New data protection laws coming soon

Last month, a new data protection law took effect in Nevada. Next month, a new law will take effect in Massachusetts. These laws represent a rising class of new state regulations that few national companies will be able to ignore.
Currently, roughly 40 states require companies to notify customers when a breach of security occurs. The Nevada and Massachusetts laws go a step further in that they seek to prevent unauthorized access before it occurs. To that end, they require organizations to deploy specialized controls to protect personal information.
The Massachusetts law has been by far the most contentious. It was supposed to go into effect in January of last year, but the business community fought hard and won two reprieves. As of now, the law will take effect March 1.
In some ways this is a gift for security vendors, who are marketing hard around this. The law requires businesses to encrypt sensitive information on Massachusetts residents that they store or transmit over a network. Businesses must also keep an inventory of sensitive information, monitor usage and maintain a formal security plan, known as a WISP, or written information security plan. In addition, they must take measures to verify that their third-party service providers are protecting personal information. By March 2012, businesses must include provisions in vendor contracts obligating them to protect personal information.
The business community, which was outraged initially, scored some early victories in watering down some provisions of the Massachusetts bill. The vendor requirement was originally much more onerous. But, in the end, compliance will be required.
It's unclear how fast other states will embrace this approach, but, from a compliance perspective, a rash of state laws is almost always less preferable to a single federal law. You will need to pay close attention, as it's likely that more states will adopt similar approaches. The issue, of course, is that no two laws will be identical. At some point, we should hear calls for a federal law that takes precedence. - Jim
Comments
Agree with you regarding these types of laws becoming a trend. Protecting the identity of citizens is as much a social issue as an IT security issue. I think we'll see states adopt similar legislation over time.
I captured my thoughts on the matter here: http://blog.maas360.com/massLaw
© 2010 FierceMarkets. All rights reserved.



