New State Data Security Laws: Moving from “Reasonableness” to Express Security Standards
Over the past several years, many states, including California, Rhode Island and Texas, have passed laws governing the privacy and protection of personal information. These laws generally require businesses that handle personal information to adopt reasonable security procedures to safeguard the personal information of their customers. The definition of personal information varies by state, but it typically means an individual’s name in combination with a non-public data element, such as a Social Security number, a driver’s license number, or a credit card or financial account number.
Within the past year, however, noteworthy developments in this area of the law have taken place in Massachusetts and Nevada. Both states have adopted new laws that are likely to affect the practices of businesses nationwide. What is significant about these laws is the move away from merely requiring “reasonable” security procedures toward requiring compliance with specific, enumerated security measures.
While many businesses may find that they have already implemented at least some of the new requirements, the biggest challenges are likely to be compliance with Massachusetts’ detailed regulations and with Nevada’s encryption requirement. Also worth mentioning is a new Connecticut law requiring businesses that collect Social Security numbers to publish a privacy protection policy.
A brief overview of relevant state data security laws is provided below.
“Reasonable” Measure States:
California - Under California law (Cal. Civ. Code § 1798.81.5), all businesses that own, license, or maintain personal information about California residents must implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure. In addition, businesses must take all reasonable steps to destroy, or arrange for the destruction of, customer records containing personal information within their custody or control when the records are no longer needed (Cal. Civ. Code § 1798.81), for example by shredding or erasing them so that the information is unreadable.
Connecticut - Effective as of October 1, 2008, businesses in possession of personal information are required to safeguard the data, computer files and documents containing such information from misuse by third parties. Businesses that collect Social Security numbers must create and publish or publicly display a privacy protection policy that protects the confidentiality of Social Security numbers, prohibits their unlawful disclosure, and limits access to them. For purposes of the statute, posting the policy on an Internet Web page is sufficient to meet the “public display” requirement.
Rhode Island - Rhode Island law requires businesses that own or license computerized, unencrypted personal information about Rhode Island residents to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure. Note that the statute is limited to unencrypted data; encrypting stored personal information narrows the scope of the obligation.
Texas - Under Texas law, businesses that collect or maintain personal information are required to implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard the information against unlawful use or disclosure.
“Specific Measure” States:
Massachusetts - Effective as of May 1, 2009, all businesses that collect, store or transmit personal information about Massachusetts residents must adopt a comprehensive written information security program, conduct internal and external security reviews, and implement employee training programs. The regulations (201 CMR 17.00, issued under M.G.L. c. 93H) set out a checklist of minimum requirements for the security program and minimum technical requirements for computer systems that electronically store or transmit personal information. Of particular note, the regulations require businesses to encrypt personal information transmitted across public networks such as the Internet, to encrypt personal information transmitted wirelessly, to encrypt personal information stored on laptops and other portable devices, and to maintain reasonably up-to-date firewall protection that acts as a gatekeeper between the data and the outside world and permits only authorized users to access or transmit the data. The regulations’ definition of encryption is technology-neutral, but a practitioner should note that a login password, or a password-protected file whose contents are still stored in the clear, does not satisfy it; the stored or transmitted data itself must be rendered unreadable without a key. The regulations also reach third-party service providers by requiring businesses to contractually obligate their providers to protect any personal information entrusted to them. The related requirement for written certification of compliance from third-party providers does not take effect until January 1, 2010. January 1, 2010 is also the deadline for encrypting other portable devices, such as memory sticks, DVDs and PDAs, whereas the deadline for encrypting laptops is May 1, 2009. Finally, the regulations provide some “wiggle room” by stating that compliance is evaluated in light of the size, scope and type of the business, the resources available to it, the amount of data it stores, and the need for security and confidentiality of the information.
Nevada - Effective as of October 1, 2008, all businesses “in this State” are required to use encryption when electronically transmitting customers’ personal information (other than by facsimile) to a person outside the secure system of the business (NRS 597.970). In practice this reaches e-mail, file transfers and web sessions that carry personal information beyond the business’s own network. It is unclear, however, whether the law applies solely to businesses physically located in Nevada and to the personal information of Nevada residents, so the law could be read to apply to any entity conducting business with Nevada residents, regardless of where the business is located.
Businesses that collect or transmit personal information and operate on a nationwide basis need to be aware that recently adopted state data privacy and protection laws may affect their current practices. A violation of these laws may result in injunctions, fines, and/or imprisonment, so businesses should adopt security standards comprehensive enough to satisfy the most demanding of the state laws that apply to them, rather than the minimum required in any one state.
This article is intended merely as an overview of recent changes to state data protection laws and not meant to render specific legal advice with respect to these laws.
For more information about state data privacy and security laws or for assistance in compliance with these laws, please contact:
David C. Gryce
gryce.david@arentfox.com
202.775.5797
Halle Markus
markus.halle@arentfox.com
202.857.6113