Afterthoughts: A Compliance Challenge


This story appears in the September 2009 issue of Cards&Payments.

Compliance with data privacy and information security laws presents a dizzying array of challenges for businesses owning, maintaining or handling sensitive personal information, particularly information relating to credit, debit or other financial accounts.

No single federal law or regulation governs the security of all types of personal information across all business sectors. Instead, the U.S. government has taken a sectoral approach to protecting personal information.

Laws such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act regulate how certain industries protect information, while the Federal Trade Commission's new "Red Flags Rule" requires financial institutions and creditors to take steps to spot identity theft and respond appropriately when it is detected.

Though businesses generally are aware of obligations arising under these federal laws, many tend to overlook state laws and regulations. The absence of overarching federal rules has resulted in the enactment of a complicated patchwork of state laws. With data losses as a result of hackings, phishing scams, stolen laptops and other incidents on the rise, states have sprung into action by passing additional legislation.

In the past seven years alone, 45 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted laws requiring entities experiencing data breaches to notify affected consumers. States also have enacted a slew of substantive data-protection laws intended to safeguard information.

These laws, which vary considerably across states, establish minimum standards for the safeguarding of personal information and generally fall into three broad categories: protection of personal information, data disposal and Social Security number protection. Companies doing business in numerous states typically are subject to the laws of multiple jurisdictions, making compliance a tricky proposition and exposing companies to liability from multiple sources.

As if keeping tabs on these laws were not enough, businesses need to track and be prepared for changes in these state laws. New laws and regulations are set to take effect in Massachusetts and Nevada on Jan. 1, for example.

The Massachusetts regulations are wide-ranging in substance and scope, applying to any entity that collects or maintains personal information (including financial account or credit or debit card numbers) on a Massachusetts resident. Among other things, the regulations mandate that companies adopt a comprehensive, written information-security program, encrypt personal information stored on laptops and portable electronic devices, and adopt other administrative and technical safeguards.

The Nevada law mandates compliance with the Payment Card Industry Data Security Standard for all data collectors doing business in that state that accept credit or debit cards in connection with the sale of goods or services, as well as encryption in certain situations.

Failure to comply with state laws can lead to high-profile investigations or lawsuits by government officials and to private suits. State attorneys general typically are vested with enforcement authority under state data-protection and breach-notification laws, as well as under general consumer-protection statutes. More and more attorneys general have become active in investigating data losses, and they frequently partner with other attorneys general on multistate investigations.

Notably, in June more than 40 states settled a sprawling multistate investigation of TJX Cos. Inc., parent of retail chains TJ Maxx and Marshalls. TJX ended up paying $9.75 million in connection with the hacking of a system managing credit and debit card transactions that resulted in the exposure of more than 94 million card accounts.

In light of such incidents, it is essential for companies to develop compliance programs that account not only for federal law but state laws as well. Doing so can help avoid a data loss and mitigate compliance risks.

Divonne Smoyer is a partner and Ryan Mehm is an associate in the Washington, D.C., office of Dickstein Shapiro LLP, where they counsel clients on data privacy and information security matters. They can be reached at smoyerd@dicksteinshapiro.com and mehmr@dicksteinshapiro.com.
