BBL’s New Offices and SF Data Security Recap

Published on 23 September 2009 by andrew in Blog, News


Sorry for the hiatus, but I’ve moved to new offices in Old City, Philadelphia. Baer Business Law is now located at 325 Chestnut Street, Suite 403, in the heart of the vibrant restaurant and historical district (three blocks from Independence Hall, and need I even mention Buddakan, Paradigm, Cuba Libre, the Continental, City Tavern, etc., etc.?) You can look forward to a whole slew of new happy hour recommendations in Old City and the Northern Liberties coming soon on this blog.

Our new offices in Old City

In other news, I just got back from San Francisco, where I spoke at a Tech Target conference about recent developments in data security law. Among the highlights were tidbits already discussed on this blog, such as the new Nevada statute (Senate Bill 227) requiring encryption and PCI DSS compliance and Massachusetts’ recent move to make 201 CMR 17.00 more risk-based and technology neutral. Also on the agenda was California Senate Bill 20, which sets forth content requirements for data breach notices and is currently awaiting the Governator’s signature. Finally, I gave an overview of the two pieces of federal data security legislation (H.R. 2221 and S. 1490) currently dawdling in Congress while our esteemed representatives work on a little matter called health care.

My biggest challenge in putting the presentation together was to connect all of these dots into some type of coherent pattern. At the beginning of the summer, it looked like we were moving to a much more “prescriptive,” technology-specific, top-down style of data security regulation in the former Massachusetts mold (rigorous computer system security and personnel access control requirements for all businesses owning or licensing personal information, 128-bit encryption, etc.). Then Massachusetts did an about-face, and other states failed to follow the Nevada and Massachusetts model of requiring encryption for personal information transmitted over open networks or stored on portable devices.

The two federal data security bills would set a national data breach standard and national standards for implementing data security safeguards, but are largely technology-neutral (Congressman Bobby Rush’s H.R. 2221 even goes so far as to prohibit the FTC from setting specific technological requirements!). At the end of the day, I told my largely California-based audience that their state data security statute (the original data breach notice legislation combined with a requirement to use reasonable data security safeguards appropriate to the nature of the data) would likely be the paradigm for national and other state data security legislation. California is the trend-setter for insanity in many areas of the law, but its regime seems relatively sane when compared, for example, with the earlier, anal-retentive version of Massachusetts’ 201 CMR 17.00.

While the breeze in San Francisco Bay was lovely, it’s good to be back in the City of Brotherly Love, and in new digs, too. More to come.