Lisa J. Sotto
Hunton & Williams


Ms. Sotto is a partner in the New York City office of Hunton & Williams. She concentrates her practice on privacy and information management issues. She assists clients in identifying, evaluating and managing risks associated with privacy and information security practices of companies and third parties and conducts all phases of privacy and data protection assessments and information security audits. She further advises clients on the Gramm-Leach-Bliley Act, HIPAA, COPPA, CAN-SPAM and other U.S. state and federal privacy requirements (including HR requirements); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); and global data protection laws (including those in the EU and Latin America).
SAI Global Compliance



Nevada and New Hampshire Data Security and Privacy Laws Take Effect

by Lisa J. Sotto, Jan 29, 2010

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

Nevada’s law requires “data collectors,” including government agencies and businesses, that accept payment cards and are “doing business” in Nevada to comply with the Payment Card Industry Data Security Standard (“PCI DSS”). Nevada now becomes the only state to require compliance with PCI DSS in its entirety.

For businesses that do not accept payment cards, the new Nevada law prohibits electronically transmitting a customer’s personal information “outside of the secure system of the business” or moving any data storage device containing a customer’s personal information “beyond the logical or physical controls” of the business unless the transmission or data storage device is suitably encrypted, as defined by the statute.

It remains to be seen whether Nevada’s new law will create a nationwide domino effect similar to the one that followed California’s 2003 enactment of the first information security breach notification statute, which led 44 other states to pass similar legislation.

New Hampshire law now requires health care providers and business associates to (1) obtain an authorization from individuals before using or disclosing their protected health information (“PHI”) for marketing, and (2) provide an opportunity for individuals to choose not to receive any fundraising communications that involve their PHI. This new law also requires health care providers and business associates to notify individuals in writing of any use or disclosure of their PHI that is not permitted by New Hampshire law, even if such use or disclosure is allowed under federal law.

New Hampshire’s new law adds to the list of state and federal laws regulating breaches of health information: in August 2009, Missouri’s information security breach notification statute, which applies to breaches of “medical information” and “health insurance information,” took effect, and in February 2010, the federal regulations addressing breaches of unsecured PHI will become effective.

Read the entire discussion in our firm’s January newsletter.
