. (NYSE: IMN), a global scalable storage and data security company, today released results of research into state data breach notification laws and associated penalties. The analysis shows that current state data breach notification laws are strikingly similar but vary in compliance requirements for businesses, with all laws highlighting the need for companies to deploy methods for closely storing, protecting and controlling sensitive information. Imation used publicly available sites (including information obtained via the
National Conference of State Legislatures
) to analyze state compliance laws in the 46 U.S. states that have such laws, as well as in Puerto Rico, the District of Columbia and the U.S. Virgin Islands.
Imation created a “Compliance Heat Map” to depict the strictness of data breach laws and resulting penalties for breaches. The Compliance Heat Map provides a visual snapshot of the strictness of regulations by state, using a color scale ranging from light yellow (less strict) to dark red (more strict). To view the compliance heat map, click here:
“What the compliance heat map tells us is that data security needs to be at top of mind for all IT pros, as there are rules in place for nearly all states and territories and non-compliance could mean serious penalties,” said David Duncan, software & security solutions marketing director, Imation. “Yet, companies also are challenged by explosive data growth and state and federal requirements that mandate active archiving, long-term retention and accessibility of that data. Businesses need resources to help navigate laws and develop secure and scalable infrastructures for data storage and protection.”
IT pros today are responsible for managing data, which includes ensuring security, business continuity and regulatory compliance. For small- to mid-sized businesses, the challenge is often to meet compliance requirements with limited resources, which leads to higher risk. In fact, the 2011 Verizon Data Breach report found that businesses with between 11 and 100 employees reported more than six times as many data breaches than businesses with between 101 and 1,000 employees, according to the online website
. Further, the loss or theft of an unencrypted notebook, flash drive or removable hard disk drive can expose gigabytes, or even terabytes, of private information. IT professionals should implement strategies to protect their data through network security, data encryption and enforcement of information security policies, while staying well-informed of state compliance laws in the not-unlikely event that a data breach does occur.
Compliance Heat Map Findings
Imation’s research found most state data breach notification laws to offer similar definitions of personally identifiable information and requirements regarding the notification of affected parties. Among the research’s noteworthy findings:
Compliance Heat Map Methodology
- Four states have yet to enact a data breach notification law: Alabama, Kentucky, New Mexico and South Dakota.
- According to Imation’s analysis, Virginia has the most strict law in the nation. The law provides specific requirements on what is to be included in a breach notification, requires government and credit reporting agency notification, and includes a large financial penalty relative to other states.
- A few states, including Virginia, require notification even if breached data is encrypted—if the encrypted data was stolen along with the encryption keys.
To conduct the research, Imation applied to the laws a series of questions, organized to evaluate the laws’ requirements regarding encryption, data that is within scope of the laws, notification of data loss and destruction of data, as well as penalties for non-compliance with the laws. Imation also considered other germane laws, such as those dictating data destruction or allowing for consumer freezing of credit report requests. Imation used publicly available information about the laws, including the legislation itself.