Our Data Security Laws Update 9:07, April 27, 2017

We have written a lot about data security risks like password reuse, the value of data security training, employee negligence, and cybersecurity enforcement actions. Every so often, we also write about data security legal updates. This post summarizes four earlier posts that discussed data security laws, explains whether each is still up to date, and supplies takeaways.

International Data Security Laws

EU Privacy Shield

On July 12, 2016, the European Commission approved a framework for transferring the personal data of EU residents to the US. Known as the EU-U.S. Privacy Shield Framework or, “Privacy Shield,” it requires participating US companies to take extra precautions to protect the privacy of personal information belonging to EU residents when that data crosses the Atlantic. Specifically, it requires US companies to maintain a privacy policy, ensure that third-party agents maintain the same level of privacy protection, and commit to collecting and retaining only the minimum amount of personal data necessary, among other requirements.

The data security language of the Privacy Shield has not changed since we published the post. The biggest update is the rollout of the Swiss-U.S. Privacy Shield Framework, a “valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.” Companies can sign on to either or both frameworks, as their data flows require. Additionally, the General Data Protection Regulation (GDPR) is a similar data security law with international reach that is already having considerable impact on companies even though it does not become enforceable until May 25, 2018.

The Takeaway

While joining the EU Privacy Shield is voluntary for US businesses, businesses should pay attention to how the Privacy Shield defines “personal information,” because that definition is much broader than the ones found in most US state laws and is similar to what the GDPR demands.

State Data Security Laws

In addition to federal law and agency powers, companies should look to the states to understand their data security obligations. California, New Mexico, and New York passed laws or regulations that take effect in 2017. The other states mentioned in our earlier post, Alabama and Indiana, have not yet passed their data security laws.

California

California expanded its data breach notification law to require companies to notify consumers when encrypted personal information is breached and the encryption key or security credential is also compromised, so that the data could reasonably be read. Before, California law only required notification for the release of unencrypted personal information. The law took effect January 1, 2017.

New Mexico

New Mexico was one of many states to introduce new data security laws in the 2017 sessions. New Mexico’s Data Breach Notification Act (H.B. 15) requires any person who gathers and stores personal information of New Mexico residents (such as social security numbers or biometric information when paired with a name) to “implement and maintain reasonable security procedures and practices” and to notify affected people if their personal information has been breached.

The New Mexico law takes effect June 1, 2017.

New York

To much fanfare, the New York State Department of Financial Services (DFS), a state regulator, adopted the final version of its cybersecurity regulation for financial services companies (23 NYCRR Part 500). The regulation imposes a long list of requirements: it specifies the kinds of nonpublic information that must be protected, the cybersecurity programs and policies that covered companies must develop, and the security measures they must adopt to assess, monitor, and prepare for potential data breaches. It applies only to financial institutions regulated by DFS.

The final version did not change much from the previous draft, except for providing more ways for smaller financial institutions to qualify for exemptions. Data security training is still required, and covered institutions must have it in place by March 1, 2018.


There is, as yet, no federal data security statute that applies to all industries and all states. Nonetheless, every company should be proactive in establishing data security standards appropriate to its size, risk profile, industry, and operations. Learn more about Online Data Security training or read a white paper on what makes effective data security training.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Douglas Kelly
Douglas Kelly is EverFi's lead legal editor. He writes on corporate compliance and culture, analyzing new case law, legislation and regulations affecting US companies. Before joining EverFi, he litigated federal and state employment cases and wrote about legal trends. He earned his JD from Berkeley Law and BBA from Emory University.
