With identity fraud reaching unprecedented levels, lawmakers appear to be taking a cue from payment companies and implementing data security rules that closely resemble the PCI DSS.
The latest example is Massachusetts, where new data security regulations that took effect March 1, 2010, mandate that every company with customers in the state have plans in place to protect the private information of these customers from identity thieves. Security measures prescribed by the new regulations include data encryption, employee training and a written plan that details how data will be protected from theft or loss.
The state's chief consumer affairs advocate said the new law was prompted by a recent surge in identity thefts involving residents of the state. "In two years, over one million pieces of information belonging to Massachusetts residents were lost or stolen," said Barbara Anthony, Undersecretary of State for Consumer Affairs and Business Regulation. "What these regulations do is create a culture of security."
"This is leading-edge legislation," said Eduard Goodman, Chief Privacy Officer at Identity Theft 911, a Scottsdale, Ariz., firm specializing in identity management and data breach remediation services. From a lawyer's perspective, it helps to have laws like these on the books when aggrieved parties are seeking damage awards, Goodman added.
Codification of best practices
The new Massachusetts law follows a Nevada law that became effective Jan. 1, 2010. That law codifies the PCI DSS, making it a violation of state law for any company accepting credit cards in Nevada not to be in compliance with the PCI DSS. Nevada companies that don't accept card payments, but otherwise collect customer data, are required under the new law to encrypt all stored and transmitted customer information.
"What we're seeing is a basic codification of security best practices 101," Goodman said. He believes that, taken together, the Massachusetts and Nevada laws are a big deal, as momentous as the first state data breach notification statute enacted by California in 2002. Today, all but a handful of states have similar data breach notification laws in place.
Goodman described this first batch of data security legislation as useful but "reactive." The trend set into motion by Massachusetts and Nevada is all about "prescriptive security," he noted. "I think it's a game changer," he said of the new Massachusetts law. "This is not the last state that will pass something like this. This is a nonpartisan issue."
ID theft concerns
The Federal Trade Commission reported last month that identity theft topped the list of consumer complaints to the agency's offices last year. About one in five of the 1.3 million complaints received involved identity frauds, the FTC said. FTC Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan are slated to announce shortly a major federal-state initiative to combat identity fraud.