By Law, Who Is Responsible For Providing Safety Data Sheets?
Three More States Add Laws on Data Breaches
Past
Computerworld |
Companies struggling to keep up with a patchwork of country laws related to data privacy and information security have three more to contend with, as a event of new security-breach notification laws that went into effect in Illinois, Louisiana and New Jersey on Jan. i.
Similar existing statutes in more than xx other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers.
For instance, New Jersey'south Identity Theft Prevention Act requires businesses to destroy all customer data that'southward no longer needed and to notify consumers when sensitive data about them has been accessed past an unauthorized person. The law also limits the utilize of Social Security numbers on all items that are sent via postal mail.
Louisiana'due south Database Security Alienation Notification Law requires entities that collect information on the country's residents to notify afflicted individuals of security breaches involving their confidential data. Government officials besides demand to be notified, according to the law. Illinois' Personal Information Protection Act is similar, although information technology doesn't require companies to inform the land government when breaches occur.
For companies that practice business nationally or in diverse states, the smorgasbord of country laws poses a growing problem, because the measures ofttimes specify different triggers for notifications and set up varying requirements on what needs to be disclosed, to whom and when, said Kirk Herath, master privacy officer at Nationwide Common Insurance Co. in Columbus, Ohio.
In addition, some states crave companies to provide credit-monitoring services to affected customers, whereas others don't, Herath said. And not all of u.s.a. offer safety-harbor provisions that exempt companies that encrypt data from their laws, he said.
Seeking Consistency
"What I would adopt to run across is something that would be uniform and preemptive [of state laws]," Herath said. "Otherwise, you take a very inconsistent application of the police, with some states requiring you to exercise zero [and] some hammering you to the bespeak of being unfair."
"We're hoping a federal law will help clarify the situation," said the director of information security at a specialty retail chain based in California.
Until that comes to pass, the retailer plans to go along to use the SB 1386 breach-disclosure police force that went into effect in California more than ii years agone as a "baseline" for developing its security incident response and notification strategy, said the manager, who asked not to be identified.
The retail concatenation too plans to develop an data filigree that will aid it rapidly go through a checklist of requirements for each state in case it triggers a notification statute. Nationwide already has such a grid, according to Herath.
"What the situation is crying out for is a federal version of the state laws," said Arshad Noor, CEO of StrongAuth Inc., a compliance and identity direction services business firm in Sunnyvale, Calif. But such a law would have to be at least as strong as the existing state regulations are for it to win blessing from federal legislators, Noor said.
| LEGAL DIFFERENCES |
| The new breach notification laws each have unique provisions: |
Copyright © 2006 IDG Communications, Inc.
By Law, Who Is Responsible For Providing Safety Data Sheets?,
Source: https://www.computerworld.com/article/2561591/three-more-states-add-laws-on-data-breaches.html
Posted by: mcmullincousine.blogspot.com
0 Response to "By Law, Who Is Responsible For Providing Safety Data Sheets?"
Post a Comment