Mission critical: Examination of new data protection laws

January 15, 2015

By Dr. Ross Federgreen, CSR CEO, CIPM, CIPP, European Privacy Association

More than half of U.S. states today have enacted data protection laws and regulations, growing from just 15 states a year ago. Federal and international authorities also impose obligations on organizations to provide security for the legally protected personal information or personally identifiable information (PII) of their residents.

Warning for your business customers

Failure to plan can destroy reputations and severely hurt productivity and future sales. Penalties for noncompliance can include fines, civil and criminal prosecution, even leading to jail time and business closure.

Business opportunity for NAID members

As providers of information governance solutions, including destruction, NAID members are in a unique position to provide their customers with new offerings that create recurring monthly revenue streams as part of a package of security services to help their customers meet ongoing, mandated legal requirements. Risk assessment, remediation, and incident response planning are just a few turnkey services that can be incorporated to meet the needs for comprehensive plans to safeguard data.

Customers must develop information security programs now

Your business clients all have employees, customers or vendors. The majority of states have data protection laws and your business client should quickly review these and continue to watch for evolving legislation to determine their best response strategy.

Forty-seven states, three U.S. territories and the District of Columbia all have laws that address issues of data loss, including penalties, customer notification, and reporting requirements. Realizing that breach laws didn’t make a significant impact, most states have also passed data protection legislation.

Federal laws, including HIPAA/HITECH, Gramm-Leach-Bliley, and COPPA, have a broad impact on data protection. State data protection laws apply to all industries interacting with residents in their states.

These state laws vary in detail and definition of PII across dozens of types of PII data, from social security and driver’s license numbers, birthdates, credit/debit card and bank information to ZIP codes and email addresses, for instance.

Common requirements of state laws

Other state laws share these requirements found in the Massachusetts data protection law:

  • Designation of a responsible individual or group
  • Risk assessment
  • Policies and procedures
  • Employee training
  • Restricted access
  • Regular monitoring

Penalties for noncompliance

Here are just a few examples that might give us an indication of future enforcement of data protection laws:

  • A former UCLA Medical Center employee was sentenced to jail time for accessing and looking at private medical files.
  • Massachusetts General Hospital reached a settlement for $1,000,000 after an unencrypted laptop was lost, which contained only 192 patient records.
  • A loss of 100 records from one location of Lifetime Fitness could mean $120,000 in fines between the Texas State Attorney General’s enforcement of the Identity Theft Enforcement and Protection Act and the Deceptive Trade Practices Act.
  • Recent court rulings in Massachusetts mean retailers collecting ZIP codes in card transactions can be open to class action lawsuits.
  • A hospital in Rhode Island paid a $150,000 fine for failing to protect the information of Massachusetts’ residents.

See CSR’s “Best Practices for Managing Personally Identifiable Information” for a free step-by-step guide with guidance on processing PII. Dr. Federgreen is CSR’s CEO and founder. He is honored to present “The State of Data Breach Reporting,” Saturday, March 21, at 8 a.m. during the NAID 2015 Annual Conference and Expo.