States Pass Toughened Laws on Data Privacy

posted on January 13, 2010

by Rob Streibel, infoLock Technologies

Two new state laws are reframing the debate over data privacy and creating a new standard of protection for consumers' personally identifiable information (PII). Massachusetts law 201 CMR 17.00, which will take effect March 1, 2010, and Nevada law 603a, which took effect in January 2010, represent a sea change in the regulatory approach to data privacy.

In contrast to existing state laws that use vague language to describe security controls and/or apply only to notification procedures after a data breach has already occurred, the Massachusetts and Nevada laws outline specific, preventative controls—both administrative and technical—that organizations must use to protect PII from unauthorized access. They provide clear, consistent guidelines for what constitutes PII, how it must be protected, who is responsible for that protection, and what to do in the event that PII is compromised.

Any organization that stores personal information, or PII, about a Massachusetts or Nevada resident must comply with these new regulations. Massachusetts defines personal information as a resident's first and last name or first initial and last name, along with one or more of the following data points: Social Security number, driver's license number/state ID number, financial account number, or credit or debit card number. Nevada uses a similar definition; however, it requires a PIN or password to accompany the financial information in order for it to be considered PII.

There are some other differences between the two laws, as well. The Massachusetts law, for example, requires organizations with data on residents to implement a Written Information Security Program (WISP), including governance, risk assessment, partner management, preventative and detective technical controls, and an incident response process.

The Nevada law is a bit more general in its guidelines for administrative and technical controls. One significant feature, though, is its reference to the Payment Card Industry Data Security Standard (PCI DSS). Nevada is the first state to give legal status to this industry regulation. Now, PCI DSS non-compliance can result in legal action by injured parties and/or the state in the event of a data breach.

While giving new teeth to data privacy regulation at the state level, the Massachusetts and Nevada laws may soon be preempted by the federal government with H.R. 2221, the Data Accountability and Trust Act. Currently passed in the House of Representatives and awaiting approval in the Senate, H.R. 2221 falls somewhere in between the Massachusetts and Nevada laws in the strength of its guidelines for consumer data protection. Using Nevada's definition for PII, the federal bill requires a preventative data protection program (including vulnerability assessments, monitoring, and a security policy) in addition to post-breach notification processes. However, it does not specify the need for a WISP, and it does not reference PCI DSS. H.R. 2221 would also allow compliance with other regulations, such as HIPAA, to demonstrate compliance, and it would be enforced by the Federal Trade Commission (FTC).

Critics of the bill cite H.R. 2221's reliance on the FTC for enforcement as a major flaw, considering that the FTC does not have jurisdiction over nonprofit organizations, government agencies, and financial or depository institutions, not to mention its historical ineffectiveness in enforcement following significant data breaches. This criticism is certainly justified: it is easy to envision a future data breach by an organization that is out of compliance with state law, yet finds safe harbor in the new federal law. Let’s hope new legislation doesn’t make the situation worse, as we finally seem to be gaining momentum in the data privacy war.

Regardless of their potential preemption by H.R. 2221, the Massachusetts and Nevada data privacy laws have changed the way organizations must now handle sensitive data. They have created a regulatory framework that places consumer protection first and, more importantly, signaled to organizations that deal in PII that it is time to take data security seriously or face the consequences.

For more detailed information about the Massachusetts and Nevada laws, visit: