Legal Opinion
The States and Attorneys are Involved
States may have even more stringent regulations. In the past year and a half, 30 states have passed laws requiring the notification of clients whose information has been compromised. The California legislature maintains that any enterprise can be legally liable for inadequate data security. Under A.B. 1950, almost any business possessing private data about a California resident has a duty to protect that data no matter where the firm is located. Thus, California laws are having an impact far beyond the state's borders. Data security legislation is affecting firms nationwide.
Many other states already have, or are considering, security regulations that are stricter than the federal requirements. Indiana makes it a crime to lose unencrypted data, and New York requires periodic third-party evaluation of your security system. On the other hand, most states do not even require you to notify clients that their information was lost or stolen … if it was encrypted!
34 States Now Regulate Information Privacy Notification:
State laws are not preempted by GLBA, except to the extent they are "inconsistent" with federal law. A state law is not inconsistent if it affords "greater protection" to consumers than provided by federal law.
(FTC, Section 507 of the G-L-B Act)
There have already been several cases in which a company victimized by criminals has faced liability under a state's consumer protection statutes. Several states have already passed or are considering consumer information privacy regulations. Here are three that have regulations already in effect.
California has been at the forefront of protecting the privacy of online and electronic information and requires entities to notify their customers any time they become aware of a breach of security that involves the disclosure of personal information.
In 2003, California adopted Senate Bill 27, which becomes operative on January 1, 2005. SB 27 allows consumers to discover how companies disseminate personal information for direct marketing purposes. It also incorporates the "opt-in" concept (as compared to the opt-out approach in GLBA), which has become a prevalent means by which regulators and legislators seek to allow consumers to control access to their personal and financial information.
California's notification law was enacted after California's Teale Data Center lost information on 265,000 state employees whose personal data was exposed during a hacking incident (California Civil Code 1798.84 (SB1386); California Senate Bill 1386, which became effective July 1, 2003). California defines "personal information" as a person's first name or first initial and last name in combination with any one or more of the following elements, where either the name or the elements are non-encrypted:
- Social Security number
- Driver's license or identification card number
- Account number, credit or debit card number together with a code which permits access
The problem has not gone away. As recently as March 13, 2004, the Los Angeles Times reported that a malfunctioning web site may have allowed the Social Security numbers, addresses and other personal information of more than 2,000 University of California applicants to be viewed by other students.