Encryption should be part of your plans
On October 1st, a new law in Nevada will require those transmitting personally identifiable information outside of a secure, closed network to send it encrypted. The law reads, in part:
"A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission."
Massachusetts has passed a similar but more restrictive law that will go into effect on January 1, 2009. While the Nevada law focuses on electronic transmission of information, the Massachusetts law focuses on the portability of data. That means that any personally identifiable information you have on a Massachusetts resident that is stored on a laptop, mobile device, thumb drive, etc. must be encrypted.
I'm not sure how these states, particularly Massachusetts, will enforce their laws for those outside of the state. However, given that New York has invented a way to charge Amazon.com sales tax even though the company has no facilities in the state, inventive minds will likely prevail.

1 Comment:
My understanding is that one of the benefits of working with a billing / payment platform player (like Aria, Zuoria, etc.) is that you can have the "personal" info related to billing take place on their hosted site (thus making it their responsibility re. PCI compliance). It seems like for businesses that want to decrease their liability handling sensitive customer info, there are increasingly more options not to host the handshakes directly. Of course, this is assuming the vendor partner you choose to host your passing of personal info is competent.
October 2, 2008 2:56 PM