New State Laws Target Data Encryption, RFID Tracking
The states have been busy of late enacting laws that address a broad spectrum of security protections, from outlawing radio frequency identification (RFID) tag tracking to requiring organizations to encrypt sensitive data whether it is stored on a computer or sent over the Internet.
California Gov. Arnold Schwarzenegger this week approved a bill that would make it illegal to secretly scan the data encoded on unsecured RFID chips for the purposes of tracking, identity theft or counterfeiting the devices. RFID tags are tiny chips that are now commonly embedded into many retail products, student IDs, drivers' licenses, passports and medical ID cards. Most RFID tags are "passive," in that they have no internal power supply and are designed to be read from a few inches away, but researchers have shown that even passive tags can be read from more than 30 feet with special equipment.
However, for the second year running, the governor killed a hugely popular bill that would have limited the amount of time retailers and collectors of personal information could hold onto the data. California Assembly bill 1656 also would have required businesses that experience a data breach to give more details to those affected about the information that had been lost or stolen.
Schwarzenegger vetoed last year's version of the measure, which would have forced retailers to foot more of the bill in cleaning up after customer data spills. He said it would have saddled businesses with burdensome costs and attempted "to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."
Norma Garcia, a senior attorney with Consumers Union, said she was disappointed that the governor killed the bill again this year, as it had been stripped of the reimbursement requirements to win passage.
"The particular provisions upon which the veto was based were dealt with in this version, and from the consumer perspective, this was a bill that was very reasonable and enjoyed wide support in both houses" of the California legislature, Garcia said.
Over in Nevada, a new law took effect Oct. 1 that requires businesses to encrypt all customer personal information sent "outside of the secure system of the business." The requirement excludes data sent by fax. The law defines personal information as first name or first initial plus last name in combination with either a Social Security number, driver's license, ID card, credit/debit card or account number, along with any security code or password that would permit access to a person's financial accounts.
In Massachusetts, state regulators issued rules that require entities that store personal information on residents to encrypt that data on laptops and other portable devices. The requirements take effect on Jan. 1, 2009.
State-level technological mandates don't carry the weight and breadth of federal laws, but they often force companies to implement the requirements businesswide, due largely to the costs that would be associated with maintaining separate business practices dictated by the customer's state of residence. Novel state laws that push the legal envelope also have a way of catching on in other states. Nowhere has this been more evident than with California's landmark 2003 data breach disclosure law, variations of which have since been adopted in more than 40 states.
October 3, 2008; 12:36 PM ET