Wednesday, April 11, 2007
State Enforcement Actions
While federal laws such as Gramm-Leach-Bliley and HIPAA are often the focus of concern for organizations seeking to maintain regulatory compliance, it is important to remember that many states have put in place requirements that must be observed as well. Case in point: Texas, where the attorney general took action against Radio Shack for violating that state's 2005 Identity Theft Enforcement and Protection Act and section 35.581 of Chapter 35 of Texas' Business and Commerce Code. According to the attorney general's press release, Radio Shack had failed to properly protect and dispose of its customers' records, simply dumping them in bulk in a garbage receptacle behind a store. The dumped records included, ironically, a receipt from a woman who purchased a shredder from Radio Shack to protect herself from identity theft - just the kind of potential victim the media loves to focus on. Thus, the Radio Shack prosecution should serve as a reminder to businesses everywhere that federal law isn't the only source of data privacy and information security law, and that it is necessary to be mindful of state statutes as well.