
Last month, a new data protection law took effect in Nevada (data security news [1]). Next month, a new law will take effect in Massachusetts. These laws represent a rising class of new state regulations that few national companies will be able to ignore.
Currently, roughly 40 states require companies to notify customers when a security breach occurs (disclosure news [2]). The Nevada and Massachusetts laws go a step further in that they seek to prevent unauthorized access before it occurs. To that end, they require organizations to deploy specific controls to protect personal information.
The Massachusetts law has by far been the most contentious. It was supposed to go into effect in January of last year, but the business community fought hard and won two reprieves. As of now, though, the law will take effect March 1 [3].
In some ways this is a gift for security vendors, who are marketing hard around this. The law requires businesses to encrypt sensitive information on Massachusetts residents that they store or transmit over a network. Businesses must also keep an inventory of sensitive information, monitor usage and maintain a formal security plan, known as a WISP, or written information security plan. In addition, they must take measures to verify that their third-party service providers are protecting personal information. By March 2012, businesses must include provisions in vendor contracts obligating them to protect personal information.
The business community, which was outraged initially, scored some early victories in watering down some provisions of the Massachusetts bill. The vendor requirement was originally much more onerous. But, in the end, compliance will be required.
It's unclear how fast other states will embrace this approach, but, from a compliance perspective, a rash of state laws is almost always less preferable than a single federal law. You will need to pay close attention, as it's likely that more states will adopt similar approaches. The issue, of course, is that no two laws will be identical. At some point, we should hear calls for a federal law that takes precedence. - Jim [4]