The Day the Legislation Got Its Teeth

by J. Kirk
Sr. Product Solutions Manager

For companies responsible for data loss, a spate of punishments is coming down the pike. But as Dan Raywood notes in his article this week, “Proposals to unveil harsher punishments for data loss will lessen the problem but not be a silver bullet.”

He may be right. But is that a temporary or permanent condition?

Let’s take a look at some legislation already out there (or, at least, soon to be out there).

On July 1, 2003, the breach-notification law known as California Senate Bill 1386 took effect, and to this day it applies to any business or agency that holds personal information about California residents. It requires that if unencrypted personal information is breached—whether it is lost in transit or in storage (e.g., stolen laptops, misplaced thumb drives, etc.)—the organization responsible must notify every affected resident without unreasonable delay.

This certainly bruises the company’s reputation, but it’s not really a punishment. To be sure, it’s a bad thing for the company, but it’s an intangibly bad thing, and it teaches the company about as much as a five-minute detention teaches a misbehaving child.

Whenever you get a letter from a company apologizing for losing your data and offering you a free credit report, you experience the consequences of toothless, unintimidating legislation like this.

But things are changing. On October 1, 2008, a Nevada statute, NRS 597.970, went into effect. It states:

A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

While NRS 597.970 sets no penalties of its own, its specificity gives any plaintiff a clear standard of care to point to: a business that sends customer data in the clear has, by definition, failed to meet it. That exposes a non-compliant company to civil liability with no statutory ceiling.

Finally, in Massachusetts, a regulation known as 201 CMR 17.00 takes effect on March 1, 2010 (the original January 1, 2010 deadline was pushed back).

Under this regulation, a business that holds personal information about Massachusetts residents—a name combined with a social security number, driver’s license or state ID number, or financial account or credit card number—must have a written information security program and specific technical safeguards in place. If a non-compliant business suffers a breach, the Attorney General of Massachusetts can seek a civil penalty of up to $5,000 per violation, plus the costs of investigation and litigation, including reasonable attorneys’ fees. And that is to say nothing of the private lawsuits that follow a breach, or of what punitive damages the courts may order.

Now that regulation’s got teeth.

So Dan Raywood is right: harsher punishments will not be a silver bullet in the short term. But in the long term, you can count on this: once a few firms are impacted—and in the matter of data breaches, any company that ignores the law will be impacted—society will recognize just how devastating this legislation can be. On that day, the bullet of harsher punishments will take on a decidedly more silver sheen.
