Navigating more stringent state privacy laws



More states are passing their own privacy laws, and that presents some big challenges to companies operating nationwide.

California kicked off the movement with SB 1386 way back in September of 2002. Massachusetts, which passed a privacy law back in August, has also passed a law with a specific set of anti-theft requirements, MGL 93H, which will go into effect January 1, 2010. Compliance will require companies to execute, and show documented evidence of, a comprehensive data security policy in order to do business with Massachusetts residents.

More specifically, companies will be asked to identify an employee to "own" the issue, create enterprise-wide policies, enforce standards on third-party providers, and more. Any company that does business with even one person based in Massachusetts will be held accountable for any data breach, with penalties of $5,000 per record exposed, no matter whose fault it was. In addition, the regulations require encryption of all personal data stored on laptops or other portable devices, and encryption of personal data transmitted wirelessly or sent over the Internet.

Michael Logan, president of data security firm Axis Technology, says, "Since most companies do transactions over the Internet, once a major state passes one of these laws companies are pretty much required to comply, since the criteria are based on the client's place of residence, not the company's." At some point, he says, a federal law might be passed, which may be preferable to 50 separate state laws.

In any case, this is something that you might want to think about. - Jim