Organizations that breach regulations relating to data protection and privacy, watch out. It’s not just costly civil penalties that companies are incurring; severe criminal sanctions are also being levied against organizations that breach these laws.

For example, in Hong Kong, an insurance agent was sentenced to four weeks in prison for contacting clients of a former employer without their permission.

Meanwhile in the United States, California and Delaware are the latest states to impose more obligations on companies in relation to the collection, handling, storage and destruction of data.

Amendments to California Civil Code, effective Jan. 1, 2015, require organizations that breach data protection laws to offer to provide identity theft prevention and mitigation services to the person affected by the breach; and extend the requirement to maintain reasonable security practices and procedures, to businesses that maintain the personal information of California residents (i.e., data processors and service providers), not only those that own or license such information. There is also a prohibition on the sale, advertisement for sale, or offer to sell an individual’s Social Security number, other than as permitted by law.

Also effective Jan. 1, all Delaware companies are required to destroy securely any data that contains “personal identifying information.”

“This follows a trend globally towards the greater protection of personal data and privacy by the use of legislation backed by enforcement action,” says Fiona Coombe, director of legal and regulatory research, Staffing Industry Analysts.