State-level cyber-security laws are a complexity every employer needs to understand, because the legislation reaches well beyond the borders of the state that enacts it. This article explains how that works.
First, every state has a statute concerning cyber-security and data privacy, as you can see from the chart below. The vast majority have a law that requires a notification to users if there is a breach of data. Many require a notification policy, which is not complicated to draft. We will soon have a sample notification policy for members to use. In the meantime, we have a sample security policy that has a section on notification. To see which states have a notification requirement, look at the “Notification Requirement for Data Breach” column. If a policy is required, you will see “(policy)” in the same column.
The law becomes more complicated when you consider that 22 states, including Colorado (but not Arizona or Utah), have statutes that apply to employers who have any customers in their states. So, for example, in Colorado or Massachusetts, if your organization stores data of a customer or end-user who resides in Colorado or Massachusetts, you must follow that state's laws for that data, even if your organization has no offices or employees there. Those states are listed in the column labeled “Not Required To Do Business In The State For Data Breach Requirements To Apply.”
There are two additional complicating factors. First, some state statutes protect data even when no name is attached, because the data could still be used to identify an individual. This is shown in the “PII or No Name Requirement Included” column, where PII stands for personal identifying information. Colorado is one of those states, along with seven other states, and you must also follow each statute's requirements for this type of data. In Colorado, this means having a security and data-disposal policy for this type of information.
Finally, there are 15 states that require a security policy, as you can see below. The state with the most comprehensive requirements for a security policy is Massachusetts, and we have used that law to create our security policy template, along with minor requirements from other states that have a check mark in the “Not Required To Do Business In The State For Data Breach Requirements To Apply” column.
The security policy not only includes Information Technology standards, but also specifies which employees are responsible for the work being done, the required disciplinary action, and cyber-security training for employees.
If you have any questions about the chart below or state laws on this topic, please contact us. We can help.