Numerous states have adopted laws mandating the protection and disposal of personal information. Under those laws, businesses are required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Although the definition of “personal information” varies from state to state, “personal information” is generally defined as an individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (1) Social Security number; (2) driver’s license number or other state-issued identification card number; or (3) account number, credit or debit card number, or another account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The scope of these state laws may be broad, imposing a duty not only on a business that is physically located in one of those states but also on any business located outside of the state that obtains personal information from residents of those states. Certain states’ laws not only require that the business undertake sufficient measures to protect personal information in its possession but also, to the extent that personal information is provided to third parties, require that the business contractually obligate those third parties to implement and maintain reasonable security measures to safeguard the personal information disclosed to them. The nature and extent of these requirements vary greatly from state to state.
Bruce Radke & Michael Waters, Selected State Laws Governing the Safeguarding and Disposing of Personal Information, 31 J. Marshall J. Info. Tech. & Privacy L. 487 (2015)