
The State of State Security Breach Notification Laws

By Matt Karlyn, Contributor
01 Nov 2006 | CIO Decisions Magazine


Security breaches happen every day, affecting millions of people. Even if your company takes the most stringent approach to securing individuals' personal information, it is not immune from security breaches; many result from simple human error. So while companies must take comprehensive measures to prevent security breaches, they must also prepare for them by understanding each applicable state law and by being prepared to comply with these laws.

Security breach notification laws require that when information has been compromised, those who own, collect or license personal information about a state's residents notify these individuals and sometimes other entities. But there is substantial confusion about how to comply with each state's law. Here I address three commonly held myths concerning these laws.

Myth 1: Every security breach requires notification of all consumers whose information was lost.
To the contrary, if certain conditions are met, several of the 33 state laws relax notification requirements. Many, for example, do not require notification if the lost information is encrypted or otherwise inaccessible or if the company determines that the breach is unlikely to cause harm.

Myth 2: A company must comply only with the law of the state where information was lost or where the company is incorporated.
Both the state in which information was lost and the location of a company are irrelevant. The residence of the individuals whose information was lost determines the applicable law, and each state's law applies only to its residents. If the information of residents in Ohio and Tennessee is compromised, a company must comply with Ohio law for affected Ohio residents and Tennessee law for affected Tennessee residents.

Myth 3: If I comply with the California law, I have complied with all state laws.
California's security breach notification law was the first, and perhaps the best known, but it is not always the most stringent. There is no single state law that, once satisfied, satisfies all the others, because no state's law is the most stringent in every respect. It is therefore critical to comply with each state law applicable to your situation.

Some states, for example, specify the maximum period required to notify individuals (Florida has a maximum of 45 days), while others require only that notice be provided "as quickly as possible" (as in Texas). In addition to notifying residents whose personal information was compromised, some states require notification of law enforcement and consumer-reporting agencies. The New Jersey law, for example, requires notification of the state police prior to consumer notification, and several others require notification of consumer-reporting agencies if a certain number of residents are affected.

Any security breach can jeopardize an individual's identity. To reduce the likelihood of such breaches and to be ready when one occurs, consider the following: review your company's infrastructure to ensure that stored personal information is secure, encrypt the personal information that you maintain, determine ahead of time which state laws apply to your company, and develop a detailed action plan for complying quickly and appropriately with each law. These efforts take time and cost money, but your company will be in a more advantageous position if it prepares than if it takes its chances.


Matt Karlyn, J.D., M.B.A., is a member of Foley & Lardner LLP's Information Technology & Outsourcing Practice Group in Boston. Write to him at mkarlyn@foley.com.
