Data Privacy and Security Wrap-up


We held a terrific webinar today on "How to Comply With the Latest Data Privacy & Security Regulations." What made it work were the expert panelists, Dave Cieslak of Arxis Technology and Ken McCall of Boomer Technology Group. Dave moderated and provided a sharp overview of the security threats and vulnerabilities facing corporate IT. Ken cautioned against using email for file transfer because it is insecure and unencrypted, and because large attachments put an overwhelming load on email systems.

I was lucky enough to share the forum with them and provide updates on some of the relevant security statutes. If you missed it, below are highlights of some of the updates. You can also request a recording of the webinar by contacting: sales@leapfile.com

45 States and counting

Just earlier this month, Missouri joined 44 states, the District of Columbia, Puerto Rico and the Virgin Islands in requiring notification of security breaches involving personal information. States with no security breach law: Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota. You can expect this to change in the near future.

This area of legislation is intended to cover private information, which is defined specifically by each statute. Typically, the statutes cover data that is identifiable by a name plus some other unique identifier, such as a Social Security number, driver's license number, or bank account number.

Breach notification laws follow California SB 1386, the first of its kind, enacted in 2003. Under this approach, businesses must promptly disclose a data breach to affected customers. Things to look for in your specific state:

1. Notification: how soon must you inform customers of a data breach?

2. Penalty for failure to disclose: what civil or criminal penalties can be imposed?

3. Private right of action: Can consumers sue?

4. Exemptions: what kinds of breaches, if any, are companies exempt from reporting?

Most states allow exemptions for encrypted data or for data received by authorized persons. This suggests two safe harbors: using technology that provides encryption, and using technology that provides authentication.

Massachusetts and Nevada take a different path

These two states have taken a more proactive, front-end approach, with Massachusetts garnering most of the attention.

Nevada Updates Encryption Law and Mandates PCI DSS Compliance

Nevada SB 227 replaces NRS 597.970 and becomes effective January 1, 2010. Currently, businesses are required only to encrypt personal information that is transferred outside the secure system of the business. Under the new law, businesses will also need to encrypt data storage devices that contain personal information when those devices are moved beyond the physical or logical controls of the business. In layman's terms, this means that businesses must encrypt documents sent over the Internet as well as documents stored on laptops and flash drives. In addition to expanding what needs to be encrypted, the new law also mandates compliance with the Payment Card Industry Data Security Standard ("PCI DSS") for businesses that accept payment cards.

Massachusetts Encryption Statute (MA 201 CMR 17) postponed to January 1, 2010

The Massachusetts statute is probably the most talked-about data privacy statute because it is the most comprehensive and most stringent. Not only does it prescribe encryption and firewall mandates, it also requires businesses to institute internal compliance programs and to obtain certificates of compliance from third-party providers. Businesses are scrambling to comply, and given the current economy, many aspects of the law have been postponed or watered down. Now, it has been postponed to January 1, 2010. One noted change is the removal of the requirement for written compliance certification by vendors. This is significant because businesses must rely on third-party technologies to help comply with the stringent statute. It's a safe bet that we have not seen the final version of this ambitious statute.

Some Changes to HIPAA

Even if you are not a medical provider, HIPAA may be relevant to you if you have clients in the healthcare industry. With HIPAA, it seems, every year brings new changes. In 2009, some changes affecting HIPAA's privacy and security requirements come as part of the Federal Stimulus Plan.

Two are worth noting:
(1) Covered entities are now required to notify affected individuals when a privacy breach occurs. Previously, an entity only needed to try to limit the negative effects of a breach. The notification requirement applies only to "unsecured" information, that is, information that has not been protected by encryption or similar safeguards.

(2) Who is covered by HIPAA now includes "business associates" of covered entities. One example would be a third-party administrator who helps an employer administer its health plan. I know many of our accounting customers have a benefits arm that this is relevant to.
