October 2009 Developments - 20

Hot Topic

Into New Waters: Technology Traps

Dan Bachrach and Andrew Serwin

Data security is something every company must grapple with, and for those that have avoided the issue to date, the landscape is just about to become much more complex and onerous. The time to begin complying is now.

Data security, perhaps more than any other issue, could place your company on a regulator’s radar screen, as well as a plaintiff’s class action lawyer.

Federal Level

The Federal Trade Commission (FTC) has attempted to mandate data security through its “unfairness authority,” as well as under certain rules promulgated under the Fair and Accurate Credit Transaction (FACT) Act.

More than 30 states have data security or data destruction laws—certain states have pushed the envelope further than others.

The FTC stands as the main privacy watchdog at the federal level, and an enforcement action against DSW (a discount shoe retailer) underscores this point. In one of the first high profile data security incidents, DSW was alleged to have failed to have adequate data security, related to its collection of customer’s credit card information, and a general lack of security on its network. While DSW had not made a promise to customers regarding data security, the FTC still brought an enforcement action against them, alleging that the lack of data security in and of itself was an unfair practice under the FACT Act.

At the federal level, the FTC also has promulgated document destruction rules under the FACT Act, which require businesses to implement data destruction programs for certain forms of information—information typically derived from “consumer reports.” This usually becomes an issue for businesses in the employee context, particularly if background checks are done on prospective employees.

State Level: Critical Points

The federal restrictions are just the beginning, as a number of states have enacted similar laws which we expect to multiply.1 For instance, Massachusetts enacted a data security law that applies broadly and has extensive requirements in it, but the compliance date has been pushed off several times.

Another notable example is Nevada. Nevada had a data security law on the books already, but it was recently amended (effective January 1, 2010) and has drawn a significant amount of attention. The amendments to Nevada law require data collectors,2 who accept a payment card3 in connection with the sales of goods or services, to comply with certain standards or to use encryption to protect information that is transmitted electronically or that is moved beyond the control of the data collector.4

The Nevada law relies heavily on industry standards, and the amendments require data collectors that accept a payment card in connection with the sale of goods or services to also comply with the Payment Card Industry (“PCI”) Data Security Standard, as adopted by the PCI Security Standards Council—no later than the date for compliance set forth in the PCI Data Security Standard or the date adopted by the PCI Security Standards Council.5

PCI-covered entities are just the beginning of the Nevada law. Now, a data collector who is not covered by PCI may not transfer personal information through an electronic non-voice transmission, other than by facsimile6, to a person outside of the data collector’s secure system, unless the data collector uses encryption to ensure the security of the electronic transmission.7 Data collectors may also not move any data storage devices8 beyond the logical or physical controls of the data collector or its data storage contractor, unless the data collector uses encryption to ensure the security of the information.9

One question that has arisen is whether companies that are compliant with PCI must also encrypt non-PCI covered data. While the law appears to lend support to the thought that PCI-covered entities may not need to encrypt data other than that covered under PCI (information related to credit and other payment cards), this does not appear to be the intent of the law. PCI-covered entities should examine their compliance burdens for other forms of data as well.

Another ambiguity that exists is whether information regarding Nevada residents must be encrypted once it is transferred outside the state. If the law applies to data once it is outside of Nevada,
