April 30, 2015

Navigating State Privacy Laws: A Compliance Handbook for Businesses

What do state privacy laws require you to do if cyber thieves get access to your firm’s customer credit and debit card information, or un-shredded client files are found in a garbage dumpster?

It actually depends on where you are in the United States.

While President Obama has proposed new federal breach notification legislation, there’s currently what industry experts refer to as a “patchwork” of data breach laws across the country – and differences between each one.

Here’s what businesses need to know about state security laws:

Cover all your bases. Regardless of where the head office is located, if an organization has branches, supply chain partners or customers in different states, it’s important to know the specific privacy laws of each of those states.

Breach notification rules vary a little… and a lot. State rules, in general, require organizations to notify customers whose personally identifiable information (PII) has been breached. But be clear on how each state defines PII, because there isn’t one standard definition. PII usually consists of a combination of a person’s name with a sensitive number such as a Social Security or driver’s license number, credit card PIN or account password. There are a few unusual statutes. For example, Nebraska considers biometric data to be PII, North Carolina considers an individual’s parent’s surname prior to marriage to be sensitive, and Wisconsin law covers DNA. Also, the time businesses may wait before informing customers of a breach varies by state. And three states – Alabama, New Mexico and South Dakota – do not have breach notification rules at all.

Laws are never set in stone. The 2015 Second Annual Data Breach Industry Forecast by Experian warned that without a national standardized data protection act, “states may experiment with data breach laws in the coming year ranging from adjusting timing and content of notification, to defining personal data, and requirements to alert media and regulators.” The National Conference of State Legislatures reports that at least 29 states have introduced or are considering security breach notification bills or resolutions in 2015.

Small businesses, especially, need to brush up on state privacy laws. A 2015 Softwareadvice.com report showed that only 33% of small business decision-makers were “very confident” they understood their state’s data breach notification laws; 34% described themselves as “moderately confident”. Another one-third admitted that they were “largely” or “completely unaware” of their state’s breach disclosure requirements.

Be clear about disposal laws too. Whether PII is collected and stored in digital or paper formats or both, in many states it must be securely destroyed or otherwise made unreadable or undecipherable when no longer needed. Secure shredding services are recommended. A reliable document destruction company provides on-site or off-site shredding with a cross-cut shredder, as well as different shred size options.

When a data breach occurs, acting quickly and efficiently, and adhering to compliance regulations, can help reduce the damages in terms of lost reputation and legal penalties. Implement a comprehensive document management policy so PII is identified and secured. Provide ongoing security awareness training. And always take a proactive approach to understanding privacy laws and legislation in your industry – and your state.

Replacing open recycling bins with locked consoles is an uncomplicated way to better protect confidential information in the workplace.