More states adding data breach notification laws
A new Missouri law went into effect on August 28 that affects all retailers who might store customer credit card information. With this law, Missouri becomes the 45th state to implement a data breach notification law, which requires merchants to inform customers when their data is illegally accessed, leading to a potential identity theft situation.
According to a quote in an article posted at StorefrontBacktalk.com, the new Missouri law "is similar to most other state laws dealing with data breach notifications, but it includes medical and health information, data the states usually don't mention because it is protected by the federal Health Insurance Portability and Accountability Act (HIPAA)."
With this new law, businesses that "own or license personal information" from residents of Missouri -- or those that do business in Missouri -- are required to inform said customers in the event of a data breach. Unlike other state laws (those in Illinois, for instance), which require immediate notification of any data breach, the new Missouri law only requires notification in the event that law enforcement has deemed identity theft a likely outcome of the data breach.
This law, for those businesses not already taking stringent data-protection measures, will mean a new way of doing business, in part because being shown delinquent in notifying customers could lead to fines up to $150,000 per instance.
For other businesses, however, the new Missouri law will mean continuing business as usual, as many conscientious businesses are already taking strict care of their customer data. What does this involve? According to the new law, the customer's last name and full first name or first initial, in combination with the Social Security number, driver's license number or any other identifying number (such as credit cards, bank account number, routing codes) and passwords or access codes, must be protected, and if this data is breached, notification must be made in the event that identity theft is deemed a possibility.
Protecting this data has long been a concern of credit card companies, which have combined resources to form the PCI Security Standards Council, a body concerned with making sure merchants of all stripes are responsible for meeting certain data protection standards.
Those standards currently cover six large principles, and a total of 12 requirements to meet those principles, which the Council feels make a good security plan.
Following the above measures not only helps ensure compatibility with the Security Council's goals, but makes your business a better citizen in protecting your customers' data.
Article by Eric Fleming
Published: September 11, 2020