It's just a question of will, money and some caring toward the customers or registered people.
People should be over the mighty dollar...
Check out the HealthNet (?) case in Connecticut. This is real, and in the Good Ol' Commonwealth, the due date for this was March 21st. There is at least one group that is going to every business to audit for compliance. And I was told by the kind people at 1 Financial Center in Boston that it's not if, but when, since the task force they are getting together is enormous.
The AG's office is also dedicating a large staff to dealing with this. And apparently, they're just waiting for the first breach.
The biggest issue with this law is that it requires you to notify of a breach even if the data is encrypted.
Otherwise it is essentially the same as any other regulation.
I believe that the law is designed to be nebulous and unattainable, except in those very rare instances where the business management of the company "gets" it from day 1. Everyone else is playing catch-up, and of course this is by design. A great money-making machine for the MA courts. They don't have to raise taxes and get a constant revenue stream.
Ambiguous and confusing law empowers politicians and regulatory agencies, giving them immense power over industry.
More of Big Brother taking over.
Pretty soon our national drink will be Vodka and we will be calling each other 'Comrade'.
Let's not forget Nevada's privacy law NRS-603A.
It has many of the same requirements as MA 201 CMR 17.00; however, it does mandate that all organizations that accept payment cards for goods or services "MUST" comply with PCI DSS standards. When questioned about the state forcing businesses to comply with PCI DSS in an interview, the Nevada Attorney General replied: all organizations that accept payment cards are contractually required to adhere to PCI DSS; we're just ensuring they meet those requirements.
The law also cites NIST and similar agencies as the reputable source for information security programs. I'm a strong believer in not reinventing the wheel. I personally think requiring businesses to comply with NIST and PCI DSS is good for our state. We have a part-time legislature that only sits once every two years. Requiring organizations to comply with PCI DSS and NIST allows for greater consumer security in a timely manner without legislators jumping into an area they have no experience in.
I tried to read the PCI DSS one day and became bleary-eyed and nervous.
Basically what it says is you have to be a MAJOR MULTIMILLION DOLLAR INTERNATIONAL CORPORATION in order to have the MONEY, manpower and other resources to even try to comply with PCI DSS. And you can't be on a shared hosting type of server, because YOU can't control or guarantee the hosting company's compliance with the PCI DSS. You have to have your own HIGH bandwidth UPLOAD speed server (even Comcast only allows 2M upload on a good day) with backup servers and 24-hour operations/monitoring staff in a SECURE building with on-site backup generators and 24-hour security personnel and surveillance equipment.
How many small businesses or individuals running an online sales business from home can provide all that?
Just because YOUR state has lazy legislators, and your state's voters allow them to be lazy, doesn't mean I should be punished and have to shut down my business for them. In Michigan our legislators work FULL TIME all the time, on a fraction of the money Nevada has I might add, and they have no problem custom writing laws for any situation.
PCI-DSS has different compliance rules and regulations for the categories of Merchants, Service Providers, and Payment Applications.
It's important to identify the appropriate category your business falls into. Under the categories are different Levels and Tiers for compliance. A small business performing e-commerce transactions (and NOT storing credit card data, which most small businesses shouldn't do) only needs to use VISA's Quarterly Network Security Scan, which is an automated tool making compliance very easy for the small business owner and IT staff.
The Massachusetts privacy law is a rehash of most of the privacy laws with one exception: the law requires that if a business stores information on MA residents and that information is lost or stolen, the breach must be reported even if the data is encrypted.
Joey,
You obviously did not read PCI DSS. There are different levels of PCI DSS compliance. It depends how you process your transactions and how many transactions you process. It appears to me you utilize internet-based transactions to process payment cards from home. This form of processing has many, many risks involved and requires more security than a simple transaction using a phone line. Therefore the protection requirements of PCI DSS are much more in-depth. If you are using internet-based transactions you are required to have your system scanned quarterly, among many other things, which becomes expensive over time. Should you decide not to comply with PCI DSS and your service provider suffers a breach, you are still responsible for all damages because you outsourced to a third party. You really need to reevaluate your needs for credit card processing and decide which method works best for you while providing you and your customers the best protection. I myself outsource my processing through PayPal. Although my students register for my classes at my website, they are taken to PayPal to make payment for the classes. It is up to them to pay by check or payment card, and I never ever have possession of their card or account numbers. This is slightly more expensive; however, it seriously limits my exposure in the event PayPal were to suffer a data breach. Although I perform business in this manner, there are still some requirements I must put in place to ensure I'm compliant with PCI DSS, but not very much at all. You can always outsource your processes, but you cannot outsource your responsibilities.
