Selecting the right initial project(s), determining outcomes and measures, and preparing the business case are important groundwork for your Information Governance initiative, as discussed in Part 1. But to secure resilient management support for an ongoing initiative, you’ll also want to tie the individual projects to strategic objectives for Information Governance at your organization.
Management support is crucial for success with Information Governance initiatives. This is not merely a question of initial project and budget approvals. Most Information Governance initiatives involve behavioral changes in how data is handled, and in many instances, aspects of organizational culture may be impacted. No matter the ultimate benefits, any initiative involving behavioral change
As we watch the tsunami of state comprehensive consumer privacy laws now spreading from California across the U.S., it’s time to revisit the flood zone of state-level PII breach notification statutes, which also flowed forth from California back in 2002. By 2018 that wave had reached every state, along with the District of Columbia, Puerto
In the real world, what to do has never been as impactful as why to do it. For the 2020s, the newest impetus for managing information retention and disposal is crystal clear – data privacy and security compliance
Continue Reading Less Data is Now Even More Than Ever
We’ve already seen how new FTC regulations for GLBA-regulated financial institutions require retention schedules and disposal of unnecessary data as essential data security controls. The FTC is now also taking that position for all businesses under Section 5 of the FTC Act, as seen in a slew of recent FTC data security enforcement actions.
Two
The FTC has updated its data security regulations for the financial institutions it regulates under the Gramm-Leach-Bliley Act (GLBA). The FTC’s revised requirements for information security programs, effective June 1, 2023, will now mandate data retention policies and disposal of unnecessary customer information.
To appreciate what this means, we must take a quick look at
Data security laws increasingly require disposal of unnecessary data, But will regulators take this seriously?
Continue Reading Less Data #1: State-level data security regulators are enforcing data disposal
Two years ago I made a prediction: “For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance. Buckle up.”
This was the last line of a 2021 blog series exploring then-recent developments in United States’ data privacy and security
It’s once again time for a summary round-up for the puzzling array of state PII breach notification laws.
Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached. By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold text below reflects changes since 2018).
These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when a business with employees and customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws.
Scope of PII
State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But an ever-growing number of states include other combination elements in their PII definition:
Continue Reading The Puzzle of State PII Breach Notification Statutes
In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements: