The web of data security regulations applicable to businesses that collect, store and/or transmit personal information is getting thicker by the day. Nevada and Massachusetts recently enacted new laws requiring certain personal information used by businesses to be encrypted. The Nevada law, NRS §590.970, became effective on October 1, 2008 and essentially requires businesses with operations or customers in Nevada to use encryption to transmit personal information outside of their firewalls. The Massachusetts regulation, 201 CMR §17.00, which will go into effect on January 1, 2010, requires every person that owns, licenses, stores or maintains personal information about a Massachusetts resident (who may be a customer, employee or anyone else) to develop and implement a comprehensive written information security program, which must include the encryption of personal information transmitted wirelessly or over public networks as well as information stored on laptops or other portable devices. Please check out www.revenews.com for an upcoming article by me examining these aggressive new data security requirements in depth.
As if the Nevada and Massachusetts laws weren’t fun enough, on August 1 the FTC will start enforcing the new Red Flags Rule, which requires “financial institutions” and “creditors” (as defined in the Rule) to develop and implement programs that identify and detect the warning signs (or “red flags”) of identity theft and provide for appropriate responses to prevent and mitigate identity theft. The Red Flags Rule applies to a wide range of businesses and organizations beyond banks and others under the supervision of a federal regulatory agency (who were required by their respective regulators to comply as of November 1, 2008), including any business that regularly defers payment for goods or services or provides goods or services to be billed later. Utility companies, mobile telecommunications providers and even ambulance services may have to comply. Accordingly, businesses that offer accounts, or are in any way involved in providing or servicing accounts, that may involve credit (even short-term payment deferral) and exposure to the personal information of consumers or individuals should determine whether they are subject to the Red Flags Rule. More information about the Red Flags Rule can be found on the FTC’s website.
On a happier note, it’s Friday…