Recent Updates To State Data Breach Laws
One of the challenges for companies doing business online is that your customers may be scattered all over the country. While this is obviously good for business, it also means that you need to comply with the state data breach laws of every state where you have customers, because a law’s applicability is based on where your customers are and not where you are. Unfortunately, this gets pretty complex pretty quickly, and you should check with your legal counsel or an outside privacy/security-aware law firm to make sure that you are complying with the laws that apply to you. As you will see with the changes to the Tennessee law below, there are definitely nuances to these laws.
New Mexico
New Mexico was, until last month, one of the “Three Musketeers” – the only three holdout states that don’t have a data breach notification law. The other two are – can you guess? – South Dakota and Alabama. Well, now there are only two musketeers left. Last month New Mexico passed, and the governor signed, a data breach notification bill. It goes into effect in June.
One thing that they have done is include biometric data in their definition of personally identifiable information. That includes fingerprints, voice prints, iris or retina patterns, facial characteristics and hand geometry.
New Mexico also specifies that you have 45 days to notify people. Most states say something to the effect that you have to notify people without delay, but don’t give you a deadline. New Mexico has a deadline. It also requires that you notify the AG and credit bureaus if the breach affects more than 1,000 people.
Virginia
Virginia expanded its notification requirement to include income tax information. Most likely this is due to all the W-2 fraud. And, while we are at it, although we haven’t seen a lot of it yet, I-9 fraud seems like a likely offshoot of W-2 fraud: most companies save copies of documents like a passport, driver’s license and/or birth certificate with the I-9, which makes it a juicy target. So now you have to notify the AG if there is a breach of unencrypted taxpayer ID info along with income tax withheld (i.e. a W-2), provided there is a reasonable expectation of identity theft or fraud. The notification must be made without undue delay, and the AG will tell the tax departments.
Tennessee
Tennessee HAD the distinction of being the only state where you had to report breaches of encrypted data. Or at least that was the interpretation some people had. Now that confusion has been cleared up. Like most other states, you DO NOT have a get-out-of-jail-free card if the encryption key was compromised along with the encrypted data. While you may laugh at that, if someone compromises your server or workstation, it is LIKELY that the encryption key used to protect the data is embedded in a config file or in the software itself and is also compromised.
In what may be, again, the only state that specifies this, the data must be encrypted in accordance with NIST’s FIPS 140-2 standard. That is, unless your business is required to meet Gramm-Leach-Bliley or HIPAA, in which case this doesn’t apply, at least according to one source, but not the source below. Why they would do that is completely unclear. It may be that they think that it is too hard for people to comply with too many laws or that they don’t think they have jurisdiction. But those laws (GLBA and HIPAA) don’t specify the “quality” of the encryption algorithm, so if you encrypt your health or financial information with a weak encryption algorithm you may be compliant with GLBA and HIPAA (I don’t recommend using your Captain Marvel secret decoder ring to encrypt this data, but that is a personal decision). If, on the other hand, you run a retail store and you collect personal information, you had better use strong FIPS-140 compliant encryption. What “in accordance with FIPS-140” means is not clear, but I saw another reference that said that it had to be FIPS-140 certified software, which, if true, is a very important distinction.
The reason we tell people to consult legal counsel is that terms like “without undue delay”, “reasonable expectation of identity theft or fraud” and “FIPS-140 compliant” are pretty vague, and your company’s executive team, with legal advice, will need to decide what compliance really means.
I would definitely recommend checking out the Tennessee law requirements if you have customers in that state, because, if my understanding is correct, that could definitely add some wrinkles for your developers.
Information for this post came from Mondaq.