Data Privacy Risk Assessments

In case you are affected, 19 states now have data privacy laws, and 17 of those require that employers conduct data privacy assessments.

The states that require these assessments are:

  • California

  • Colorado

  • Connecticut

  • Delaware

  • Indiana

  • Iowa

  • Kentucky

  • Maryland

  • Minnesota

  • Montana

  • Nebraska

  • New Hampshire

  • New Jersey

  • Oregon

  • Rhode Island

  • Tennessee

  • Texas

  • Utah

  • Virginia.

Seven more states have this kind of legislation actively in progress in their legislatures: Maine, Massachusetts, Michigan, New York, North Carolina, Pennsylvania, and Vermont. Beyond those, a number of other states have at least considered such legislation, even though it has not been enacted (yet).

That kind of assessment is also required of any company subject to HIPAA.

Subject employers are strongly cautioned to have data assessment plans solidly in place prior to collection of any protected data from employees. It should be noted that these data privacy assessments are not simple checklists.

They involve detailed analyses that compare the risk of collecting and processing information against the benefit to the business in each case, taking into account any safeguards the business plans to implement.

Performing these assessments carries significant regulatory implications and potential litigation risks – as does not performing them if they are required. 
