Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

  • The Florida and Michigan laws would amend personal data destruction rules for companies.
  • The New York law would mandate data security and encryption measures.
  • The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
  • The Michigan bill includes a state version of the Federal Trade Commission’s Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
  • The Kansas law would require state agencies to engage in periodic network security reviews.
  • The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

While we have highlighted the main points of each of the proposed laws, a more detailed analysis of the laws put forth in Michigan, Florida, and New York is set forth below. 

Michigan

The new Michigan data destruction bill would ease existing personal data disposal requirements outlined in the state’s Identity Theft Protection Act mandating that companies and agencies removing information from a database destroy only “unencrypted, unredacted personal information” and only such personal information related to state residents.

Another bill would require businesses with 50 or more employees that are “engaged in extending credit in the form of covered accounts to residents of this state” to implement and identity theft mitigation programs similar to those required under the federal Fair and Accurate Credit Reporting Act Red Flags Rule.   Companies that have complied with the federal Red Flags Rule would be exempt from the state law.

Michigan is also considering various other measures which would establish an Identity Theft Commission; make technical changes to the law; add misleading a law enforcement or court official about one’s identity to the list of violations of the law; and authorize the state attorney general to seek civil fines of up to $10,000 per incident for identity thieves.

Michigan is also considering a bill which would make businesses and agencies that adopt comprehensive data security safeguards to protect personal data in any form immune from civil liability for damages due to data breaches. The proposed law would provide breach liability immunity in an effort to encourage entities to adopt such safeguards.

Florida

Florida has introduced bills (S.B. 586 and H.B. 279) which would require companies to follow federal guidelines when disposing of personal data. The bills would require businesses and government agencies to follow the “Guidelines for Media Sanitization” set by the National Institute of Standards and Technology to make all personal data disposed of by companies and agencies inaccessible. In addition, state agencies would also be required to submit samples of allegedly sanitized storage media to an independent third party vendor to verify the destruction of the personal data. 

New York

A New York data security bill would establish a general encryption standard as a safe harbor for entities seeking to avoid giving breach notice to individuals under the state’s data breach notice law. The bill, would also require businesses and state agencies to: Implement and maintain reasonable security safeguards, appropriate to the nature of the information, to prevent unauthorized access to or unauthorized destruction, use, modification, or disclosure of the private information.

Unlike the data security regulations issued under Massachusetts breach notification law, the N.Y. bill does not authorize the promulgation of rules, but rather sets out the encryption standard in the text of the proposed law.The bill would also mandate notification of certain breaches to the state attorney general. Another New York bill would provide tax breaks for businesses that invest in data security.

Tags: breach notification, comprehensive data security plan, Data Accountability and Trust Act, data breach, data disposal, Data Security, destruction, electronic health records, Florida, Kansas, Kentucky, Michigan, New York, Pennsylvania, red flag rules
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Workplace Privacy, Data Management & Security Report blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Jason represents companies with respect to inquiries from the HHS/OCR, state attorneys general, and other agencies alleging wrongful disclosure of personal/protected information. He negotiates vendor agreements and other data privacy and security agreements, including business associate agreements. His work in the area of privacy and data security includes counseling and coaching clients through the process of investigating and responding to breaches of the personally identifiable information (PII) or protected health information (PHI) they maintain about consumers, customers, employees, patients, and others, while also assisting clients in implementing policies, practices, and procedures to prevent future data incidents.

Jason represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination, and wage and hour claims in both federal and state courts. He regularly appears before administrative agencies, including the Equal Employment Opportunity Commission (EEOC), the Office for Civil Rights (OCR), the New Jersey Division of Civil Rights, and the New Jersey Department of Labor. Jason’s practice also focuses on advising/counseling employers regarding daily workplace issues.

Jason’s litigation experience, coupled with his privacy practice, provides him with a unique view of many workplace issues and the impact privacy, data security, and social media may play in actual or threatened lawsuits.

Jason regularly provides training to both executives and employees and regularly speaks on current privacy, data security, monitoring, recording, BYOD/COPE, biometrics (BIPA), social media, TCPA, and information management issues. His views on these topics have been discussed in multiple publications, including the Washington Post, Chicago Tribune, San Francisco Chronicle (SFGATE), National Law Review, Bloomberg BNA, Inc.com, @Law Magazine, Risk and Insurance Magazine, LXBN TV, Business Insurance Magazine, and HR.BLR.com.

Jason is the co-leader of Jackson Lewis’ Hispanic Attorney resource group, a group committed to increasing the firm’s visibility among Hispanic-American and other minority attorneys, as well as mentoring the firm’s attorneys to assist in their training and development. He also previously served on the National Leadership Committee of the Hispanic National Bar Association (HNBA) and regularly volunteers his time for pro bono matters.

Prior to joining Jackson Lewis, Jason served as a judicial law clerk for the Honorable Richard J. Donohue on the Superior Court of New Jersey, Bergen County.

Read more about Jason C. Gavejian
Show more Show less
Related Posts
Multi-factor Authentication (MFA) Bypassed to Permit Data Breach
April 1, 2024
Top 10 Blog Posts for the Workplace Privacy, Data Management & Security Report for 2023
December 21, 2023
Data Protection Update: Q4 Noteworthy Dates
November 6, 2023