Palisade Blog


Three New State Privacy Laws - Get Ready American Business

by steve, 19 November 2009 10:54

Three new individual state privacy laws are spearheading stricter privacy regulation and foreshadow what other states are likely to adopt.

Get ready American Business!

California led the way in 2003 with SB1386, which requires disclosure of any breach, even one affecting a single individual. In 2006, Illinois did the same thing with 815 ILCS 530.

Today, forty-four states require companies to notify individuals if there is a breach of their personal information. While many states only require businesses to respond to a data breach with notifications, the new laws from Nevada, Connecticut and Massachusetts impose compliance obligations on businesses to protect this information from a data security breach.

Nevada

Nevada (Nev. Rev. Stat. § 597.970(1)), enacted on October 1, 2008, states:

“A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

Nevada’s law will expire on January 1, 2010, when a larger data security law goes into effect. That law will require all businesses storing or transmitting private data to be Payment Card Industry (PCI) DSS compliant. Nevada is the first state to require all businesses accepting credit cards to comply with PCI DSS.

Connecticut

Connecticut enacted a law (Chapter 743dd, section 42-471) on October 1, 2008 that goes beyond encryption: companies must “safeguard the data, computer files and documents containing the information from misuse by third parties”. It further requires them to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.” This law focuses on Social Security numbers in particular.

Massachusetts

The Massachusetts Data Privacy Law (201 CMR 17) is to take effect January 1, 2010, and companies need to be in full compliance by then. Proof of Compliance certification will be issued by the Office of Consumer Affairs and Business Regulation.

This is by far the most thorough of the state laws, and I think this one in particular will set a milestone for others to follow.

The new regulation requires that personal information about any Massachusetts resident be encrypted when stored or transmitted, regardless of where in the US the business is located. It also mandates that companies establish a data compliance program consistent with the requirements of the federal sentencing guidelines.

Enforcement will be the responsibility of the attorney general.

In addition to Nevada, Connecticut, and Massachusetts, there is legislation pending in Washington and Michigan as well. The trend is clear: individual state governments are taking an increasingly active role in establishing regulations to protect residents’ private data.

Comments

5/5/2010 12:06:18 PM #

Many states require businesses to respond with notifications, not transfer any personal information of a customer through an electronic transmission.

Personalmanagement Weiden United States

