News & Resources

Publications & Media

“Navigating rules and regulations across U.S. borders”

Safe and Sound By Margaret Utterback

Do you know your data’s zip code? If not, you should figure it out, because those five digits will help determine which rules are at play.

As we discussed in our last post, the United States has no central authority governing all data. Lawmakers at every level have created a patchwork regulatory landscape that can be extremely complicated to follow. In many cases, the states have been far more active in enacting data protection rules than the federal government. This is especially true in states like California and Massachusetts, which favor consumer protection. These states have taken the lead on many fronts of data privacy and security law.

In general, the states have also been more aggressive in enforcement, often because attorneys general — elected officials who tend to take activist consumer-protection positions — are carrying out the enforcement.

All of this creates a challenging, and potentially expensive, task for corporate data managers. The only way to know which laws (there will likely be several) govern their data is to know where the data and their consumers and employees live. In the internet age, of course, it’s quite likely that a single business has consumers in many locations (or has no idea where they are), and data can easily be spread around to servers and vendors across multiple jurisdictions as well. Similarly, even if your business is located in just one state, your employees and customers could be in multiple states.

To many company executives, this doesn’t sound like a problem — until there’s a breach or other legal question which arises. Then, executives are confronted with the task of assessing what they’re required to do, and where. It is a lengthy, expensive and difficult task. As of today, 47 states have passed security-breach notification statutes, dictating certain procedures that companies must take when their customers’ (or employees’) personal data is hacked. The procedures vary widely by state — as does the definition of what constitutes “personally identifiable” data (we’ll elaborate on that in another post).

In some cases, a company can comply across every state by abiding by the strictest regime. But that approach has some limitations, since some states require specific statements that may conflict with requirements in other states.

A number of states have also passed laws that apply specifically to health-related data and financial information. The latter also applies to any retail or e-commerce enterprise that’s collecting credit-card data.

Once again, we’re merely scratching the surface here. In future posts we’ll elaborate on many of these topics. For now, the important thing to remember is that, at least in the United States, the authority on data privacy and security is nowhere and everywhere at once.