States bear down on security breaches

Nevada is at the forefront of states that are passing laws requiring businesses – even small businesses – to encrypt customer data, The Wall Street Journal reports.

The Journal tells the story of Alicia Granstedt, a Las Vegas hair stylist, who used to accept credit card numbers over email but has now started encrypting email communications.

It is a hassle, "but I can't afford to be responsible for someone having their identity stolen," she said.

But Nevada is just the first of several states adopting such laws.

Starting in January, Massachusetts will require businesses that collect information about that state's residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.

Nevada's new law imposes a $1,000 fine per breach per customer. More importantly, these laws establish a standard that plaintiffs in civil suits can use to argue that a business that lost data was negligent.

"Breach-notification laws deal with what happens after the horse leaves the barn," said Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation. The new regulation in his state "is intended to prevent the horse from getting out of the barn in the first place."

Talkback

5 comments
  • This makes me sick

    State and local governments, including the state of Nevada, routinely post all sorts of personal information on the internet in the clear, and without encryption. I just went browsing through the Nevada court system case files, and there is lots of nice stuff there, and none of what I saw on any state web page was even on an https server. At least businesses have a good reason to have your information and I have never heard of a case of purposeful business disclosure of customer information to the general public.

    But, your local and state governments put your information out on the web every day, in the clear and there have been countless news accounts of bad guys getting this information and doing bad things with it.

    It is a nice idea to force businesses to adopt a business practice to protect the consumer, even if the attempt is based on the false notion that a state government has the right to tell anyone to encrypt their data transmissions.

    I would submit that before Nevada or any government entity head down the business encryption path, that they ensure that they have locked down and protected the data they have on their own citizens.

    I would also submit that transmission of data over the communications infrastructure is not a state matter, but a Federal one. I would expect any state law that mandated data encryption to be overturned.
    M.M.Grimes
    • Ha! Good one!

      "I would submit that before Nevada or any government entity head down the business encryption path, that they ensure that they have locked down and protected the data they have on their own citizens."

      Silly Rabbit! Trix (laws) are for kids (everyone except the lawmakers).
      MGP2
  • RE: States bear down on security breaches

    I work for a major distributor of cash registers and equipment. Credit card data security is getting to be a major issue for anyone that accepts credit card payments.

    Data security has become a hot topic in many states; the credit industry has taken very proactive action on this. Refer to the link below for detailed information on PABP.
    http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html
    dasdaniel2
  • RE: States bear down on security breaches

    I do agree with WGrimes. Before a state/province/country can force these rules on everyone else, why don't they first clean up their own act?

    Encryption is one thing. What about security to block users from burning data onto CDs and DVDs or dumping data onto MP3 players or USB keys? It's one thing to try and enforce encryption but you need to add software to the system to allow only encrypted devices and only those approved by the company/organization.

    Getting that type of software [allow/disallow devices] in Windows is easy. Haven't seen anything on a Mac. Major security hole as many places do have Macs. Anything for Linux?
    Gis Bun
  • Define business

    If a state accepts money for services rendered is it not a business? If a state accepts money for goods provided is it not a business? If it is a business is it not required to follow the laws regulating businesses? If it is/does not then it should be treated as a business that is not/does not and be held accountable under its own laws. Yes, you have to get permission to sue a government agency and some government agencies are very adept at avoiding such actions. Maybe it is time for a change. I think so.
    Merlin the Wiz