
New State Privacy Laws Requiring More Prescriptive Data Protection Standards

posted Sep 24, 2010 11:07 PM by Eddie Cox   [ updated Oct 31, 2010 12:23 PM by Michael Cox ]
In 2002 California became the first state to enact a privacy breach notification law.  California requires notification of persons whose "unencrypted" sensitive personal information may have been compromised in a security breach.  While there is no explicit requirement to encrypt sensitive personal information, the law in effect states that a breach of encrypted data triggers no notification obligation, so encryption functions as a safe harbor.  There are now 45 states with privacy breach disclosure laws.  Some states follow the California model.  Most state laws require "reasonable security standards" to protect sensitive personal information, without saying what those standards are.  
 
However, in October 2008 Nevada became the first state to enact a data security law mandating encryption for the transmission of customer personal information.  The statute defines encryption broadly as "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant ..." (the statute goes on to provide more specifics).  The law is brief and vague as to whether it applies only to businesses located in the state.  Until the law is clarified, it would be wise to assume it applies to any organization "doing business with" Nevada residents.
 
After several extensions of its compliance deadline, a new Massachusetts state privacy regulation took effect on March 1, 2010 and imposes a new set of information security requirements.  It covers "persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts."  The regulation requires a written information security program following GLB (Gramm-Leach-Bliley) principles, plus additional specific standards such as encryption of electronically "transmitted records" and of laptops and portable devices.  There are secure user-authentication and access control requirements and many others.  This regulation requires a close study to ensure compliance.     
 
There are currently active bills in Michigan and Washington that are variants of these two recent state laws.  
 
Also in October 2008, New York published the "Business Privacy Guide: How to Handle Personal Identifiable Information and Limit the Prospects of Identity Theft."  The Guide states that "New York businesses" ... "should refer to this Guide as a resource outlining principles and best practices for privacy protection, but it is highly recommended that you continually consult a privacy professional and an attorney to ensure legal compliance with applicable state and federal laws and regulations."  The New York State Attorney General, Andrew Cuomo, has been a leading enforcement activist on behalf of the state's residents, reaching settlements with organizations located in many other states.  If your organization, located in another state such as California, were to suffer a privacy breach harming New York residents, the NY State AG's Office may hold your organization accountable for violating such generally accepted standards (although the Guide refers to them as principles rather than requirements).
 
With the increasing frequency of privacy breaches, we are likely to continue to see a trend for more prescriptive state laws. 
 
Disclaimer: I am not a lawyer. This blog's purpose is to raise awareness, not provide legal counsel.
 
Michael Cox, CIPP
President, SoCal Privacy Consultants