Our Data Security Laws Update
We have written a lot about data security risks such as password reuse, the value of data security training, employee negligence, and cybersecurity enforcement actions. Every so often, we also write about data security legal updates. This post revisits four earlier posts that discussed data security laws, explains whether each is still up to date, and supplies takeaways.
International Data Security Laws
On July 12, 2016, the EU approved a framework for transferring European citizens' data to the US. Known as the EU-U.S. Privacy Shield Framework, or "Privacy Shield," it requires US companies to take extra precautions to protect the privacy of personal information belonging to EU citizens when that data crosses the Atlantic. Specifically, it requires US companies to maintain a privacy policy, to ensure that third-party agents maintain the same level of privacy protection, and to commit to collecting and retaining only the minimum amount of personal data necessary, among other requirements.
The data security language of the Privacy Shield has not changed since we published that post. The biggest update is the rollout of the Swiss-U.S. Privacy Shield Framework, a "valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States." Companies can sign on to either or both frameworks and comply with the respective law. Additionally, the General Data Protection Regulation (GDPR) is a similar data security law with international reach that is already having a considerable impact on companies even though it does not take effect until May 2018.
Takeaway
While joining the EU-U.S. Privacy Shield is voluntary for US businesses, those businesses should pay attention to how the Privacy Shield defines "personal information": the definition is much broader than most definitions found in US law and is similar to what the GDPR demands.
State Data Security Laws
In addition to federal law and agency powers, companies should look to the states to understand their data security obligations. California, New Mexico, and New York passed laws or regulations that take effect in 2017. The other states mentioned in our earlier post, Alabama and Indiana, have not yet passed their data security laws.
California
California expanded its data breach notification law to require companies to notify consumers when the security of encrypted personal information is breached and the encryption key or security credential that could render that information readable is also compromised. Before this change, California law only required notification for the release of unencrypted personal information. The amendment took effect January 1, 2017.
New Mexico
New Mexico was one of many states to introduce new data security laws in the 2017 legislative session. New Mexico's Data Breach Notification Act, also known as H.B. 15, requires any person who gathers and stores the personal information of New Mexico residents (for example, Social Security numbers or biometric information when paired with a name) to "implement and maintain reasonable security procedures and practices" and to notify affected residents if their personal information has been breached.
The New Mexico law takes effect June 1, 2017.
New York
To much fanfare, the New York State Department of Financial Services, a state regulator, issued the final version of its cybersecurity regulation for financial services companies. The regulation imposes a wide range of requirements: it specifies the kinds of nonpublic information that must be protected, the cybersecurity programs and policies that companies must develop, and the security measures companies must put in place to assess, monitor, and prepare for potential data breaches. It applies only to financial institutions regulated by that state agency.
The final version did not change much from the previous draft, except to provide more ways for smaller financial institutions to qualify for an exemption. Data security training is still required, and covered financial institutions must complete it by March 1, 2018.
Takeaway
There is not yet a federal data security statute that applies to all industries and all states. Nonetheless, all companies should be proactive in establishing data security standards appropriate for their size, risk profile, industry, and operations. Learn more about Online Data Security training or read a white paper on what makes data security training effective.
LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.