Educause Security Discussion mailing list archives
Re: Pre-Breach Requirements - 18 States
From: "j.price" <j.price () DOMAIL MARICOPA EDU>
Date: Mon, 8 Aug 2011 12:11:10 -0700
This question was raised several weeks ago: Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather than merely your own state? This has been a discussion here and I'm interested in what EDUs are thinking on this. I surveyed the International Association of Privacy Professionals (IAPP), of which I am a member, and these were some of the answers I received:
Answering from a higher education institution, we never thought to NOT notify everyone affected. Our standard procedure, from even before we had a state law, has us notifying all affected persons and all the same way. And we also over-notify, that is, we (one might say excessively) err on the side of notifying, so it is unlikely that we would not notify when another state thought we should have. We do not have the resources to study each state or country and alter our notices or procedures to make subsets of our notifications fit various state or foreign country requirements. But, we believe that by following standard best practices for breach notification we are meeting nearly all state law provisions.
Merri Beth Lavagnino, CIPP, CIPP/IT, Chief Privacy Officer and Compliance Coordinator, Public Safety and Institutional Assurance, Indiana University

We have handled our situations in the same manner described by Merri Beth. The only caveat to this is that since the State Attorney General's Office is our legal counsel, that office has notified other entities as they believe appropriate (e.g., additional law enforcement, the Governor's Office, other Attorneys General, etc.). Since we are so close to Massachusetts and a large number of our constituents reside there, we have tried to take their state law's language into account in drafting our notices, for example. But we are short on resources as well, so we try to use one notice where we can. We have also tried to get ahead of the game where we can and notify the local/regional media where appropriate.
Rachel Krinsky Rudnick, JD, CIPP, Assistant Director of Compliance/Privacy, Office of Audit, Compliance & Ethics, University of Connecticut

The breach notification laws each specify that notice is to be given to "affected residents" of the particular state; therefore the state of residence of the student is determinative. There are no exceptions for educational or non-profit institutions.
Cynthia J. Larose, Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

The answer from a LEGAL perspective is "It depends." Some state data breach notification laws have extraterritorial reach and some do not. However, from a PRACTICAL perspective, if you determine that you have to send notice to some, you may want to consider sending notice to all - even if some of them live in the states that don't have data breach notification laws.
You don't really want to be in a position where you get a phone call from the Attorney General of a given state asking why you didn't notify the people from her state and your answer is, "Well, your state data breach notification law didn't require it, and [other state's] did."
John Nicholson | Counsel, Global Sourcing Practice, Pillsbury Winthrop Shaw Pittman LLP
As a practical matter, it is less expensive to comply with the requirements of all 46 states than to pick a fight with an Attorney General and litigate the issue.
Philip L. Gordon, Littler Mendelson

On 7/9/2011 11:52 AM, Jack Suess wrote:
My understanding is that if you are a public institution it really doesn't matter what another state does; you should be covered by your local state's laws. States generally don't have the power to enforce local laws in another state. In a situation where Mass. is trying to enforce its laws on a Maryland agency, this becomes a federal case and I just don't see that happening where a judge would rule that Maryland government agencies must observe Mass. laws. That is the whole point of sovereign rights bestowed to states. A private institution may be in a different situation, as would a public that sets up remote facilities in another state. I do agree we have a mess with the hodgepodge of state laws.

Jack Suess
UMBC Division of Information Technology (DoIT)

On Jul 9, 2011, at 7:29 AM, Allison F Dolan <adolan () MIT EDU> wrote:

My understanding is that compliance with the individual state notification rules is generally expected - e.g. if you have a breach involving residents of all states, you need to follow the different state notification rules. Compliance with data protection rules (a la the MA requirement to have a written info security program) is much less clear, and seems unworkable, which is one of the drivers behind having a Federal law.

Allison Dolan

------------------------------------------------------------------------
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () listserv educause edu] On Behalf Of Rosenthal, Jane E. [jer () KU EDU]
Sent: Friday, July 08, 2011 12:11 PM
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Pre-Breach Requirements - 18 States

Hi Cliff,

Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather than merely your own state? This has been a discussion here and I'm interested in what EDUs are thinking on this.

Jane

_____________________
Jane E. Rosenthal
Director | Privacy Office
The University of Kansas
Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu | Web http://www.privacy.ku.edu

The information transmitted by this email communication, including any additional pages or attachments, is only for the intended recipient and may contain confidential and/or privileged material. Any interception, review, retransmission, disclosure, dissemination, or other use and/or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at (785) 864-4904, and delete the communication from any computer or network system or dispose of the documents as directed. Thank you.

------------------------------------------------------------------------
From: Clifford Collins [mailto:collinsc () FRANKLIN EDU]
Sent: Wednesday, July 06, 2011 10:39 AM
Subject: Pre-Breach Requirements - 18 States

Hello Security Compatriots,

I was searching the web for info on which states have laws requiring some kind of breach notification and encountered this document from the law firm Crowell & Moring LLP: http://www.crowell.com/pdf/securitybreachtable.pdf

In the right-hand column is a yes/no section on required "pre-breach measures." There are 18 states listed as having them. Anybody aware of these requirements? Have you done something about it? If so, what have you done? It would be great to have a "template" to work from!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"
--
Janet Price, CIPP, CIPP/IT
Information Security Analyst
Information Technology Services
Maricopa Community Colleges
2419 W 14th St
Tempe, Arizona 85281
(480) 731-8730

CONFIDENTIAL: This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify me immediately by reply email so that I may correct my records. Please then delete the original message (including any attachments) in its entirety. Thank you.