California Data Privacy Laws: Is Compliance Good Enough?

California SB 1386, which went into effect in July 2003, is the granddaddy of all state data protection laws. It requires that businesses protect customers’ personal information and provide notification if there is a security breach which reveals these data to unauthorized people. Since this California law was passed, 50 of 55 States and Territories have followed suit, enacting some sort of data protection and/or breach notification law. And not all of these laws apply only within State boundaries; for instance, the Massachusetts data protection law (201 CMR 17.00) applies to every organization which obtains personal information on residents of the Commonwealth. In addition to these state laws, there are today numerous federal data privacy, data protection and data breach notification regulations which impact specific industries – such as those included in the HIPAA / HITECH Acts in the healthcare arena. And on top of this, there are industry-specific regulations which apply – such as those in PCI-DSS which impact every organization which takes credit cards. As a result, we are left with a patchwork of confusing and sometimes contradictory statutes and regulations which impact almost every business in the US.