“For most businesses doing business in multiple states, you have to look at the strictest breach law out there because that is where your compliance obligations are going to lie”, Smedinghoff told the panel. He later told Infosecurity that he considered Massachusetts to be the strictest data breach notificaiton law.
Bob Thibadeau with Wave Systems advised firms to do “150%” in terms of data breach notification requirements. “Then you are taking responsibility and you can make the arguments for what you have accomplished.”
Eric Hubbard with Hitachi Data Systems recommended that companies adopt industry standards, as well as employ encryption and key management, in order to ensure compliance with data breach laws. “There is a lot of things happening in the data and media standardization space that should be paid attention to”, he said.
Lucy Thomson, with CSC and chair-elect of the American Bar Association’s Section of Science and Technology Law, explained that state data breach laws cover the loss of sensitive personal information that could be used for identity theft or fraud.
Some states require firms to notify about any breach of security, while other states require notification of breach only when there is a reasonable likelihood of harm. Most states require firms to notify persons whose information was compromised. In addition, some states require firms to notify state enforcement agencies and credit agencies, she explained.
Thomson presented a series of steps firms should take to ensure adequate data security to comply with legal requirements: develop a comprehensive information security plan specifically designed to prevent data breaches; conduct a risk assessment – carefully document how the security controls selected and implemented address all risks in the risk assessment; and develop a strategy for implementing and managing encryption consistent with legal requirements and match the encryption solution to the risk.