Friday, October 24, 2008

New Data Privacy Laws Set Firms

Alicia Granstedt, a Las Vegas-based hair stylist who works for private clients and on movie sets, never worried about conducting most of her business through email.

Ms. Granstedt regularly receives emails from customers containing payment details, such as credit-card numbers and bank-account transfers. Since she travels frequently, she often stores the emails on her iPhone.

But a Nevada law that took effect this month requires all businesses there to encrypt personally-identifiable customer data, including names and credit-card numbers, that are transmitted electronically.

After hearing about the new law, Ms. Granstedt started using email-encryption software, which requires her clients to enter a password to read her messages and send responses. It is a hassle, "but I can't afford to be responsible for someone having their identity stolen," she said.

Nevada is the first of several states adopting new laws that will force businesses -- from hair stylists to hospitals -- to revamp the way they protect customer data. Starting in January, Massachusetts will require businesses that collect information about that state's residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.

While just a few states have adopted such measures so far, the new patchwork of regulations is something many businesses will have to navigate, since the laws apply to out-of-state companies with operations or customers in those states.

That's one reason the Massachusetts law has the attention of Andrew Speirs, information security officer for National Life Group, an insurance company based in Montpelier, Vt. "We do business in all 50 states so we're definitely reviewing it," he said. Mr. Speirs said that National Life has a program in place to protect data, but that the Massachusetts law "is a little more particular" than other state laws. He is checking his company's program for any holes.

While it isn't clear if state authorities intend to crack down on mom-and-pop businesses -- the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said -- the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.

In Nevada, companies that suffer a security breach but comply with the new law would cap their damages at $1,000 per customer for each occurrence. Those that don't comply would be subject to unlimited civil penalties under the proposed enforcement plan, said James Earl, executive director of the state's task force for technological crime.

Some businesses have already started buying security technology in anticipation of the new laws. Papa Gino's Inc., a Dedham, Mass.-based pizza and sandwich chain, began purchasing laptops with encrypted hard drives from Dell Inc. for its workers last year. Dell sells these computers for about $100 more than those with unencrypted drives. So far, the company has bought about 80 of the computers.

Papa Gino's is also purchasing encryption software -- which costs about $50 per computer -- to protect files containing sensitive information on the 170 or so laptops that don't have encrypted drives, said Chris Cahalin, manager of network operations for the company, which has 370 locations.

The new regulations mean "anybody in IT has to become a security guy," he said.

Getting compliant with the new laws will require most businesses to open their wallets. According to Forrester Research, about 31% of large corporations and 22% of small- and medium-size firms currently have at least some laptops with encrypted hard drives, a way of protecting information on a computer if it is lost or stolen.

The Massachusetts government estimates that a business with 10 employees will need to spend $3,000 up front, plus an additional $500 a month in order to comply. Security executives at larger firms said they expect to spend a similar amount per employee.

Partners HealthCare System Inc., a Boston-based hospital operator, will have to spend more than $100,000 to comply with the new regulations, said Karen Grant, the company's chief privacy officer. Partners is looking into encryption for laptops and technology that can trace lost or stolen devices.

The company may need to reprioritize its current projects in order to get the new technology in place by January, said Ms. Grant. "It's a burden," she added, "but it's something you have to do."

The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent, said Miriam Wugmeister, an attorney with Morrison & Foerster LLP.

The so-called breach-notification laws, which were enacted in more than 40 states, ended up doing little to tamp down security breaches.

So far this year, more than 500 organizations have publicly disclosed a breach, up from the 446 disclosed in all of 2007, according to the Identity Theft Resource Center, a San Diego nonprofit group. In a September study, researchers at Carnegie Mellon University found that notification laws only reduce identity theft by around 2%.

"Breach-notification laws deal with what happens after the horse leaves the barn," said Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation. The new regulation in his state "is intended to prevent the horse from getting out of the barn in the first place."