Enterprise Insights

Imation Helps Enterprises Make Sense of Mishmash of State Data-Breach Regulations

If you think the patchwork of state data-breach notification laws is confusing, you’re not alone. Fortunately, Imation Corp. -- a scalable storage and data security company -- has collected and examined information from a variety of publicly available sites (such as the National Conference of State Legislatures) as well as analysis from two law firms, and consolidated its analysis into a compliance heat map, available at www.imation.com/compliancemap. (You’ll also find a link to the combined compliance map and state scores and rankings there.)

Imation looked at each of the states and applied a series of questions to evaluate details such as what data is covered and what notification and data destruction are required. For example, as part of its analysis, the company determined whether the law or regulation specifies how data is to be destroyed, the amount of the penalty, who must be notified, and what encryption is required (and whether encryption is sufficient). Imation factored in whether the law applies to “owners and licensees,” and examined whether the regulations apply to state agencies or if government entities are exempt.

The map shows how strict each state’s data breach laws and penalties are, from light yellow (the least strict) to dark red (the danger zone). In fact, according to Imation’s analysis, Virginia has the strictest laws; the state has specific requirements about “what is to be included in the breach notification, requires government and credit reporting agency notification, and includes a large financial penalty relative to other states.” Virginia, along with a few other states, also requires notification even if the breached data was encrypted, provided the encryption key for the data was also stolen.

According to the company, “data breach notification laws are strikingly similar, but vary in compliance requirements for businesses, with all laws highlighting the need for companies to deploy methods for closely storing, protecting, and controlling sensitive information.” Imation looked at state compliance regulations of the 46 U.S. states with such laws (Alabama, Kentucky, New Mexico, and South Dakota have none), as well as the U.S. Virgin Islands, the District of Columbia, and Puerto Rico.

I asked Dave Duncan, software and security solutions marketing director at Imation, if there were any surprises in the results.

“What is surprising is that there are not yet uniform rules for data breach notification. A number of legislative attempts have been initiated in the U.S. Congress and Senate, but to date these have not yet become law. The lack of a standard application of data breach notification laws makes it extremely difficult for businesses to assess their risks and understand their obligations in the event of a potential or actual data loss.”

The report highlights the extra burden this patchwork system of regulations imposes. “Businesses with operations and customers in multiple states need to ensure they understand the potential implications of data loss in each state in which they have an operational facility and customers. This is because their requirements for response to any such loss will be mandated by the state in which customers live that have had their information lost. Some states also require notification disclosure based on the location of the company’s operations.

“Another issue is that some states require notification to customers if a potential for data loss occurs. For example, an organization may have misplaced a device that has consumer data on it. The device is not yet known to be lost or compromised nor has a theft of the data occurred. Merely the fact that a potential loss may occur can trigger notification laws in some states.”

Duncan added, “For businesses, the risks of potentially restrictive federal data breach notification legislative rules may, in fact, be offset by the reduced costs of having a uniform set of guidelines by which they can better understand their risks and costs for notification in the event that a data loss occurs.”

-- James E. Powell
Editorial Director, ESJ

Posted on 09/04/2012 at 11:53 AM