/or any Chargeback Costs is not debited by Us from Your Merchant Bank Account or deducted from any Remittance or invoiced as referred to in clause 8.5, then We shall be entitled to otherwise recover from You by any means the full amount of such Chargeback and Chargeback Costs (or the balance thereof, as the case may be).

8.7 We shall not be obliged to investigate the validity of any Chargeback by any Card Issuer, Card Scheme or Other Financial Institution, whose decision shall be final and binding in respect of any Chargeback.

It sucks and merchants get the shaft and as locallyunscene said, "Credit Card Companies have a very sweet deal."

Re:Violation of Payment Card Industry regulations? (1)

PatPending (953482) | more than 3 years ago | (#34762784)

A Chargeback is an entirely different subject. (We routinely handle them every so often.)

Re:Violation of Payment Card Industry regulations? (0)

Anonymous Coward | more than 3 years ago | (#34636152)

But whoever stole the data is guilty of breaking the law (computer access laws, fraud, among others), which is why they reported it to the FBI.

Re:Violation of Payment Card Industry regulations? (1, Interesting)

MichaelKristopeit314 (1963188) | more than 3 years ago | (#34635842)

if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?

Re:Violation of Payment Card Industry regulations? (4, Informative)

PatPending (953482) | more than 3 years ago | (#34635932)

The credit card merchant services provides a hash value that is subsequently used. You may store the expiration date and last four digits.

Re:Violation of Payment Card Industry regulations? (2, Insightful)

MichaelKristopeit317 (1963196) | more than 3 years ago | (#34636178)

so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.

Re:Violation of Payment Card Industry regulations? (1)

terraformer (617565) | more than 3 years ago | (#34636228)

so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.

It's not interchangeable. It is limited to this vendor.

Re:Violation of Payment Card Industry regulations? (-1, Troll)

MichaelKristopeit314 (1963188) | more than 3 years ago | (#34636324)

when "this vendor" = amazon.com, and amazon.com serves as an intermediary for nearly EVERY 3rd party vendor, then it's fairly ignorant and hypocritical to call the data "useless" when it alone can be used to process new charges nearly ubiquitously.

Re:Violation of Payment Card Industry regulations? (1)

Rakishi (759894) | more than 3 years ago | (#34638520)

It's useless unless you're able to hack into amazon's servers and initiate charges using hashed information. In which case the information is still useless since you've got much better access from the hack anyways.

So yes, your own inability to understand what's going on doesn't change reality.

Re:Violation of Payment Card Industry regulations? (0)

MichaelKristopeit321 (1963760) | more than 3 years ago | (#34642502)

ur mum's face's inability to understand what's going on doesn't change reality.

perhaps you're not familiar with man in the middle attacks... or perhaps you just hypocritically ignore the potential they provide.

you're an idiot.

Re:Violation of Payment Card Industry regulations? (1)

Rakishi (759894) | more than 3 years ago | (#34646108)

If you're able to do a man in the middle attack between amazon's servers and the credit card companies' servers then it doesn't really matter if you have the hashed number or not. In every other case they're useless.

So once again you've shown your incompetence. Thank you for making it easy.

Re:Violation of Payment Card Industry regulations? (1)

MichaelKristopeit321 (1963760) | more than 3 years ago | (#34646576)

ur mum's face've shown your incompetence.

of course it doesn't matter if i HAVE the hashed numbers... the exploit exists in the hash numbers REMAINING STORED ON AMAZON'S SERVERS AND BEING USED BETWEEN AMAZON'S SERVERS AND THE PAYMENT PROCESSOR IN LIEU OF AN ACTUAL CARD NUMBER.

you're an idiot.

Re:Violation of Payment Card Industry regulations? (1)

pthreadunixman (1370403) | more than 3 years ago | (#34637870)

Didn't you hear? All security problems can be solved with hash functions.

Re:Violation of Payment Card Industry regulations? (0)

MichaelKristopeit319 (1963200) | more than 3 years ago | (#34638314)

yeah, same guy taught me how to encode passwords with javascript before sending them to the server. SUPER secure.

Re:Violation of Payment Card Industry regulations? (2)

terraformer (617565) | more than 3 years ago | (#34635938)

if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?

They store data that is useless to others. They don't need to store the card's data, only data about their first transaction with you.

Re:Violation of Payment Card Industry regulations? (0)

MichaelKristopeit316 (1963192) | more than 3 years ago | (#34636188)

if the data can be used to initiate future transactions, it is not useless.

Re:Violation of Payment Card Industry regulations? (1)

terraformer (617565) | more than 3 years ago | (#34636216)

if the data can be used to initiate future transactions, it is not useless.

If it can only be used to initiate future transactions with the original vendor, it is of limited utility to criminals. It also makes the liability for fraud limited to the vendor who got hacked, which is a nice market based mechanism for those who have crappy security to fix their problems.

Re:Violation of Payment Card Industry regulations? (-1, Troll)

MichaelKristopeit315 (1963190) | more than 3 years ago | (#34636294)

a limited use is still a use.

did your mother name you "terraformer"? why do you cower behind a chosen pseudonym? what are you afraid of?

you're completely pathetic.

Re:Violation of Payment Card Industry regulations? (1)

Anonymous Coward | more than 3 years ago | (#34636526)

dude, how many slashdot accounts do you have...?

http://slashdot.org/~MichaelKristopeit313 [slashdot.org]
http://slashdot.org/~MichaelKristopeit314 [slashdot.org]
http://slashdot.org/~MichaelKristopeit315 [slashdot.org]
http://slashdot.org/~MichaelKristopeit316 [slashdot.org]
http://slashdot.org/~MichaelKristopeit317 [slashdot.org]

"you're completely pathetic."

you've got way too much free time, man...

Re:Violation of Payment Card Industry regulations? (0)

MichaelKristopeit313 (1963186) | more than 3 years ago | (#34636614)

i don't have any more than i CAN have.

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Violation of Payment Card Industry regulations? (2, Informative)

Anonymous Coward | more than 3 years ago | (#34636018)

You can store card data, but not the CVV2 info. There are requirements about how that data is stored, but CVV2 cannot be stored. Ever. Even encrypted. That's the point. And you don't have to have the CVV2 to process transactions, it just helps prove it isn't a fraudulent transaction. This is to help make the physical card (or whoever holds it) the only source of this information. That's the theory anyway. It rarely works that way in practice, of course.
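The storage rule the posts above converge on (the merchant keeps a processor-issued reference plus last four and expiry, never the full PAN and never CVV2, and the reference is only good for the merchant that created it) is easier to reason about in code. The block below is an added example written for this page, not code from Amazon, Twin America or any real payment processor: the vault, its token format, the merchant identifiers and the card numbers are all constructed for illustration, and the vault is an in-process stand-in for the processor's side.

```python
import secrets
from dataclasses import dataclass

# Constructed model for illustration only: the vault, token format, merchant
# identifiers and card numbers below are not taken from any real system.


def luhn_ok(pan: str) -> bool:
    """Luhn check, used here to recognise a string that is a real card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardInput:
    """What the customer types at checkout. The CVV2 travels with the first
    authorisation and is then dropped; nothing below ever persists it."""
    pan: str
    exp_month: int
    exp_year: int
    cvv2: str


class VaultError(Exception):
    pass


class CardVault:
    """Stand-in for the processor's vault. A token is bound to the merchant that
    created it, so a token copied out of one merchant's database cannot be used
    to charge the card from anywhere else."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[str, str, int, int]] = {}

    def tokenize(self, merchant_id: str, card: CardInput) -> str:
        if not luhn_ok(card.pan):
            raise VaultError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)      # random, not derived from the PAN
        self._records[token] = (merchant_id, card.pan, card.exp_month, card.exp_year)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        rec = self._records.get(token)
        if rec is None or rec[0] != merchant_id:
            raise VaultError("token unknown or not issued to this merchant")
        return {"approved": True, "amount_cents": amount_cents, "last4": rec[1][-4:]}


def merchant_record(card: CardInput, token: str) -> dict:
    """The only card-related fields the merchant keeps on file."""
    return {"token": token, "last4": card.pan[-4:], "exp": f"{card.exp_month:02d}/{card.exp_year}"}


FORBIDDEN_KEYS = {"pan", "card_number", "cvv", "cvv2", "cvc", "track"}


def record_is_pci_safe(record: dict) -> bool:
    """Development-time check on a record about to be persisted: reject any field
    named like sensitive authentication data, and any value that is a Luhn-valid
    13-19 digit string (a full PAN hiding under some other column name)."""
    for key, value in record.items():
        if key.lower() in FORBIDDEN_KEYS:
            return False
        if isinstance(value, str) and luhn_ok(value):
            return False
    return True


def checkout_and_store(vault: CardVault, merchant_id: str, card: CardInput) -> dict:
    """First purchase: tokenize, keep only the safe subset, then forget the CardInput."""
    token = vault.tokenize(merchant_id, card)
    record = merchant_record(card, token)
    if not record_is_pci_safe(record):
        raise VaultError("refusing to persist card data")
    return record


if __name__ == "__main__":
    vault = CardVault()
    card = CardInput("4111111111111111", 12, 2027, "123")    # well-known test PAN
    saved = checkout_and_store(vault, "tour_merchant", card)
    print(saved)                                              # token, last4, exp only
    print(vault.charge("tour_merchant", saved["token"], 2500))
    try:
        vault.charge("other_merchant", saved["token"], 2500)  # stolen token, other merchant
    except VaultError as e:
        print("rejected:", e)
```

The `record_is_pci_safe` scan is a cheap guard against a developer accidentally persisting a PAN or CVV2 under a different column name; it is not a substitute for a scoped PCI assessment, and the vault here is only a model of the merchant/processor split, not a description of how any named company implements it.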

Re:Violation of Payment Card Industry regulations? (0)

MichaelKristopeit316 (1963192) | more than 3 years ago | (#34636226)

i completely understand as i build such systems for a living... i'm simply pointing out that the largest retailers online place ease of ordering above security and store enough information required to process a new transaction.

Re:Violation of Payment Card Industry regulations? (0)

Anonymous Coward | more than 3 years ago | (#34636934)

I see your name is Michael. Still, I shall call you "Dick."

Re:Violation of Payment Card Industry regulations? (0)

MichaelKristopeit309 (1962666) | more than 3 years ago | (#34636956)

i see you have chosen to not take responsibility for the words you provide.

you are exactly what you've claimed to be: NOTHING.

i shall address you as such.

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Violation of Payment Card Industry regulations? (0)

Anonymous Coward | more than 3 years ago | (#34640752)

I really hope your job isn't customer facing...

Re:Violation of Payment Card Industry regulations? (1)

MichaelKristopeit330 (1963782) | more than 3 years ago | (#34643054)

you want to shield everyone from THE TRUTH?

why do you cower? what are you afraid of?

you're completely pathetic.

Test the Law (2)

cappp (1822388) | more than 3 years ago | (#34635730)

I'm not so sure it's a test of the law at all. At least there's no way to know without more details about how the breach occurred. The law can be found here [mass.gov] (pdf). TFA states the breach occurred because of an SQL injection - but nothing beyond that.

In the interests of stimulating a little chatter, the law calls for

(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Re:Test the Law (1)

JSG (82708) | more than 3 years ago | (#34635818)

So, 4,6,7 and 8 would seem to apply. That should give the lawyers plenty to play with.

Re:Test the Law (2)

cappp (1822388) | more than 3 years ago | (#34635852)

Note the use of the qualifier "reasonable"...the get out clause in every law ever written.

Re:Test the Law (1)

mssymrvn (15684) | more than 3 years ago | (#34637876)

The other big can of worms is the application of MA commonwealth law to a business *in another state*. MA likes to write laws like this all the time. But the reality is that MA has no jurisdiction outside of its borders. Or shouldn't - though we'll see how stupid the courts are on this one if it comes to trial.

Re:Test the Law (2, Interesting)

Anonymous Coward | more than 3 years ago | (#34635848)

I work for a MA company that deals with personal data for several fortune 100 companies. (posting AC for obvious reasons)
The Law is a joke. The rules are so vague that no matter what precautions are taken you could be found in violation. Who defines "reasonable?" What is adequate "encryption?"

This law is just another example of rushed "Think of the children" (for children read anyone) laws that get passed these days.

Encryption not much use against SQL injection (2)

JSG (82708) | more than 3 years ago | (#34635794)

The linked article mentions only that the law requires that data be held encrypted. That is not much use in this case where a SQL attack was used.

Does anyone know whether the law requires a certain standard for the front ends to the data. I'm pretty sure that PCI DSS - as another applicable standard - defines no such thing either.

Lesson learned: don't use MySQL (-1)

Anonymous Coward | more than 3 years ago | (#34635836)

to store private data...

Buffer overflows and SQL injections are the bane of open source software.

Re:Lesson learned: don't use MySQL (-1)

Anonymous Coward | more than 3 years ago | (#34635916)

haha that's funny. do you get paid by the post?

Re:Lesson learned: don't use MySQL (1)

igreaterthanu (1942456) | more than 3 years ago | (#34637052)

Buffer overflows and SQL injections are the bane of open source software.

But if I pay Oracle though, it's magically secure right?

Re:Lesson learned: don't use MySQL (1)

AltairDusk (1757788) | more than 3 years ago | (#34640768)

SQL syntax works on Oracle too... Shove that user input straight into an Oracle query and you'll find SQL injection is alive and well on all SQL databases where input is not sanitized properly.
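The point made across the last few posts (the article says the breach was an SQL injection; encryption at rest does nothing against a query that arrives through the application's own database connection; the bug is the same on MySQL, Oracle or anything else) is worth seeing in a runnable form. The block below is an added example for this page, not code from CitySights, Twin America or the article; it uses Python's built-in sqlite3 so it runs offline, and the customer rows are constructed sample data. It shows the concatenated query that lets a tautology dump every row and a UNION payload enumerate the schema, beside the parameterized query where the same inputs are just data.

```python
import sqlite3

# Constructed sample data, loosely modelled on the kind of customer table in the
# story; none of these people, addresses or tokens are real.
CUSTOMERS = [
    ("alice@example.com", "Alice Example", "tok_a1"),
    ("bob@example.com", "Bob Example", "tok_b2"),
    ("carol@example.com", "Carol Example", "tok_c3"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_token TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The bug: user input is pasted into the SQL text, so quote characters in
    the input change the statement the database executes. Whatever encryption
    the storage layer applies is transparent to this connection."""
    sql = "SELECT email, name, card_token FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a bound parameter is always data, whatever characters it holds."""
    sql = "SELECT email, name, card_token FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two payloads an attacker might submit in the email field (constructed).
DUMP_ALL = "' OR '1'='1"                                    # tautology: every row
ENUMERATE_SCHEMA = "' UNION SELECT name, sql, '' FROM sqlite_master --"  # table DDL


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, "bob@example.com"))
    print("vulnerable, DUMP_ALL     :", lookup_vulnerable(conn, DUMP_ALL))
    print("vulnerable, ENUMERATE    :", lookup_vulnerable(conn, ENUMERATE_SCHEMA))
    print("parameterized, DUMP_ALL  :", lookup_parameterized(conn, DUMP_ALL))
    print("parameterized, ENUMERATE :", lookup_parameterized(conn, ENUMERATE_SCHEMA))
```

The UNION payload is the reconnaissance step: on SQLite it reads `sqlite_master`, on MySQL or Oracle the equivalent catalog views, which is how an attacker finds the table holding card data before dumping it. Nothing in the hardened lookup depends on the database engine; the protection is that the driver sends the value separately from the statement text.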

Re:Encryption not much use against SQL injection (0)

Anonymous Coward | more than 3 years ago | (#34635920)

Does anyone know whether the law requires a certain standard for the front ends to the data.

The law [wikipedia.org] is (intentionally?) vague.

It basically says "best practices".

Re:Encryption not much use against SQL injection (1)

VTI9600 (1143169) | more than 3 years ago | (#34636572)

Most laws of this nature are indeed left intentionally vague...as they should be. This is so as to not put an onerous burden on companies trying to implement good security practices, not to favor one specific security vendor over another, and to maintain the flexibility needed for vendors to adapt to changes in technology.

Re:Encryption not much use against SQL injection (1)

VTI9600 (1143169) | more than 3 years ago | (#34636538)

Protecting against SQL injection attacks is much easier than making sure that all storage devices and network connections are encrypted. To use the Hitchhikers' Guide to the Galaxy analogy, encryption is like a towel. If your data is encrypted then people (sometimes rightfully) assume you've already got everything else you need to protect your customer's data from the crackers of the universe. These guys, however, clearly had none of the above.

So... (2)

Evets (629327) | more than 3 years ago | (#34635824)

What is the penalty for violating the law?

Re:So... (0)

Anonymous Coward | more than 3 years ago | (#34635936)

Only Death. But it's by old age so I'm not sure if that's much of a penalty.

Re:So... (2)

Monkeedude1212 (1560403) | more than 3 years ago | (#34635968)

What happens if you are hit by a bus and don't serve your penalty?

Re:So... (1)

healyp (1260440) | more than 3 years ago | (#34636272)

What happens if you are hit by a bus and don't serve your penalty?

Then your next of kin must die of old age instead.

Re:So... (0)

Anonymous Coward | more than 3 years ago | (#34636282)

C'mon, this is Massachusetts--one is burned at the stake!

Re:So... (0)

Anonymous Coward | more than 3 years ago | (#34637028)

You get to hear, "STOP RIGHT THERE, CRIMINAL SCUM!" for the next 20 years?

Re:So... (1)

Evets (629327) | more than 3 years ago | (#34637068)

To answer my own question

It contains no specific penalties for non-compliance with the law, but could open the door to lawsuits or legal actions by the state’s attorney general.
Source [networkworld.com]

I don't think you can call a law "tough" when there are no penalties.

Re:So... (1)

inerlogic (695302) | more than 3 years ago | (#34643878)

a lifetime senate seat....

oh wait, that's just for murders...


How are businesses supposed to comply? (1)

chrismcb (983081) | more than 3 years ago | (#34637324)

How is a business supposed to comply with something like this? Are you supposed to follow the laws published in every corner of the country?

Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts' residents to encrypt personal information at rest - in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted

I'm not exactly sure what qualifies as "personal information" but I would assume that includes name and address. Which makes it illegal to use anything but https. I would guess a LOT of companies are not in compliance with this law.
