Data Security Law in 2011: States Remain the Center of Attention
Tags: Data Breach, Fraud Management
State laws requiring "reasonable" data security have had a positive impact, but data breach notification laws have had the most profound effect on the improvement of data security.
While the talk of 2011 is the possibility of Congressional action on a privacy bill and/or a single, preemptive federal data security law, states remain the primary source of data security laws in the U.S. State laws requiring "reasonable" data security have had a positive impact, but data breach notification laws2 have had the most profound effect on the improvement of data security. These laws have motivated companies through negative incentives to improve data security to avoid publicity, embarrassment, and the risk of notification. State involvement in data breaches also has extended to the medical space, as states have begun to enforce the HITECH Act.3 A handful of state data security laws were enacted in 2010, building on the solid base established during the preceding decade. And like the laws that came first, the new state laws purport to apply to personal data of state residents no matter where the data resides, in state or out-of-state. Thus, businesses holding data of citizens from multiple states are subject to multiple state laws.