Nevada and Massachusetts have become the forerunners for data security recently.  With the current data security regulation (1.0), businesses are required to notify individuals if there is a potential personal information breach which could lead to identity theft.  This law is used mostly to set standards in responding to incidents but not in actually preventing them from occurring in the first place.  As many may remember, the reason for the regulation in the first place was due mainly to the data breach that companies such as TJX, ChoicePoint, DSW and BJ’s Wholesale suffered.  With TJX as their guinea pig, the Federal Trade Commission conducted a new wave of security referred to as Data Security Regulation 1.5.  This made higher standards for business security that penalized any data breaches.  However, it lacked an implementation of any technology to fight against this.  Which brings us to Data Security Regulation 2.0.

New laws in the states of Nevada and Mass are looking to set specific standards which include the use of encryption when collecting and transmitting hte personal information of its buyers. On October 1, 2008 the Nevada law was effective saying that information was not allowed to be transmitted other than via fax unless encrypted which is defined as “requiring the use of cryptographic keys to decipher data.”  Although Nevada is certainly a leader for security, it has nothing on the programs that Massachusetts is looking to install.  They are bearing down on all levels of companies and considering each to be on the level of banks and their need for information security.  Going much further than simply encrypting data, business must undergo operational requirements such as a developing a written information security program which must be approved by the standards of the Commonwealth of Massachusetts.  Encryption according to Mass is more narrowly defined as “the transformation of data through the use of algorithmic process, or an alternative method at least as secure, into a form which meaning cannot be assigned whithout the use of a confidential process or key.”  Due to the complexity of the law and complaints from business owners it will not be authorized until January 1st of 2010.  Businesses that store personal information in electronic or paper from must abide by these laws and any violations carry a heavy fee of $5000.

These new laws are just the beginning of information security practices.  It will be difficult to employ them, however, if all the standard vary state-to-state.  It is the best interest of the businesses everywhere to begin to implement security measures that comply with Massachusetts since it is the strictest.  Many enterprise leveled businesses and beyond have since begun to protect their name brand as well as their customer information by using ws_ftp and other file transfer products, which are in compliance with the law.   Until there is one standard law for all businesses, every company from McDonald’s to the local icecream store should start encrypting.