Businesses face a growing list of state data privacy laws that require them to safeguard identity data and to plan how they will respond following a data breach. Unfortunately, the laws and their associated regulations differ from state to state.
For example, states may define personally identifying information (PII) differently or have different requirements for how breach notifications must occur. Furthermore, state laws are designed to protect the information of the state's residents regardless of where the business is located. To help customers manage these issues, security solution providers must understand the laws of every state and territory where their client's employees or customers reside.
In the U.S., nearly all states and territories have enacted laws or regulations requiring organizations that own or license information to protect the PII entrusted to them by their customers. These laws, and their associated regulations, typically make broad suggestions regarding how to protect the information, but go into more detail describing what needs to happen in the event of a breach.
As you support your client in protecting their data and complying with state laws, you need to:
1. Identify and locate the PII they possess.
2. Understand which laws and regulations apply to them.
3. Determine what controls are needed to comply with these laws and regulations.
4. Prepare how your client will respond in the event of a breach.
What information does your client have?
The first order of business for any organization is to identify the PII it stores. Most state laws designate a person's name, Social Security number, driver's license number, credit card numbers, and bank account numbers combined with a personal identification number (PIN) as PII. However, there are differences. For example, Massachusetts considers a bank account number sensitive even without a PIN, while other states do not.
Furthermore, by understanding the information your clients have, you may be able to reduce their exposure and their compliance requirements by eliminating particular PII that they do not need to store.
Which laws apply to your client?
Once you have identified your client's PII, you will need to understand where it came from. The job of identifying which laws apply to your client's organization might seem straightforward: find the addresses of the people in their databases and compile the list of states and territories. However, there may be complications. You need to ensure the addresses are current. Companies are sometimes surprised to find that as a customer's or employee's (or even former employee's) residency changes, so do the company's compliance requirements. This means companies need to keep their records up to date and keep up with every state law that may apply.
With a list of states and territories, you can begin to compile compliance requirements for each state. But what if your list contains many or even all of the U.S. states and territories? Rather than addressing each state’s laws individually, it is more efficient to follow the laws of the two most stringent state regulations: Massachusetts and Nevada. Also apply the broadest definition possible of PII.
What controls do you need?
The type of security controls and notification requirements vary from state to state. The majority of data protection laws say little about how PII data needs to be protected, but establish clear requirements for what must be done in the event of a breach. Looking at the data protection tools and processes already in place, plan for and implement additional security controls to ensure your client is following the laws and regulations of each applicable state.
What should you do in the event of a breach?
There are more similarities than differences between state breach notification requirements. You should create a plan for your client to notify the victim(s) directly, as well as the major credit bureaus and the attorneys general of each state affected. The preferred method of notification to individual victims is in writing. However, electronic methods are typically acceptable when email is the business's normal method of correspondence. When the number of victims is large or the cost of notification exceeds a threshold set by the state, companies are permitted to use broadcast media and their own websites to notify victims.
The myriad laws that require protection and breach notification can seem daunting to a company new to the compliance game. However, the surest way to protect your client’s information and be ready in the event of a breach is to establish a strong security program. A best practice is to follow a cyclical process of analyzing the information your client has, understanding the applicable security and compliance requirements, implementing controls, and evaluating the effectiveness of those controls. A thoughtfully conceived and flexible data protection program will enable your client to adapt to changing data, risks and regulatory requirements while staying competitive and profitable.
About the author:
Richard E. Mackey Jr., vice president of consulting for SystemExperts Corporation, has advised leading Wall Street firms, manufacturers, health care providers, and online retailers on security architecture, identity management, regulatory compliance, partner management, and risk management. Prior to joining SystemExperts, he was the director of collaborative development for The Open Group. Mackey is an original member of the DCE Request for Technology technical evaluation team and was responsible for the architecture of the Distributed Computing Environment Releases 1.1 and 1.2. Mackey has been a frequent speaker at major conferences and has taught tutorials on developing secure distributed applications.