The Wall Street Journal reports on some new data privacy laws in the states.
Nevada is the first of several states adopting new laws that will force businesses — from hair stylists to hospitals — to revamp the way they protect customer data. Starting in January, Massachusetts will require businesses that collect information about that state’s residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.
While just a few states have adopted such measures so far, the new patchwork of regulations is something many businesses will have to navigate, since the laws apply to out-of-state companies with operations or customers in those states. […]
The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent, said Miriam Wugmeister, an attorney with Morrison & Foerster LLP.
The so-called breach-notification laws, which were enacted in more than 40 states, ended up doing little to tamp down security breaches.
These new laws are sorely needed. Encryption is a basic level of security. It is not expensive. It does not have to be complex. But it will add a layer of protection if you or a business lose or have stolen a laptop, USB key, CD, external hard drive, or other mobile computing equipment. The Bank of New York Mellon learned this lesson the hard way; it only added this minimum level of security after it lost data on 4.5 million individuals and 747 companies.
You can learn more about security breaches and identity theft at Privacy Rights Clearinghouse. The organization has a “Chronology of Data Breaches,” which shows that 245 million records have been exposed because of security breaches in the public and private sectors since January 2005.