This year, 11 states across the U.S. have enacted or plan to enact data security laws that require higher levels of administrative controls over customer information. In addition, many of these new laws (which cover some of the most populous states in the nation, like California and New York) now require more robust technical and physical safeguards to be in place to protect data.
The hope is that these laws will add up to a more comprehensive layer of privacy and security for everyday Americans. But it won’t be easy to transform data protection policies for the thousands of businesses and millions of consumers that stand to be impacted. Taking the initiative now to better defend your data is critical to your company’s success. That applies to the short term, as these new regulations roll out—and the long term, as clients come to expect such information protection.
While the details of these security-related state laws differ, they overlap in the way that they:
- Define personal information
- Require protection of that information
- Empower consumers to take control of their data, and
- Compel businesses to notify consumers of data breaches
Because so many states with large populations and dynamic economies have passed new regulations, the rising tide of data privacy could spread nationwide. That would help the United States catch up to Canada, which passed the Personal Information Protection and Electronic Documents Act (PIPEDA) way back in the late 1990s, and the European Union, which raised the global bar for data privacy with its General Data Protection Regulation (GDPR) in 2018.
Take New York’s new Stop Hacks and Improve Electronic Data Security Act. The SHIELD Act, as it’s come to be known, expands the state’s current laws about data breaches. Like HIPAA, it imposes affirmative cybersecurity obligations on covered entities. The law states that “any person or business that owns or licenses computerized data, which includes private information of a resident of New York, shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.”
What do those “reasonable safeguards” look like with regard to administrative, technical, and physical procedures?
- Designating one or more employees to coordinate a data security program
- Identifying reasonably foreseeable internal or external risks
- Assessing the sufficiency of safeguards in place to control the identified risks
- Training and managing employees in the security program practices and procedures
- Selecting IT service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract, and
- Adjusting the security program in light of business or new circumstances.
- Assessing the risk in network and software design, information processing, transmission, and storage
- Detecting, preventing, and responding to attacks, intrusions, and system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
- Assessing the risks of information storage and disposal
- Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- And disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Could your business be in compliance with these requirements by next week, next month, or even next year? Even if your company is not located in New York, do you have any clients who live or work in New York? If so, you could be on the hook for such stepped-up regulations. And even if not, other state laws are on the books or on the way in 2020:
1) California Consumer Privacy Act (CCPA).
This grants consumers the right to request details about information collected, the sources of that information, and the stated purposes of any business that collects data related to California residents.
2) New York State Department of Financial Services, Cyber Security Requirements for Financial Services Companies (23 NYCRR 500).
This places specific minimum cybersecurity requirements on all covered financial institutions.
3) Nevada Senate Bill 220 Online Privacy Law.
Similar to the California Consumer Privacy Act, Nevada’s new law requires certain kinds of information to be included in the privacy policies of companies that do business in the state. It also goes above and beyond other online privacy laws by granting consumers the right to opt out of the sale of personal data.
4) Maine Act to Protect the Privacy of the Online Consumer Information.
This prohibits Internet service providers from using, disclosing, or selling personal information without consent, and prevents refusal of services if consent is not given.
5) Massachusetts Bill H.4806 – An Act Relative to Consumer Protection from Security Breaches.
This update to existing Massachusetts law enhances the requirements for breach notifications to state residents and requires free credit monitoring for any residents who fall victim to a data breach that exposes Social Security numbers.
6) New Jersey – An Act Concerning Disclosure of Breaches of Security and Amending P.L.2005, c.226 (S.51).
Another update to existing law, this New Jersey act classifies credentials for any online account as personal information subject to state breach notification laws, clarifying how such notifications are to be performed.
7) Maryland Personal Information Protection Act – Security Breach Notification Requirements & Modifications (House Bill 1154).
This extends existing data breach requirements to personal information maintained by a business as well as information owned or licensed by a business.
8) Oregon Consumer Information Protection Act (OCIPA).
This expands the definition of personal information to include online account credentials and amends the notification requirements of a breach.
9) Texas – An Act Relating to the Privacy of Personal Identifying Information and the Creation of the Texas Privacy Protection Advisory Council.
Like New Jersey, Maryland, and Oregon, this new act amends the notification requirements for security breaches.
10) Washington – An Act Relating to Breach of Security Systems Protecting Personal Information (SHB 1071).
This expands the statutory definition of personal information and reduces the number of days to deliver the required notifications.
If you’re concerned about whether your company meets new data privacy and security requirements, contact CMIT Solutions today. We work with businesses across North America to protect information, defend networks, and train employees about new cybersecurity regulations. We take state laws seriously and help your company get in compliance—before it’s too late.