New State Laws Create Challenges for Retailers in Safeguarding Customer Data


Retailing Today
by Edwin Lavergne
April 6, 2009

Data security breaches are on the rise, and nearly 20 million American consumers have been affected by identity fraud. In the absence of a federal policy, 45 individual states have enacted laws to safeguard the privacy of their residents. Businesses that collect and store personal information on customers, such as retailers, must comply with a patchwork of regulations that vary from state to state. The stakes are high, since failing to adequately safeguard personal information can result in fines as high as $750,000 and class-action lawsuits for negligence. As businesses scramble to revamp the way they protect personal data, a more comprehensive law is on the horizon. This law will require businesses to implement risk assessment analyses, restricted access policies, disciplinary measures, new documentation practices, and computer security measures. Massachusetts took the lead in this area, with a law scheduled to take effect in May 2009. However, in response to concerns regarding compliance, implementation was postponed until Jan. 1, 2010. This law will affect any retailer that collects data on Massachusetts residents, irrespective of where the retailer is physically located.