

New Data Privacy Laws

Posted by: | October 17th, 2008

by Doug Pollack

This week Ben Worthen of the Wall Street Journal published an article titled “New Data Privacy Laws Set for Firms” describing new laws that will affect businesses of all shapes and sizes in terms of how they protect the personal information of their customers and clients.

Laws related to data privacy enforcement have been enacted by several states thus far, including Massachusetts and Nevada, and numerous other states are considering similar laws. Mr. Worthen notes that:

“While it isn’t clear if state authorities intend to crack down on mom-and-pop businesses — the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said — the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.”

Over 40 US states have already enacted breach notification laws that speak to an organization's requirements to notify individuals who may be affected by a loss of data, that is, a data breach. These new laws are intended to speak to how companies are required to protect personal information.

While existing Red Flag laws require financial institutions to take certain measures to protect the personal information of account holders, these laws do not cover the broader base of businesses and government organizations that also maintain databases that include personal information on employees, customers, vendors and the like.

As noted by Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, “Breach notification laws deal with what happens after the horse leaves the barn.” The new regulation in his state “is intended to prevent the horse from getting out of the barn in the first place.”