Three more US states add laws on data breaches

Companies struggling to keep up with a patchwork of US state laws related to data privacy and information security have three more to contend with, as new security-breach notification laws went into effect in Illinois, Louisiana and New Jersey on Jan. 1.

Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers.

For instance, New Jersey’s Identity Theft Prevention Act requires businesses to destroy all unneeded customer data and to notify consumers when sensitive data about them has been accessed by an unauthorized person. The law also limits the use of Social Security numbers on all items that are sent via postal mail.

Louisiana’s Database Security Breach Notification Law requires entities that collect information on the state’s residents to notify affected individuals of security breaches involving their confidential data. Government officials also need to be notified, according to the law. Illinois’ Personal Information Protection Act is similar, although it doesn’t require companies to inform the state government when breaches occur.

For companies that do business nationally or in various states, the smorgasbord of state laws poses a growing problem, because the measures often specify different triggers for notifications and set varying requirements on what needs to be disclosed, to whom and when, said Kirk Herath, chief privacy officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.

In addition, some states require companies to provide credit-monitoring services to affected customers, whereas others don’t, Herath said. And not all of the states offer safe-harbor provisions exempting from their laws companies that encrypt data, he said.

“What I would prefer to see is something that would be uniform and preemptive [of state laws],” Herath said. “Otherwise, you have a very inconsistent application of the law, with some states requiring you to do nothing [and] some hammering you to the point of being unfair.” He added that it would be better to have a single law managed by a central regulatory authority, in much the same manner that the CAN-SPAM Act and the National Do Not Call Registry are.

“We’re hoping a federal law will help clarify the situation,” said the director of information security at a specialty retail chain based in California.

Until that comes to pass, the retailer plans to continue to use the SB 1386 breach-disclosure law that went into effect in California more than two years ago as a “baseline” for developing its security incident response and notification strategy, said the director, who asked not to be identified.

The retail chain also plans to develop an information grid that will help it quickly go through a checklist of requirements for each state in case it triggers a notification statute. Nationwide already has such a grid, according to Herath.

“What the situation is crying out for is a federal version of the state laws,” said Arshad Noor, CEO of StrongAuth Inc., a compliance management services firm in Sunnyvale, Calif. But such a law would have to be at least as strong as the existing state regulations are for it to win approval from federal legislators, Noor said.