You might not know it, but many states have data security laws on their books that require you to protect your customers’ personal data.
Types of State-Level Data Regulations
There are four main types of state-level data security and privacy laws.
- Data security – focused on protecting sensitive personal data, and the main type of security law we are focused on here
- Data privacy – focused on all types of personal data; dictates how businesses can collect and use personal data; requires businesses to notify people of their personal data collection practices and policies; gives people the right to ask businesses for a copy of their personal data and to correct or delete their data if they prefer; only a few states such as California have data privacy laws
- Security breach notification – requires you to notify people affected by a breach as well as the state if the breach involves enough records
- Data disposal – covers what you need to do when disposing of IT hardware or if you’re moving or going out of business and need to safely dispose of customer records
These state laws are separate from federal and private-sector laws and regulations such as HIPAA and PCI DSS.
Another set of laws to keep in mind (since many of these other laws have to do with websites and apps) are accessibility laws. These laws require you to make your website accessible to people who have difficulty seeing. Ensuring everyone has access to your site regardless of any disability is the right thing to do, but we also mention them since there are law firms that go around suing businesses for failing to follow these accessibility laws. You don’t want to have to deal with that hassle.
What’s a State-Level Data Security Law?
We don’t have time to go into all the different state data security laws here, and anyway there are sites that already do a great job of listing and linking to all of them. We just want to talk about what is generally required and show you some examples, so you understand in general what these laws are, how to comply with them, and what might happen if you fail to follow them.
For each state where you have personal data, you should be able to Google “[state] data security law” to get more specific requirements.
Examples: California, Texas, New Mexico
Most state data security requirements are pretty vague and broad and similar to this example from California Civil Code 1798.81.5 section 2b:
A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Section 2d defines “personal information” as follows:
- An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
  - Social security number.
  - Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  - Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  - Medical information.
  - Health insurance information.
  - Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
  - Genetic data.
- A username or email address in combination with a password or security question and answer that would permit access to an online account.
A few things to note here. First, the “persons” of the “personal data” in question aren’t just active customers but can be anyone, including employees, vendors, partners, and potential and former customers.
Second, this definition doesn’t cover all personal data (browsing history, for example, is addressed under California’s data privacy laws) and, except for account credentials, only applies to data that combines a first name and last name with other sensitive data such as social security and driver’s license numbers. So this law doesn’t apply to you if you’re only storing basic personal info like names, addresses, emails, and phone numbers, or if you’re a researcher who deals with sensitive but anonymized medical data.
For comparison, under Texas code 521, “A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.”
It defines “sensitive personal information” as:
- an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
  - social security number;
  - driver’s license number or government-issued identification number; or
  - account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
- information that identifies an individual and relates to:
  - the physical or mental health or condition of the individual;
  - the provision of health care to the individual; or
  - payment for the provision of health care to the individual.
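The California and Texas definitions above can be encoded as a data-inventory check that flags which stored records are in scope, including the difference in their encryption clauses (California: name or element unencrypted; Texas: name and item unencrypted). This is an added example, not code from the article or from XO; the field names, the Record shape, and using the presence of a name as the “identifies an individual” test for the Texas health clause are assumptions.

```python
from dataclasses import dataclass, field

# Data elements that make a record covered when paired with a name.
# Field names are assumptions for this example, not statutory terms.
CA_ELEMENTS = {"ssn", "drivers_license", "gov_id_number", "financial_account",
               "medical", "health_insurance", "biometric", "genetic"}
TX_ELEMENTS = {"ssn", "drivers_license", "gov_id_number", "financial_account"}
TX_HEALTH = {"medical", "health_insurance"}  # Texas: no encryption carve-out

@dataclass
class Record:
    fields: set                                  # field names the record holds
    protected: set = field(default_factory=set)  # fields stored encrypted/redacted

    def exposed(self, name):
        return name in self.fields and name not in self.protected

    def name_exposed(self):
        return self.exposed("first_name") or self.exposed("last_name")

def has_name(r):
    return {"first_name", "last_name"} <= r.fields  # first initial also counts

def elements(r, catalogue):
    found = set(catalogue & r.fields)
    # Account/card number only counts with the code or password permitting access.
    if "financial_account" in found and "access_code" not in r.fields:
        found.discard("financial_account")
    return found

def covered_california(r):
    # Online account credentials are covered on their own, no name needed.
    if "username" in r.fields and r.fields & {"password", "security_answer"}:
        return True
    if not has_name(r):
        return False
    # Covered when EITHER the name or the data element is unencrypted.
    return any(r.name_exposed() or r.exposed(e) for e in elements(r, CA_ELEMENTS))

def covered_texas(r):
    if not has_name(r):
        return False
    # Identifying health information is covered regardless of encryption.
    if TX_HEALTH & r.fields:
        return True
    # Covered only when BOTH the name and the item are unencrypted.
    return any(r.name_exposed() and r.exposed(e) for e in elements(r, TX_ELEMENTS))
```

Running this over a field inventory of each database table is a quick way to find which systems the “reasonable security” requirement attaches to before deciding on controls.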
New Mexico 57-12C
New Mexico 57-12C-4 is almost exactly the same as California’s law and shares a similar definition of covered data: “A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.”
What Do I Need to Do Exactly?
If these laws apply to you, you are required to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information”. What does this mean exactly?
If you’re expecting a clear answer like “installing antivirus and firewalls” you’re going to be disappointed because there is no such answer. These laws leave it up to you, your customers, and the courts (if it ends up there) to decide what “reasonable security procedures and practices” mean.
It’s similar in that way to the “reasonable doubt” standard we’re all familiar with from courtroom TV shows and movies and high-profile trials, or from jury duty. It requires thinking about what the average person would consider reasonable and whether that reasonableness can be proved in court. This gets tricky since people’s knowledge and definition of reasonable cybersecurity varies so widely from person to person.
Reasonable vs Unreasonable
Some things I think the average person would agree fall short of taking reasonable measures to protect personal information include:
- Storing sensitive data like customer credit card info and social security numbers on a personal, non-company device
- Putting a post-it note with your username and password on your computer, so anyone walking by can see it
- Sending a file with sensitive personal information to someone without confirming their identity or ensuring they’re trustworthy – perhaps someone posing as your accountant or IT admin in a phishing email
- Having no formal security policies at your company at all
- Using and allowing others to use passwords like “12345” and “password”
- Reusing or not changing username and passwords that were already publicly exposed in another data breach
Beyond no-brainer best practices like these (and even these might not hold up to scrutiny in court), it gets more complicated when you consider things that we at XO and other IT security professionals would consider baseline security best practices. This includes installing antivirus, maintaining a network-level firewall, and ensuring all your applications and OSes are updated and “patched” on an ongoing and timely basis. Would the average person consider these security measures reasonable?
Alternatively, they might consider it reasonable for a businessperson to say to themselves, “I don’t know anything about cybersecurity but I know I’m required to protect personal data. I better bring in a pro to help me out.” Not knowing about cybersecurity themselves may not be justification enough to avoid reaching out for help with securing this data appropriately.
What Happens If I Don’t?
Penalties include private lawsuits and state injunctions.
From California 1798.84:
- (b) Any customer injured by a violation of this title may institute a civil action to recover damages.
- (e) Any business that violates, proposes to violate, or has violated this title may be enjoined.
From Texas code 521:
- A person who violates this chapter is liable to this state for a civil penalty of at least $2,000 but not more than $50,000 for each violation. The attorney general may bring an action to recover the civil penalty imposed under this subsection.
- If it appears to the attorney general that a person is engaging in, has engaged in, or is about to engage in conduct that violates this chapter, the attorney general may bring an action in the name of the state against the person to restrain the violation by a temporary restraining order or by a permanent or temporary injunction.
- In an action under this section, the court may grant any other equitable relief that the court considers appropriate to:
  - prevent any additional harm to a victim of identity theft or a further violation of this chapter; or
  - satisfy any judgment entered against the defendant, including issuing an order to appoint a receiver, sequester assets, correct a public or private record, or prevent the dissipation of a victim’s assets.
From New Mexico 57-12C-11:
- When the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred, the attorney general may bring an action on the behalf of individuals and in the name of the state alleging a violation of that act.
- In any action filed by the attorney general pursuant to the Data Breach Notification Act, the court may:
  - issue an injunction; and
  - award damages for actual costs or losses, including consequential financial losses.
- If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of twenty-five thousand dollars ($25,000) or, in the case of failed notification, ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000).
A New Approach: Affirmative Data Security Laws
Perhaps in response to the lack of clarity of previous, binding state data security laws, some states are going a different route – offering immunity from civil data security lawsuits to businesses that follow specific requirements. This is a pretty smart approach – it encourages increased cybersecurity, and because it’s voluntary the government avoids dealing with complaints and legal challenges that it’s imposing undue requirements and costs on businesses.
Ohio was the first to introduce one of these laws in 2018.
Ohio code 1354 requires businesses that want protection from data security lawsuits to:
Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework
Section 1354.03 gives a list of industry recognized cybersecurity frameworks that apply, including:
- NIST 800-171
- NIST 800-53 and 53a
- ISO 27000
- PCI DSS
Other states including at least Utah and Connecticut have passed similar laws.
Even if the requirement to implement and maintain “reasonable” data security measures is somewhat vague, you should still take it seriously. For one thing, you can get sued or get shut down by the government. Other good reasons to protect your data include:
- It’s the right thing to do, as others have trusted you with their data
- Security breaches can damage your reputation and cost you deals, customers, and partners
- Security breaches are extremely costly and time-consuming in terms of lost productivity and remediation
- It’s easier and less expensive to secure your data than you might think
We’ve covered our data security recommendations in other blog posts, but generally a reasonably effective cybersecurity system should at least have:
- Network-level, next-gen firewall with stateful packet filtering
- Patch management
- Identity and account management
- Multi-factor authentication
- Strong password policy
- Physical security including locked network racks
Reach out if you have any questions or need help complying with your state data security laws.
The preceding article is not meant to be formal legal advice. Please consult your lawyer if you have any questions. If you don’t have a lawyer that specializes in data security law, reach out and we’ll connect you to one. Thanks.