Florida recently put a tough new cyber-breach notification law into effect, replacing its older statute with more stringent demands upon any company that interacts with consumers there. The state is hardly alone. Lacking a comprehensive federal law to guide the notification process, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands each have their own rules, many of them unique, on what companies must do when customer data is stolen or mishandled. In this Compliance Week article, Alisa Chestler comments on the patchwork of state laws.
Meeting all the various state requirements makes compliance "almost like playing whack-a-mole," says Ms. Chestler. "If you compare it to the European Union, where the law is comprehensive and overarching, at least you have a one-stop shop," she says. "While legislators are going to argue that what they have put in place is good security practice, it still presents all companies with a burden on making sure they understand it, know it, and comply with it."