This year, 11 states across the U.S. have enacted or plan to enact data security laws that require higher levels of administrative controls over customer information. In addition, many of these new laws (which cover some of the most populous states in the nation, like California and New York) now require more robust technical and physical safeguards to be in place to protect data.
The hope is that these laws will add up to a more comprehensive layer of privacy and security for everyday Americans. But it won’t be easy to transform data protection policies for the thousands of businesses and millions of consumers that stand to be impacted. Taking the initiative now to better defend your data is critical to your company’s success. That applies to the short term, as these new regulations roll out—and the long term, as clients come to expect such information protection.
While the details of these security-related state laws differ, the key areas of overlap are the ways in which they:
- Define personal information
- Require protection of that information
- Empower consumers to take control of their data, and
- Compel businesses to notify consumers of data breaches
Because so many states with large populations and dynamic economies have passed new regulations, the rising tide of data privacy could spread nationwide. That would help the United States catch up to Canada, which passed the Personal Information Protection and Electronic Documents Act (PIPEDA) way back in the late 1990s, and the European Union, which raised the global bar for data privacy with its General Data Protection Regulation (GDPR) in 2018.
Take New York’s new Stop Hacks and Improve Electronic Data Security Act
The SHIELD Act, as it’s come to be known, expands the state’s current laws about data breaches. Like HIPAA, it imposes affirmative cybersecurity obligations on covered entities. The law states that “any person or business that owns or licenses computerized data, which includes private information of a resident of New York, shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.”
What do those “reasonable safeguards” look like in regard to administrative, technical, and physical procedures?
- Designating one or more employees to coordinate a data security program
- Identifying reasonably foreseeable internal or external risks
- Assessing the sufficiency of safeguards in place to control the identified risks
- Training and managing employees in the security program practices and procedures
- Selecting IT service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
- Adjusting the security program in light of business or new circumstances
- Assessing the risk in network and software design, information processing, transmission, and storage
- Detecting, preventing, and responding to attacks, intrusions, and system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
- Assessing the risks of information storage and disposal
- Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed
Could your business be in compliance with these requirements by next week, next month, or even next year? Even if your company is not located in New York, do you have any clients who live or work in New York? If so, you could be on the hook for such stepped-up regulations. And even if not, other state laws are on the books or on the way in 2020:
- This grants consumers the right to request details about the information collected, the sources of that information, and the stated purposes of any business that collects data related to California residents.
- This places specific minimum cybersecurity requirements on all covered financial institutions.
- Similar to the California Consumer Privacy Act, Nevada’s new law requires certain kinds of information to be included in the privacy policies of companies that do business in the state. It also goes above and beyond other online privacy laws by granting consumers the right to opt out of the sale of personal data.
- This prohibits Internet service providers from using, disclosing, or selling personal information without consent, and prevents refusal of services if consent is not given.
- This update to existing Massachusetts law enhances the requirements for breach notifications to state residents and requires free credit monitoring for any residents who fall victim to a data breach that exposes Social Security numbers.
- Another update to existing law, this New Jersey act classifies credentials for any online account as personal information subject to state breach notification laws, clarifying how such notifications are to be performed.
- This extends existing data breach requirements to personal information maintained by a business as well as information owned or licensed by a business.
- This expands the definition of personal information to include online account credentials and amends the notification requirements of a breach.
- Like New Jersey, Maryland, and Oregon, this new act amends the notification requirements for security breaches.
- This expands the statutory definition of personal information and reduces the number of days to deliver the required notifications.
If you’re concerned about whether your company meets new data privacy and security requirements, contact CMIT Solutions today. We work with businesses across North America to protect information, defend networks, and train employees about new cybersecurity regulations. We take state laws seriously and help your company get in compliance—before it’s too late.