|
|
|
|
Security Regulations
|
State Laws
- Applies to: Any business or organization, small or large, that gathers, licenses, transmits, or stores any form of personal information about their customers including name, social security number, credit card information, drivers license numbers, account numbers, birth dates, health information, financial information, and more.
- Penalties, Fines: $500 to $5,000 fines per customer record lost or stolen - depending on the state. Civil penalties up to $500,000 are applicable in most states for failures to safeguard personal data, properly dispose of such data, and to provide adequate privacy protections. Reckless or negligent disclosure of customer or employee personal information generally results in criminal penalties with severe fines and 1 to 3 years jail time..
- Virtually every state now has laws requiring all businesses to implement proper technical and administrative safeguards to protect customer information against identity theft and fraud. States are becoming increasingly aggressive at requiring specific practices and safeguards such as having a documented security plan, regular vulnerability risk assessments, updated and monitored computer security systems, data encryption, and most commonly, an incident response plan to notify customers of a breach and to remedy the situation.
Many state laws focus upon employee misuse of personal information. This "insider threat" has evolved into one of the greatest risks to ever confront organizations maintaining customer information. The regulations attempt to address this risk by requiring businesses to develop and implement data protection policies, employee awareness training, ongoing compliance monitoring, and disciplinary standards for willful privacy violations.
State laws are also interstate laws. Businesses with customers in other states must not only comply with their own state laws, they must also comply with state information security and security breach notification laws where their any of their customers reside. As a practical matter, businesses should comply with the regulations in the most highly-regulated states.
Additional Information:
|
|
