Five States Introduce New Data Security Laws
Five states have introduced new data security laws that either moved forward in the legislative process or failed in 2017. All of them require organizations to implement stronger data security efforts when handling personal information, a regulatory nudge that supports a company's practical efforts to keep ahead of the constantly changing cybersecurity curve.
New York introduced a sweeping data security bill in 2016, A.B. 5232, which sought to amend the state's main data security and data breach notification law. It would have required any person or business doing business in New York to protect private information by developing and maintaining an information security program. The security program would have been required to identify and assess risks and vulnerabilities, monitor third-party providers, provide ongoing training, manage an appropriate number of staff members, and develop and enforce data security policies. The law would have required each program to be tailored to the size, amount of resources, and level of private information each business maintained. This is not unlike the recommendations set out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
While A.B. 5232 failed in the legislature this year, the New York State Department of Financial Services finalized its cybersecurity requirements for financial institutions.
Maryland introduced H.B. 974 in 2017 to amend its existing data security law. That law, the Maryland Personal Information Protection Act, requires businesses handling the personal information of a Maryland resident to "protect personal information from unauthorized access, use, modification, or disclosure" and to "implement and maintain reasonable security procedures and practices." Businesses also have data breach investigation, notification, and third-party management responsibilities under the law.
H.B. 974 primarily defines what "reasonable security procedures and practices" means: procedures and practices "developed in good faith and set forth in a written information security policy" that identifies risks, establishes safeguards to address those risks, and evaluates and adjusts the cybersecurity policy, including its implementation.
Introduced in January 2017, Indiana's data security bill, S.B. 549, allows the state attorney general to sue health care providers and similar professionals that intentionally, recklessly, or negligently handle health records in a way that leads to a data security breach. Additionally, database owners that follow federal Health Insurance Portability and Accountability Act (HIPAA) guidelines are no longer exempt under this Indiana law if they do not maintain and implement "reasonable procedures" to protect health care records.
While complying with HIPAA security and privacy standards is mandatory, and helps fend off ransomware attacks, this bill shows that compliance with federal data security laws is necessary but not sufficient.
New Mexico and Alabama
Introduced for consideration in the 2017 session, New Mexico's Data Breach Notification Act, H.B. 15, requires any person who gathers and stores personal information of New Mexico residents (such as social security numbers when paired with a name) to "implement and maintain reasonable security procedures and practices" and to notify people if their personal information has been breached or disclosed. Third-party service providers handling similar data must also implement these procedures.
The Alabama Information Protection Act of 2016, S.B. 238, would require a business that handles "sensitive personally identifying information" to notify affected individuals, as well as the state attorney general, of a breach. Further, to prevent breaches from occurring in the first place, the bill would require companies to maintain "reasonable security measures" to protect personal information.
New Mexico's and Alabama's bills are similar in overall structure and approach: they impose notification requirements and require "reasonable" data security practices. They also exempt companies that adhere to the federal Gramm-Leach-Bliley Act (for financial institutions) and/or HIPAA. They aren't identical, however. The Alabama bill is more limited: it requires a breach to affect 1,000 or more residents before the law would require any notification from a business, and it does not consider biometric information to be sensitive information. New Mexico's bill has no such threshold on notification, and it includes biometric data as sensitive information that must be protected.
These two bills are noteworthy because New Mexico and Alabama are two of only three states in the US that do not yet have a data security breach notification law (the other is South Dakota), according to the National Conference of State Legislatures.
Increasing data security protections, whether through new laws or amended ones, shows the growing prevalence and impact of state regulation of data security in the absence of a federal data security law. Companies that stay ahead of the curve and do more than the law requires will not find themselves so burdened, especially since identifying, addressing, and preventing data security risks is good business practice. This is why companies are making cybersecurity a top priority.
LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.