A number of state laws have come into effect or been updated to respond to the challenges created by breaches of sensitive data – specifically, credit card data that allows fraudulent charges to be made. A very good article by Charlene Brownlee is available on Davis Wright Tremaine LLP’s advisory page. I strongly suggest clicking over there from the link below to read the entire article. A few points to highlight:
Safe Harbor – Washington state has amended its Data Breach statute to focus on large businesses, processors, and vendors, requiring them to take reasonable care in securing access to account information. Most interesting are the Safe Harbor clauses: encryption OR an appropriate certification under PCI DSS within the past 12 months! This is in stark contrast to the situations where organizations that suffered data breaches were found not to be in compliance ‘at that moment’ and therefore paid the associated fines.
Massachusetts – effective March 1, 2010, requires that a comprehensive written security program be in place.
Minnesota’s and Nevada’s data breach laws are also highlighted in the article. The table comparing the state laws is especially informative.
States are moving strongly against data breaches and are referencing and supporting industry standards such as PCI DSS. Additional legislation at the Federal level, for example H.R. 4900 and H.R. 4061 (the Cybersecurity Act, passed by the House in March 2010 and discussed here), is also advancing and has the potential to create a larger framework of best practices for organizations to follow. Continued focus on appropriate risk management and threat models will become more necessary as these laws mature and are amended.