California started it’s version in 2003, followed by Arkansas in 2005. Now 45 states have laws that require companies to notify residents of the respective states if their Personally Identifiable Information (PII) has been breached.

What’s next? - there are two current bills on the Senate floor in DC - both federal laws (meaning, they will supersede the state laws and that all companies nationally have to comply). One of them, by Leahy-VT, actually will permit more pervasive state laws to be in effect (for example, the far reaching Mass Privacy Law CMR 201 17) while the other, by Feinstein-CA, allows for “Safe Harbors” (meaning, if the breach was not malicious, then notification is not necessary).

Follow to this blog over the coming months for more information on such laws and how to comply with them.

Encouraging you to embrace obfuscation (TM),

Rajesh

MENTIS Software

Obfuscation, in the context of my discussons, means data masking - the substitution of sensitive information by similar and realistic looking information. Data Masking is a much worthy alternative to encryption - in terms of efficiency, time to implement, changes to existing process, etc.

Look for a posting that discusses Encryption vs Masking.

 Over the next several posts, I will talk about the need, the business case, lessons learned, and what to look for when selecting a masking product/ solution.

Your comments, suggestions, thoughts, critiques are most welcome!

Best,

Rajesh Parthasarathy

Data Masking advocate