July/August 2009 / Features

Data Breaches Have Bred a Patchwork of State Laws

The first state law addressing data breaches was passed in California in 2002. Since then a patchwork of laws has evolved in 41 states, Puerto Rico and the District of Columbia. State laws apply based on where the potentially harmed clients or consumers are located, not the company, so companies small or large can have a major legal as well as a PR problem after a breach.

There are major differences in how the states define a breach and what they require by way of a response. Penalties vary widely as well, from a few hundred dollars for a violation up to six figures. Ten states require businesses to conduct a “reasonable” investigation after a breach, with the definition being left to interpretation.

The author says there are both technical and “policy” reasons for retaining investigators from outside the company’s own IT department, at least for incidents involving a large amount of data. Policy considerations include the need to preserve evidence untainted and the possibility that an IT department would face a conflict of interest if it were, in effect, called upon to investigate itself.

Despite legislation, the frequency of data breaches is increasing, with insider breaches, targeting of major financial institutions and the involvement of organized crime all becoming more common. Encryption is the single most important preventive measure, the author says.
