Lock Up Your Servers! Inspired by Europe, U.S. States Enact New Data Protection Statutes
Data protection law is quickly becoming a legal-compliance headache for many companies. As companies and their customers have continued to store more data in the cloud, that data has become a valuable target for hackers. The risks to personal and financial information are not new and businesses have been grappling with these issues for some time, while data protection laws have been slower to catch up. However, the pace of legal developments in this area is now quickening.
Regulatory efforts came to the forefront for many companies with the passage and implementation of the European Union’s General Data Protection Regulation (“GDPR”). Implemented last year, the GDPR is one of the broadest data privacy statutes to date with broad jurisdictional reach. A U.S.-based company could, for example, still be covered by GDPR if it handles data relating to EU-based individuals even if the business itself has no offices, assets or other operations in the EU.
Not to be outdone, many U.S. states have started passing or strengthening current data protection laws. Most of these new laws simply require companies to notify individuals affected by data breaches, but a growing number of states have enacted laws requiring entities to implement data security and data disposal policies and procedures. For example, the Alabama, Colorado (see our previous post here), Nebraska, and Vermont statutes all require covered entities to implement and maintain reasonable security policies and procedures designed to protect covered information from data breaches. Other states, such as California, have gone a step further by implementing comprehensive data privacy laws in the image of GDPR (see our previous post here).
This is a rapidly changing area of the law. Companies that conduct business on the internet across state lines or that utilize cloud storage for company data should determine whether these laws apply to them. Similar to GDPR, many if not all of these data protection laws have the potential to be applied to entities based outside the physical boundaries of the state if that entity handles data relating to individuals residing in that state. Businesses (and particularly those for which personal data is key to their operations) need to make sure that they understand which laws apply to them within the U.S. and internationally and to confirm that their data protection practices comply with the applicable legal obligations.
Subscribe to Managing the Modern Workplace to receive weekly email updates.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.