State Requiring Reasonable – and Documented – Data Security

Privacy Plus+

Privacy, Technology and Perspective

State Requiring Reasonable – and Documented – Data Security. In the United States, implementing and maintaining “reasonable” data security measures and avoiding deceptive privacy and data security claims are the touchstones of data privacy.

While the Federal Trade Commission (FTC) has taken the lead in enforcing numerous cases against both B2C (business-to-consumer) and B2B (business-to-business) companies based on inadequate information security and/or inaccurate privacy and data security claims in violation of the FTC Act, states are also enforcing their own data security laws requiring reasonable security measures. The following link references some of those laws:

https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx

The NY SHIELD Act also requires entities handling New York residents’ private information to “develop, implement and maintain reasonable safeguards” to protect the security of private information.  The Act gives examples of “reasonable safeguards,” and you can read more about that by clicking on the following link to our previous post:

https://www.hoschmorris.com/privacy-plus-news/ny-shield-act

Other state breach notification laws are similarly evolving to require “reasonable security measures,” like the Alabama Data Breach Notification Act of 2018.  A link to Alabama’s law follows: 

https://law.justia.com/codes/alabama/2019/title-8/chapter-38/section-8-38-3/

Massachusetts’s Data Security Regulation (201 Code Mass. Regs. 17.01–17.05) expressly requires that “every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program that is written…” A link to that regulation follows:

https://www.mass.gov/doc/standards-for-the-protection-of-personal-information-of-ma-residents-201-cmr-1700/download

Implementing and maintaining a Written Information Security Program or WISP—the document by which an organization describes the administrative, technical, and physical safeguards it uses to protect the privacy and security of the data it processes and stores—is critical for establishing reasonable safeguards. Even the Texas Attorney General has made that clear, stating: “Texas law requires businesses to implement and maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure… I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’ information.” A link to the Texas AG’s statement follows:

https://www.texasattorneygeneral.gov/news/releases/ag-paxton-announces-15-million-settlement-neiman-marcus-over-data-breach

The following link references a model WISP that may be helpful to your organization as it assesses (and documents) its privacy and security posture:

https://iapp.org/media/pdf/resource_center/Krasnow_model_WISP.pdf

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
