Imation: Research Into State Data Breach Notification Laws in USA
And associated penalties
This is a Press Release edited by StorageNewsletter.com on September 11, 2012 at 2:57 pmImation Corp. released results of research into state data breach notification laws and associated penalties.
The analysis shows that current state data breach notification laws are
strikingly similar but vary in compliance requirements for businesses,
with all laws highlighting the need for companies to deploy methods for
closely storing, protecting and controlling sensitive information.
Imation used publicly available sites (including information obtained via the National Conference of State Legislatures
to analyze state compliance laws in the 46 U.S. states that have such
laws, as well as in Puerto Rico, the District of Columbia and the U.S.
Virgin Islands.
Imation created a ‘Compliance Heat Map‘
to depict the strictness of data breach laws and resulting penalties
for breaches. It provides a visual snapshot of the strictness of
regulations by state, using a color scale ranging from light yellow
(less strict) to dark red (more strict).
"What the compliance heat map tells us is that data security needs to
be at top of mind for all IT pros, as there are rules in place for
nearly all states and territories and non-compliance could mean serious
penalties," said David Duncan, software and security solutions marketing director, Imation. "Yet,
companies also are challenged by explosive data growth and state and
federal requirements that mandate active archiving, long-term retention
and accessibility of that data. Businesses need resources to help
navigate laws and develop secure and scalable infrastructures for data
storage and protection."
IT pros today are responsible for managing data, which includes ensuring
security, BC and regulatory compliance. For SMBs, the challenge is
often to meet compliance requirements with limited resources, which
leads to higher risk.
In fact, the 2011 Verizon Data Breach report found that businesses with
between 11 and 100 employees reported more than six times as many data
breaches than businesses with between 101 and 1,000 employees, according
to the online website BusinessNewsDaily. Further, the loss or
theft of an unencrypted notebook, flash drive or removable hard disk
drive can expose gigabytes, or even terabytes, of private information.
IT professionals should implement strategies to protect their data
through network security, data encryption and enforcement of information
security policies, while staying well-informed of state compliance laws
in the not-unlikely event that a data breach does occur.
Compliance Heat Map Findings
Imation’s research found most state data breach notification laws to
offer similar definitions of personally identifiable information and
requirements regarding the notification of affected parties. Among the
research’s noteworthy findings:
- Four states have yet to enact a data breach notification law: Alabama, Kentucky, New Mexico and South Dakota.
-
According to Imation’s analysis, Virginia has the most strict law in the
nation. The law provides specific requirements on what is to be
included in a breach notification, requires government and credit
reporting agency notification, and includes a large financial penalty
relative to other states. -
A few states, including Virginia, require notification even if breached
data is encrypted-if the encrypted data was stolen along with the
encryption keys.
Compliance Heat Map Methodology
To conduct the research, Imation applied to the laws a series of
questions, organized to evaluate the laws’ requirements regarding
encryption, data that is within scope of the laws, notification of data
loss and destruction of data, as well as penalties for non-compliance
with the laws. Imation also considered other germane laws, such as those
dictating data destruction or allowing for consumer freezing of credit
report requests. Imation used publicly available information about the
laws, including the legislation itself.
Imation does not intend for this research to constitute a legal review
of the laws, and in no way are the results of this research intended to
be legal advice. Companies should consult with their legal counsel
before making any decisions regarding legal compliance.