Three More States Add Laws on Data Breaches
Computerworld - Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as a result of new security-breach notification laws that went into effect in Illinois, Louisiana and New Jersey on Jan. 1.
Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers.
For instance, New Jersey's Identity Theft Prevention Act requires businesses to destroy all customer data that's no longer needed and to notify consumers when sensitive data about them has been accessed by an unauthorized person. The law also limits the use of Social Security numbers on all items that are sent via postal mail.
Louisiana's Database Security Breach Notification Law requires entities that collect information on the state's residents to notify affected individuals of security breaches involving their confidential data. Government officials also need to be notified, according to the law. Illinois' Personal Information Protection Act is similar, although it doesn't require companies to inform the state government when breaches occur.
For companies that do business nationally or in various states, the smorgasbord of state laws poses a growing problem, because the measures often specify different triggers for notifications and set varying requirements on what needs to be disclosed, to whom and when, said Kirk Herath, chief privacy officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.
In addition, some states require companies to provide credit-monitoring services to affected customers, whereas others don't, Herath said. And not all of the states offer safe-harbor provisions that exempt companies that encrypt data from their laws, he said.
"What I would prefer to see is something that would be uniform and preemptive [of state laws]," Herath said. "Otherwise, you have a very inconsistent application of the law, with some states requiring you to do nothing [and] some hammering you to the point of being unfair."
"We're hoping a federal law will help clarify the situation," said the director of information security at a specialty retail chain based in California.
Until that comes to pass, the retailer plans to continue to use the SB 1386 breach-disclosure law that went into effect in California more than two years ago as a "baseline" for developing its security incident response and notification strategy, said the director, who asked not to be identified.
The retail chain also plans to develop an information grid that will help it quickly go through a checklist of requirements
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!