I read a link on proggit that freaked me out a little bit: A New Law Could Change the Way You Build Database Applications. It talks about a new law, 201 CMR 17.00 (PDF), applicable to the storage and transmission of Personally Identifiable Information of MA residents. Here's a quick paragraph from the article:
Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it’s persisted. Sending PII over HTTP instead of HTTPS? That’s a big no no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You’ll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted that’s $5,000,000. Yikes.
Crikey, I thought. We're screwed. Every time you store someone's name in your database or transmit it over the internet it's got to be encrypted? That can't be right. Facebook would be shut down pretty quickly unless they started serving every page over SSL. What's Mark gonna do?
So either the Massachusetts legislature has a serious gap in understanding or that article is a little more huff and puff than fact. Turns out the latter is true. A commenter on reddit put this in its place as FUD. I pulled up the PDF (linked above) to the law and took a look for myself to double check:
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
The law actually makes sense. It covers first name and last name only in combination with some very specific pieces of information that you shouldn't be storing anywhere near your Web app in any case. It's still going to be a pain for companies that use your SSN when they shouldn't (I'm looking at you, Comcast, Verizon, NStar, etc.), so that actually makes me kinda happy. Those are the sorts of companies whose employees lose laptops' worth of data on a regular basis.
End result for us? Eh, nothing to see here, carry on...
...and follow @cykod on twitter.
Comments
exactly. That article was simply alarmist and misleading.
Note that because the law includes the transmission of this information, regular email doesn’t comply if you include a name and SSN or account number, it has to be encrypted.