Another piece of meat for the compliance stew

The Personal Data Privacy and Protection Act made it through the US Senate and some form of it will probably become law next year. Its a lot like SB1386 in that it requires notification when unauthorized access to personal data occurs. But the most interesting sections are Title III and Title IV. Title III give people a right to access and correct the personal information held by data brokers. Title IV requires all organizations that hold information for more the 10 thousand customers to develop and maintain a comprehensive data security plan... it doesn't just apply to public companies, but to every company with >10K entries in their customer database. Financial companies and health care companies already covered by GLBA and HIPAA are exempted.

Each company has to:

  • Perform a threat assessment and risk evaluation
  • Evaluate the existing control structure and identifiy deficiencies
  • Implement access controls on the PII
  • Detect actual and attempted unauthorized access to the PII
  • Use encryption or other means to protect PII in transit and in storage

The interesting part will be sorting out how this law will relate to existing state laws like SB1386. In some cases the states have precedence, and in other cases the federal law has precedence.

Without having dug into the details, it looks like a pretty reasonable regulation. In any case, its going to cost people money, and provide security consultants and auditors with another revenue source