Four New Privacy Laws That Can Affect Your Business
If you conduct business online, there are many privacy laws that you should be aware of, including the four recent laws described below. The first two focus on encrypting sensitive data. The second two require privacy policies to safeguard social security numbers.
Encrypting Sensitive Data
On Oct. 1, 2008, Nevada began requiring businesses to encrypt electronic transmission of sensitive data.
On Jan. 1, 2009 Massachusetts implemented an even stronger requirement.
Both laws apply to customers’ personal information, defined as a person’s name combined with identifiers such as social security number, driver’s license number, or financial account number. Massachusetts goes further than Nevada in requiring encryption not only of transmitted but also of stored data. This includes servers, laptops, and other portable devices such as PDAs, cell phones, and flash drives.
You cannot assume that you are affected only if your company is located in Nevada or Massachusetts. The Massachusetts law expressly covers businesses with personal information on any Massachusetts resident, regardless of the business’s location. The Nevada law is unclear, but can be read to include out-of-state businesses, as well.
Neither law specifies a penalty. Both states (like many others) already have laws requiring companies to “reasonably” protect customers’ information. Violators could be open to lawsuits and resulting damages for failing to adequately safeguard customers’ sensitive data.
Other states are considering similar legislation, so this could become a trend. In light of these developments, it would be prudent to evaluate your data-handling practices.
Privacy Policies and Social Security Numbers
On Oct. 1, 2008, Connecticut began requiring any individual or business possessing another’s personal information, whether in electronic or paper form, to safeguard it from misuse by third parties and to destroy it before disposal. Personal information includes, among other things, an individual’s account number, credit and debit card number, driver’s license number and social security number.
The CT law is most concerned with the protection of social security numbers. If you are an employer that collects social security numbers, you must:
- publish or publicly display the Policy
Posting the Policy on your web page is one way that the CT law allows you to meet the publication requirement. The penalty for non-compliance is $500 per violation, up to $500,000 for a single event. However, the law contains a significant “out”. Only intentional failures to safeguard data are violations.
Effective Jan. 3, 2009, New York began prohibiting employers from communicating employee personal identifying information to the general public. Personal identifying information covers a home address or telephone number, e-mail address, Internet identification name or password, parent’s pre-marital surname, driver’s license number, and social security number. Employers must not publicly post or display an employee’s social security number, print it on a badge or time-card, or place it in a file to which there is unrestricted access.
Knowingly violating the law carries a penalty of up to $500. However, a violation will be considered knowing if your company has not implemented privacy policies to safeguard personal information and instructed your employees accordingly. Thus you can be liable even if the information was stolen or inadvertently released.
Businesses are encouraged to review both their internal and external use of personal identifying information, implement privacy policies, and resolve any doubt in favor of greater protection.
Notice: The above is not intended as legal advice. Consult an attorney for guidance on your particular circumstances.