More states adding data breach notification laws

More states adding data breach notification laws

A new Missouri law went into effect on August 28 that affects all retailers who might store customer credit card information. With this law, Missouri becomes the 45th state to implement a data breach notification law, which requires merchants to inform customers when their data is illegally accessed, leading to a potential identity theft situation.

According to a quote in an article posted at StorefrontBacktalk.com, the new Missouri law "is similar to most other state laws dealing with data breach notifications, but it includes medical and health information, data the states usually don't mention because it is protected by the federal Health Insurance Portability and Accountability Act (HIPAA)."

With this new law, businesses who "own or license personal information" from residents of Missouri -- or those who do business in Missouri -- are required to inform said customers in the event of a data breach. Unlike other state laws (those in Illinois, for instance), which require immediate notification of any data breach, the new Missouri law only requires notification in the event that law enforcement has deemed identity theft as a likely outcome of the data breach.

This law, for those businesses not already taking stringent data-protection measures, will mean a new way of doing business. Part of this is due to the fact that being shown delinquent in notifying customers could lead to fines up to $150,000 per instance.

For other businesses, however, the new Missouri law will mean continuing business as usual, as many conscientious businesses are already taking strict care of their customer data. What does this involve? According to the new law, the customer's last name and full first name or first initial, in combination with the Social Security number, driver's license number or any other identifying number (such as credit cards, bank account number, routing codes) and passwords or access codes, must be protected, and if this data is breached, notification must be made in the event that identity theft is deemed a possibility.

Protecting this data has long been a concern of credit card companies, which have combined resources to form the PCI Security Standards Council, which is itself concerned with making sure merchants of all stripes are responsible for meeting certain data protection standards.

Those standards currently cover six large principles, and a total of 12 requirements to meet those principles, which the Council feels make a good security plan.

1. Build and maintain a secure network: First, a properly secure network will be firewalled, and any passwords included by the network security vendor will be changed.
2. Protect cardholder data: Any stored customer data must be protected, along with encrypting said data when it is transmitted across public networks.
3. Maintain a vulnerability management program: Anti-virus software must be used and kept up-to-date, as well developing secure systems and applications.
4. Implement strong access-control measures: Not all customer data is available to everyone in the business; instead, access is on a need-to-know basis. Also, everyone with access to sensitive data must be identified with a unique ID, and physical access to data must be controlled.
5. Regularly monitor and test networks: Networks must be properly tested for security and access, and cardholder data access must be monitored as well.
6. Maintain an information-security policy: A policy that addresses information security must be maintained.

Following the above measures not only helps ensure compatibility with the Security Council's goals, but makes your business a better citizen in protecting your customers' data.

Article by Eric Fleming

Published: September 11,2023