Missouri’s new Data Protection Disclosure Law
- Monday, September 21, 2009, 15:18
- Threat Research
Although it may have gone unnoticed, a month ago Missouri finally joined that heady club called “states which have Data Privacy Laws.”

On 28th August, the “Missouri Data Breach Notification Law,” or House Bill 62, took effect, not protecting, but at least enforcing care and attention for residents’ personal information (Social Security Numbers, Driver’s Licence Numbers, and information which could be used to access a resident’s financial accounts). Note I use the word “resident,” because, as with the other 47 or so state laws, this one applies to the residents of Missouri, not to the businesses. If you have Missouri resident information in your datacenter in Timbuktu, you are still required (under civil and actual damages) to comply.

The full text of the law can be found on the excellent HuschBlackwell site, but the interesting points are:

- This law applies to Personal Health Information (PHI) as well as Personally Identifiable Information (PII).
- The law applies to both “customer” data and “employee” data; it basically applies to every resident of Missouri.
- If you lose more than 1000 individual records, you need to tell the Attorney General.
- Non-compliance means civil damages.
- If you determine that the exposure of data is “unlikely” due to protective measures (or you believe the device was destroyed, etc.), you can elect not to disclose, but you MUST fully document the investigation and keep records for 5