News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Outlook for State Data Security Laws: More than Breach Notification Related reading: Morrison Foerster Privacy Library

rss_feed

""

Is data security legislation coming to a state near you? With data breaches continuing to make the headlines, 60 Minutes reporting that breaches are inevitable and federal legislation seeming unlikely, consumers and advocates may press state lawmakers to address data security. We have already seen state data breach notification laws proliferate following California’s enactment of the first such law in 2002. We may see data security laws spread in a similar fashion. In this post, we look at current and proposed state data security laws and consider their potential impact.

At least 31 states have already established laws regulating the secure destruction or disposal of personal information. And at least 12 states—Arkansas, California, Connecticut, Florida, Indiana, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas and Utah—have imposed broader data security requirements. Some states, such as California and Indiana, impose the general requirement that organizations implement and maintain reasonable safeguards to protect personal information from unauthorized disclosure or use. Other states, such as Nevada and Massachusetts, impose more granular requirements. Nevada requires organizations that collect payment data to comply with the PCI Data Security Standard. Massachusetts regulations require organizations to implement and maintain written data security programs that include specific requirements, including oversight of third-party service providers, risk assessments and imposing discipline for violations of security policies.

This year, the New York State Assembly is considering legislation (A. 10190) that would impose prescriptive Massachusetts-like data security requirements. In fact the proposed legislation is similar to the Massachusetts regulations in many ways. The New York bill requires businesses processing personal information to adopt comprehensive information security programs implementing administrative, technical, and physical safeguards. Businesses must designate one or more employees to maintain information security programs and identify and assess reasonably foreseeable information security risks. The bill requires businesses to take reasonable steps to select third-party service providers that are capable of maintaining appropriate security measures and contractually require those service providers to adopt such measures. The bill also imposes requirements relating to secure physical storage of data, annual security reviews and a mandate that actions taken in connection with security breaches are documented.

The New York bill differs from the Massachusetts law in an important respect, however. It establishes separate requirements for companies that maintain, but do not own, computerized data, distinguishing between entities that have broad rights to data; i.e., companies that “own” computerized personal information, and those service providers that process or store information only on behalf of data owners; i.e., companies that “maintain” computerized personal information. No such distinction is found in the Massachusetts standard, which expressly applies the same standards to data owners and data maintainers.

The additional requirements for service providers under the proposed New York law include establishing, to the extent feasible, a security system that addresses:

  • secure user authentication protocols;
  • secure access control measures that assign unique, non-default IDs and passwords to each person with access to systems;
  • encrypting personal information that travels across public networks or is transmitted via wireless;
  • monitoring systems for unauthorized use of or access to personal information;
  • encrypting information stored on portable devices;
  • implementing appropriate firewall protections and operating system patches;
  • implementing security software that receives regular updates, and
  • security education and training.

A. 10190 is still in the early stages of New York’s legislative process, but the bill may be a harbinger of legislation to come, with potentially significant implications for corporate security and compliance resources and budgets. On their face, granular security requirements may appear to establish stronger protections for personal information than do statutes that simply require organizations to implement “reasonable” security measures. However, that perception undervalues the strength of security programs that are designed to meet the reasonableness requirement.

For over a decade, the Federal Trade Commission (FTC) has used its authority under Section 5 of the FTC Act to enforce reasonable security practices. The FTC has taken the position that reasonable practices include:

  • authentication controls (including strong password policies);
  • encrypting personal information during transmission or when stored on portable devices;
  • limiting access to personal information based on job responsibilities;
  • secure data disposal and destruction;
  • reviewing software and products for vulnerabilities on an ongoing basis;
  • overseeing the activities of service providers;
  • implementing firewalls and security patches, and
  • monitoring for intrusions and unauthorized access to personal information.

Note that the list of reasonable practices closely resembles the granular requirements proposed in the New York legislation. One could therefore question whether a granular set of requirements is necessary to establish enforceable security standards. Moreover, the FTC’s views of what constitutes reasonable security are regularly updated in light of actual matters pursued by the commission, and it would be more difficult to update a statute (although some say that the FTC’s views on data security are difficult to ascertain and could usefully be explained with more detail and regularity).

One could also question whether a granular set of requirements enacted into law will always be sufficient to promote security. For example, consider the New York proposal that service providers implement access control measures that “assign unique identifications and passwords, which are not vendor-supplied default passwords, to each person with computer access that are reasonably designed to maintain the integrity of the security of the access controls.” That can be interpreted as a requirement for organizations to use passwords as a security control, which may seem reasonable. But a growing number of security experts claim that “passwords are dead” and do not provide adequate protections. Whatever the merits of passwords may be, legislation that imposes specific security controls risks harming security if those controls become obsolete or otherwise ineffective.

Another potential drawback of states establishing granular security requirements is that interstate and international organizations may be governed by a patchwork of security standards imposing potentially conflicting obligations. Already, organizations with U.S. operations must navigate various breach notification laws that differ in the types of information protected, the types of incidents that warrant notification and the required content of notifications.

If granular security laws proliferate like breach notification laws have, organizations may soon have to navigate various, and potentially conflicting, data security obligations. The costs of compliance could be substantial. And those costs would ultimately be borne by consumers.

Author
Headshot Hogan Lovells Privacy Team Nonmember Contributor
Tags
U.S.
Privacy Law
2 Comments

If you want to comment on this post, you need to login.

  • comment William • Dec 17, 2014 
    In the article above, there is a suggestion that passwords are dead. 
<cite>That can be interpreted as a requirement for organizations to use passwords as a security control, which may seem reasonable. But a growing number of security experts claim that “passwords are dead” and do not provide adequate protections.</cite>

It is worth clarifying that passwords as the <i>only</i> security control is widely recognized as insufficient, but passwords are still a necessary component of user authentication. Industry experts recommend 2-factor authentication: something you have, such as a security token that generates a six-digit code, and something you know, such as a password. 

Passwords are far from dead. They just should not be used as the sole mechanism for user authentication.

William L. Wells, MFA, MS, CISSP, CISM, CISA, CIPT, CRISC
  • comment Mark • Dec 30, 2014 
    Hi.  I'm having some trouble locating "broader data security requirements" in at least 12 states noted in para #2 above.  I understand that some states may simply have a single paragraph requiring businesses implement and maintain reasonable safeguards to protect personal information from unauthorized disclosure or use. But in some states like Ct and In and cannot even locate that.  Could someone provide a reference for these broader data security requirements in all 12 states.

Thanks!  Mark Brady CIPM/CIPP-E, CIPP-US  631 495-8823
Related Stories
Related Stories
Tags
U.S.
Privacy Law
Recent Comments