Dark Reading is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Delaware has become the latest state to enact legislation on computer security, joining at least 13 other states in setting specific requirements for companies doing business within their borders. Delaware's law is notable in two regards, the first involving the nature of Delaware and the second a critical provision within the law itself.
The bill itself requires that "...any person who conducts business in Delaware and maintains personal information must safeguard that information." It goes on to define what "breach" means and prescribes certain actions to be taken if private information -- like a Social Security number -- is disclosed.
The interesting provision within the law is that it defines "encryption" and then carves out a safe-harbor provision for companies that suffer a breach if the information exposed is encrypted. This safe harbor for encrypted data is likely to have a significant impact on the increase in enterprise encryption because of Delaware's status as a favored state for business incorporation in the US.
As of 2014, more than two thirds of the companies in the Fortune 500 are incorporated in Delaware. This means that at least two thirds of the United States' largest companies must now look at how they will respond in case of a data breach and whether greater encryption deployment for customer and employee records will be a worthwhile investment in order to provide a safe harbor.
States that have enacted data security laws for private entities have done so in a wide variety of ways, ranging from broad statements about providing reasonable protection for private information to very prescriptive laws dealing with the nature of protection and requirements for disclosure.
With Delaware joining the data protection and security fold, eyes will be on many more states in the upcoming legislative season to see whether the number of governments requiring specific data security steps will grow.
Related posts:
— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.
Everything You Need to Know About DNS AttacksIt's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask.
Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted.
Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Incident Readiness and Building Response Playbook
In this special report, learn the Xs and Os of any good security incident readiness and response playbook.
Tweet This
1 Comments
