U.S. Laws Governing Data Security
The Gramm-Leach-Bliley Act ("GLBA") and the Health Insurance Portability and Accountability Act ("HIPAA") require that financial and health care providers take steps to ensure that personal information is secure. Consult an attorney to determine if you are covered by these laws, as the government considers many small businesses "financial institutions" or "health care providers" even when the business might not consider itself to be involved in financial services or health care.
At least twenty states have passed laws requiring small businesses to implement procedures to prevent personal information from being disclosed or improperly used. Some states specifically require that small businesses encrypt personal information that is sent over the Internet. Unlike federal laws, these state laws apply to all small businesses — not just those that are financial institutions or health care providers. Additionally, almost every state has passed legislation requiring disclosure of any incidents involving the loss of consumer information.
Small businesses that accept credit and debit card payments are contractually required to take certain steps to secure the payment card information they collect. Contact the bank or the company that manages your payment card processing for details or visit http://pcisecuritystandards.org for more details on the Payment Card Industry Data Security Standard requirements for protecting payment card data.