New State Privacy Laws Clamp Down on Data
May 4, 2010 Alex Woodie
Companies that do business in the states of Nevada, Massachusetts, and Washington are among the first to come under the jurisdiction of new data security laws that require the use of encryption. Backup data that leaves the data center for the purpose of disaster recovery is a big concern for these companies, and SafeData, which provides options for on-site and cloud-based backup, says it can provide the necessary level of encryption for System i shops.
Washington is the latest state to enact a data security and payment card law covering companies that do business with citizens in the state. The law, which was signed in early April and goes into effect July 1, requires companies that originate or process debit or credit card transactions to take “reasonable steps” to prevent a data breach. Experts say this requires the use of encryption technology.
The Massachusetts Privacy Law, which went into effect January 1, 2010, is expected to become a model law followed by other states. This law, which was enacted because of the continued high rate of identity theft caused by corporate data breaches, requires companies to use encryption when personally identifiable information (PII) is taken outside of a company’s internal systems.
One state has gone further than any other: Nevada. The Silver State has taken a leadership position on data security with two laws. The first, called the Nevada Electronic Transmission Encryption Law, went into effect October 1, 2008, and requires the use of encryption for all PII that is transmitted electronically (except for fax). A second Nevada law, which went into effect January 1, 2010, requires all companies in Nevada to comply with the provisions of the Payment Card Industry (PCI) Data Security Standard (DSS) when it comes to card transactions.
However, Nevada’s second law goes further than PCI DSS and requires the use of encryption technology that is compliant with the National Institute of Standards and Technology (NIST). The PCI standards council is strongly leaning toward requiring NIST-certified encryption software as part of its PCI DSS standard, security experts say.
SafeData welcomes the new laws, and is ready to help customers comply with them. The vendor, which provides disaster recovery (DR) and high availability (HA) hosting and services for organizations that use the System i server, recently announced that it provides the necessary level of encryption to comply with the new state laws.
“These laws are essential steps to ensuring the protection of personally identifiable information and I believe more states will pass similar laws in months to come,” states SafeData president Peter Briggs in a press release. “Our SafeData/DR solution ensures that our clients’ data is double encrypted and in compliance with these laws. Our clients can sleep well at night knowing that their data is not at risk of being lost or stolen and maliciously used.”
SafeData stores backup data from all customers, including System i shops, on its Windows-based SAN infrastructure. The encryption utilized on the SAN is NIST certified, a company spokesperson confirmed.