Data Security Privacy Laws in Business
There is an ever-growing number of state and federal data security and privacy laws, and most of them require a business to notify affected individuals (and often regulators) when personal information is breached. To prepare your business, you first need to know what counts as “Personal Information (PI)”. The definition below follows the Massachusetts regulation (201 CMR 17.00, which restates M.G.L. c. 93H) with a few additional elements; not every law covers all of these identifiers, but it is safest to treat all of them as PI:
- A resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to the resident:
- Social Security number.
- Driver’s license number or state-issued (e.g. Massachusetts) identification card number.
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the resident’s financial account.
- A biometric indicator.
- Insurance policy or member number.
- Health information.
US Federal Data Security Privacy Laws
Businesses, educational institutions, medical facilities and government agencies are required by data security and privacy laws to protect the personal information of their customers, employees, patients and vendors.
The average data breach in 2010 cost businesses $7.2 million per incident*. Healthcare accounted for over 66% of all 2010 data security breaches**.
- American Recovery and Reinvestment Act: ARRA (through its HITECH provisions) allows state attorneys general to bring civil actions for damages on behalf of their residents after a breach of protected health information.
- HITECH: The Health Information Technology for Economic and Clinical Health Act, Title XIII, Subtitle D of ARRA, strengthens HIPAA’s data protection requirements, defines what constitutes a breach and sets the notification rules that apply after one.
- FTC Red Flags Rule: Requires financial institutions and creditors that hold covered accounts to implement a written Identity Theft Prevention Program to identify, detect and respond to “red flags” of identity theft.
- Health Insurance Portability and Accountability Act: HIPAA’s Privacy and Security Rules apply to covered entities (health plans, health care clearinghouses and health care providers) and to the business associates that handle protected health information on their behalf.
- Fair and Accurate Credit Transactions Act: FACTA’s Disposal Rule requires businesses to take “reasonable measures” to protect against unauthorized access to consumer report information when storing and disposing of it, on paper or in electronic media.
- Gramm-Leach-Bliley Act: GLBA defines “financial institution” broadly, so mortgage companies, schools that administer student loans, car dealers that arrange financing, insurance companies, retailers that extend credit, etc. are covered and must safeguard customer financial information.
- Federal Information Security Management Act: FISMA is the U.S. federal law that recognizes the importance of information security to the economic and national security interests of the United States. Each federal agency must run an agency-wide information security program that also covers systems operated on its behalf by contractors.
- Children’s Internet Protection Act: CIPA requires K-12 schools and libraries that receive certain federal funding to operate technology protection measures on computers with Internet access that block access to visual depictions that are obscene, child pornography, or harmful to minors.
- Children’s Online Privacy Protection Act: COPPA applies to the online collection of personal information by persons under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children’s privacy and safety online including restrictions on the marketing to those under 13.
- Privacy Act of 1974: The Privacy Act establishes certain controls over what personal information is collected by the federal government and how it is used. The act guarantees three primary rights: (1) the right to see records about oneself, subject to the Privacy Act’s exemptions; (2) the right to amend that record if it is inaccurate, irrelevant, untimely, or incomplete; and (3) the right to sue the government for violations of the statute, including permitting others to see your records, unless specifically permitted by the act.
- Electronic Communications Privacy Act: ECPA prohibits the unauthorized interception of electronic communications, like email, texts and instant messages.
- Stored Communications Act: SCA prohibits unauthorized access to electronic communications stored in certain computer systems.
US State Data Security Privacy Laws
The hardest part for businesses is that they must be aware of every state’s data security and privacy law, because most of these laws apply based on where the affected individual lives, not where the business is located: a business that stores information about a resident of a state is covered by that state’s law even if it has no presence there. With eCommerce, everyone is affected.
- California’s SB1386 (the Database Security Breach Notification Act, codified at Civil Code §1798.82): SB1386 requires any holder of personal information about a California resident, regardless of where the holder is located, to notify each resident whose information may have been compromised. Almost every US state has since passed a similar breach notification law.
- Massachusetts Data Privacy Act: 201 CMR 17.00 requires every entity, including non-profits, that collects and handles Personal Information of Massachusetts residents, regardless of where that entity is located, to institute safeguards by adopting a comprehensive Written Information Security Program (WISP); the compliance deadline was March 1, 2010.
Industry Data Security Privacy Laws
- Payment Card Industry Data Security Standard: PCI DSS is not a law but a contractual industry standard, maintained by the PCI Security Standards Council, that sets requirements for protecting cardholder data for any entity that stores, processes or transmits payment card information.
* Ponemon Institute, Annual Study: U.S. Cost of a Data Breach (2010)
** 2010 ITRC Breach Stats Report
See also the white paper by the Council of Better Business Bureaus, “A Review of Federal and State Privacy Laws.”