In regard to our lazy legislators here in Nevada: we have citizen legislators who run their own businesses and ranches.
They are first and foremost business and family people looking out for the state as needed. They are not professional politicians living off the backs of the people, as is the case with your state. We only have one professional politician in Nevada, and we hope to make Dirty Harry available to run for office in your state this November.
Thanks for posting this. I had contemplated covering other states ... Keep me posted if you learn more about this initiative in NV.
It seems to me that Mr. Underwood should do some more research before he writes another article about state laws and maybe consult an appropriate lawyer.
I Am Not A Lawyer, but laws passed by the State of Massachusetts are enforceable only within the territory of the State of Massachusetts. The legislature of Massachusetts cannot pass laws which oblige the residents of any other state to do anything, while those residents are not within the boundaries of the State of Massachusetts. Period.
That "jurisdiction" principle also applies to the legislatures of each and every one of the other states, too. Whatever privacy law(s) have been enacted by the Florida legislature apply to persons in Florida who possess P.I.I. about persons who reside in Massachusetts, as well as to such records as they may have about anyone else regardless of where those persons may reside. I live in Florida, and if I do business with a firm in Massachusetts, then that firm must "secure" the records which contain data about me as described in the Massachusetts law, not the Florida law.
Which is to say, a "patchwork" of state privacy laws is largely irrelevant, EXCEPT for a business that has agents and/or employees who conduct its operations in two or more states. Consider an insurance company whose agents sell policies in several States. Which State law, if any, applies to their creation, modification and retention of P.I.I. for the people whom they insure? Their agents almost certainly retain printed copies of applications and of policies issued, etc., so they will be subject to the laws of the respective state in which they do business. The insurance company will probably be required to obey the laws of the state in which their records are stored, if not also where their underwriters and other employees work.
However, a State does not have any power to regulate interstate commerce, only Congress can do that. So any company which does business in more than one State probably cannot be compelled to obey any of the State laws, and will be compelled to obey any Federal law on the matter instead.
You know, don't you, that privacy legislation is currently pending in Congress?
Addendum: An interesting summary of the proposed federal privacy legislation is presented today (07/27/10) on the Sunbelt Blog in "Privacy bills in U.S. Congress in brief" by Tom Kelchner:
http://sunbeltblog.blogspot.com/2010/07/privacy-bills-in-us-congress-in-brief.html
It includes links to the texts of the two respective bills. Now tell me why a sysadmin in the USA should care about laws passed by the European Union. Hint: where do they have jurisdiction?
When you apply your diktat, Ocie (with which I agree), to "illegal" immigrants on the federal level.
These "laws", they enjoin only the rest of us to any one of us. More, they enjoin the rest of us, and not a one of us.
I live in Thailand, and although I'm not the greatest or sanest of people, I do know when I'm being watched! Proving it is another thing. For instance, I walked through a mall one day to hear the Thai public saying "farang mao", as in drunk or crazy. Thought nothing of it till I went out on the street and heard the same scenario, only to be added was "farang go home". Now to my surprise no one would speak of where and why this was happening, as I would imagine the threat of it occurring to them would be punishment enough, knowing all I say and do, and vice versa. Then I went to get my computer fixed and it happened: the technician said he wouldn't touch my computer and wouldn't even take it as a gift. He said "farang go home". This is after I asked where he saw my face. Well, I now have been subject to "audio spotlight"ing, where these people, usually a man and lady, will commentate my every move and of course blog on various channels and stations in order to discredit me. The police on the other hand have been very sympathetic; as for the several times police have shown up to take me away, along with cheerful laughter from commentators, they secretly released me at places of my choice, once even gave me a few beers for my troubles. But how can they see my every move? In my house and out? I hear a helicopter hovering most nights and even had a few passovers when I was buying beer, and I live in a small farm town called Prachuap Khiri Khan, Awnoi, Nikom Kilo 5. They also have turned the town against me by giving free food, and saying I'm a sick man. My girlfriend won't even talk to me!! My son is half Thai, very white, so I thought it was Nazism, but it seems I was voted into this on a list from a website called forumbrzeg.pl as basketball player of the year. I have a Samsung GT-C3222 and use an AIS GSM aircard with a SIM card for 3G. Again, I'm not the best guy in the world, but I don't deserve this. I don't think anyone does. Any insight?