State Data Breach Laws

In addition to federal regulation, many US states are adding their own mandates regulating notification requirements following a breach of data security.

Data Breach Legislation Overview

More than 45 state governments have mandated corporate data breach notification laws. Many states have also mandated encryption of sensitive customer data. This trend toward addressing data security, data destruction, and encryption has continued to strengthen among state lawmakers, leading many states to reintroduce or amend their legislation in 2010. In addition, Congress is considering the Data Accountability and Trust Act (DATA) (H.R. 2221), which would establish a national breach notice standard superseding all state notification laws.

These laws apply to personal information on PCs as well as portable devices such as laptops, smartphones and USB memory sticks that have been lost or stolen.

Non-Compliance: A Risk Companies Can't Afford

Penalties for failing to comply with any data protection initiative, whether at the state or federal level, can be severe. Penalties can include punitive fines, adverse publicity and damage to customer relationships, and, in some extreme cases, criminal charges. Today, a data breach that compromises customer information can result in more than bad headlines; it can end in bankruptcy.

However, if your organization has proof that the personal information on the stolen device was properly encrypted, damages can be contained and notification is not always required. Frequently, companies that meet federal compliance requirements such as those for the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley (GLB), Health Insurance Portability and Accountability Act (HIPAA) or the Federal Information Security Management Act (FISMA) are also compliant at the state level.

CREDANT is dedicated to ongoing research and education concerning strong, auditable security regardless of where data resides to manage risk, protect sensitive data and enable cost-effective compliance. Data security, implemented correctly, can ensure technology investments grow revenue and improve daily operations as intended, while keeping sensitive data compliant.