Data Backup Digest

In light of the increasing threat of online data breaches around the world, and in order to better safeguard crucial information from hackers and identify thieves here in the United States, government officials have recently enacted security breach laws in nearly every state. Providing a strict protocol for big businesses, enterprises, information brokers and government officials regarding the usage, access and storage of personal information, these recent security breach laws offer guidance and clarity regarding laws, exemptions and specific definitions on the topic.

Participation

At the time of this writing, a total of 47 states currently abide by some sort of security breach law. This includes Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.

In addition, security breach laws are also in place in the District of Columbia, Guam, Puerto Rico and the Virgin Islands. States that do not currently have security breach laws in place include Alabama, New Mexico and South Dakota. Kentucky is the most recent state to introduce such laws, having done so in early 2014.

Security Breach Law Provisions

The provisions, guidelines and specifications of security breach laws can vary greatly from state-to-state, though most include a common framework or starting point. For example, typical security breach laws usually apply solely to businesses and entities that work with large amounts of consumer data on a daily basis, so the majority of home PC users are exempt.

Most security breach laws also provide exact definitions for the type of data covered. This almost always includes such data as social security numbers, bank account numbers and state identification numbers, but it can also be expanded to include personal names, addresses and, in some cases, phone numbers.

Common security breach laws in place today also provide guidelines regarding what exactly constitutes a security breach, which typically consists of the unauthorized access or acquisition of data on the part of a third-party hacker or identity thief.

Many states also include procedures and policies regarding the disposal of outdated information. Data that has been improperly disposed of is always at risk of being picked up by hackers of would-be identity thieves, so this provides yet another level of protection against these types of online crimes.

Some individual data breach laws also contain provisions concerning the usage, storage and unauthorized access of student information, which is commonly stored on cloud-based servers and networks. For example, Kentucky's recent law states that cloud service providers cannot process this data for "any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services” without express permission.

Finally, typical provisions seen in security breach laws of today list any possible data exemptions, such as encrypted data, as well as requirements for notifying data breach victims in a timely, concise and straightforward manner.