Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States


From: "j.price" <j.price () DOMAIL MARICOPA EDU>
Date: Mon, 8 Aug 2011 12:11:10 -0700

This question was raised several weeks ago:

Can you tell me if your attorneys have determined that you have to
comply with all 50 (or 46) state requirements rather than merely your
own state? This has been a discussion here and I’m interested in what
EDUs are thinking on this.

I surveyed the International Association of Privacy Professionals (IAPP), of which I am a member, and these were some of the answers I received:

Answering from a higher education institution, we never thought to NOT notify everyone affected. Our standard procedure, from even before we had a state law, has us notifying all affected persons and all the same way. And we also over-notify, that is, we (one might say excessively) err on the side of notifying, so it is unlikely that we would not notify when another state thought we should have. We do not have the resources to study each state or country and alter our notices or procedures to make subsets of our notifications fit various state or foreign country requirements. But, we believe that by following standard best practices for breach notification we are meeting nearly all state law provisions.

Merri Beth Lavagnino, CIPP, CIPP/IT
Chief Privacy Officer and Compliance Coordinator
Public Safety and Institutional Assurance
Indiana University

We have handled our situations in the same manner described by Merri Beth. The only caveat to this is that since the State Attorney General's Office is our legal counsel, that office has notified other entities as they believe appropriate (e.g., additional law enforcement, the Governor's Office, other Attorneys General, etc.). Since we are so close to Massachusetts and a large number of our constituents reside there, we have tried to take their state law's language into account in drafting our notices, for example. But we are short on resources as well, so we try to use one notice where we can. We have also tried to get ahead of the game where we can and notify the local/regional media where appropriate.

Rachel Krinsky Rudnick, JD, CIPP
Assistant Director of Compliance/Privacy
Office of Audit, Compliance & Ethics
University of Connecticut

The breach notification laws each specify that notice is to be given to “affected residents” of the particular state, therefore state of residence of the student is determinative. There are no exceptions for educational or non-profit institutions.

Cynthia J. Larose
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.


The answer from a LEGAL perspective is "It depends." Some state data breach notification laws have extraterritorial reach and some do not. However, from a PRACTICAL perspective, if you determine that you have to send notice to some, you may want to consider sending notice to all - even if some of them live in states that don't have data breach notification laws.

You don't really want to be in a position where you get a phone call from the Attorney General of a given state asking why you didn't notify the people from her state and your answer is, "Well, your state data breach notification law didn't require it, and [other state's] did."

John Nicholson | Counsel, Global Sourcing Practice Pillsbury Winthrop Shaw Pittman LLP

As a practical matter, it is less expensive to comply with the requirements of all 46 states than to pick a fight with an Attorney General and litigate the issue.

Philip L. Gordon,
Littler Mendelson


On 7/9/2011 11:52 AM, Jack Suess wrote:
My understanding is that if you are a public institution it really
doesn't matter what another state does, you should be covered by your
local state's laws. States generally don't have the power to enforce
local laws in another state. In a situation where Mass. is trying to
enforce its laws on a Maryland agency, this becomes a federal case and
I just don't see that happening where a judge would rule that Maryland
government agencies must observe Mass. laws. That is the whole point of
sovereign rights bestowed to states.

A private institution may be in a different situation as would a public
that sets up remote facilities in another state.

I do agree we have a mess with the hodgepodge of state laws.



Jack Suess
UMBC Division of Information Technology (DoIT)

On Jul 9, 2011, at 7:29 AM, Allison F Dolan <adolan () MIT EDU> wrote:

My understanding is that compliance with the individual state
notification rules is generally expected - e.g. if you have a breach
involving residents of all states, you need to follow the different
state notification rules.
Compliance with data protection rules (a la the MA requirement to have
a written info security program) is much less clear, and seems
unworkable, which is one of the drivers behind having a Federal law.
Allison Dolan
------------------------------------------------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv
[SECURITY () listserv educause edu] On Behalf Of Rosenthal, Jane E. [jer () KU EDU]
*Sent:* Friday, July 08, 2011 12:11 PM
*To:* SECURITY () listserv educause edu
*Subject:* Re: [SECURITY] Pre-Breach Requirements - 18 States

Hi Cliff,

Can you tell me if your attorneys have determined that you have to
comply with all 50 (or 46) state requirements rather than merely your
own state? This has been a discussion here and I’m interested in what
EDUs are thinking on this.

Jane

_____________________

Jane E. Rosenthal
Director | Privacy Office
The University of Kansas

Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu | Web http://www.privacy.ku.edu

------------------------------------------------------------------------

*From:* Clifford Collins [mailto:collinsc () FRANKLIN EDU]
*Sent:* Wednesday, July 06, 2011 10:39 AM
*Subject:* Pre-Breach Requirements - 18 States

Hello Security Compatriots,
I was searching the web for info on which states have laws requiring
some kind of breach notification and encountered this document from
the law firm Crowell & Moring LLP:

http://www.crowell.com/pdf/securitybreachtable.pdf

In the right-hand column is a yes/no section on required "pre-breach
measures." There are 18 states listed as having them. Anybody aware of
these requirements? Have you done something about it? If so, what have
you done? It would be great to have a "template" to work from!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"


--
Janet Price, CIPP, CIPP/IT
Information Security Analyst
Information Technology Services
Maricopa Community Colleges
2419 W 14th St
Tempe Arizona, 85281
(480)731-8730