nuBridges
EASY COMPLIANCE WITH STATE DATA SECURITY BREACH LAWS

Data security breach notification laws have been enacted by 45 U.S. states, the District of Columbia, Puerto Rico and the Virgin Islands to protect the Personally Identifiable Information (PII) of their residents.

In general, any person or agency that handles PII of residents in the states that have enacted these laws faces strict notification requirements if that data becomes compromised. For example, if your business operates in Kansas and does business with the citizens of California, any California resident PII you have is subject to California’s law; PII for Minnesota residents is subject to Minnesota’s law; and so on.

Notification is a disruptive and costly exercise that can also damage trust in your brand, and a growing number of states are adding fines on top of the notification requirements.

However, many of the regulations also offer a "safe harbor": if the breached data is encrypted and the encryption key has not been compromised, no notice is required. The best practice to protect your brand and avoid costly notification requirements is to encrypt PII, so that a breach becomes a non-event.

nuBridges Protect™ is the software solution that can quickly and easily cross this security concern off your list. It’s an integrated encryption, tokenization, key management and audit logging solution that is already proven in business-critical production environments – for example, it encrypts billions of credit card numbers every day around the world.

Contact us to discuss how nuBridges can help you take advantage of “safe harbors” and minimize the risk of a breach.

Introductory Information about State Data Security Breach Laws

Typically, the laws define "personal information" as an individual's first name or first initial and last name in combination with any one or more of the following data elements:

  1. Social Security number;

  2. driver's license number or state identification card number;

  3. account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or

  4. (in some states) medical information.

Notification of a breach is generally required when (a) the data element was not secured by encryption or another technical method that renders electronic data unreadable or unusable, or (b) it was secured but the encryption key, password, or other means necessary for reading or using the data was also acquired.

Note also that many of these laws specify that even if a third party maintains customer data on your behalf, you remain liable if that data is breached.

A useful source of information about specific state data breach notification laws: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

Sharing Data. With Confidence. © 2010 nuBridges, Inc.