Hunton & Williams LLP write:
On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.
Nevada’s law requires “data collectors,” including government agencies and businesses, that accept payment cards and are “doing business” in Nevada to comply with the Payment Card Industry Data Security Standard (“PCI DSS”). Although Minnesota has codified the PCI DSS requirement that prohibits businesses from retaining certain credit or debit card data after a transaction, Nevada now becomes the only state to require compliance with PCI DSS in its entirety.
[…]
The new law in New Hampshire requires health care providers and business associates to (1) obtain an authorization from individuals before using or disclosing their protected health information (“PHI”) for marketing, and (2) provide an opportunity for individuals to choose not to receive any fundraising communications that involve their PHI.
Read more on Privacy and Information Security Law Blog.