Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States


From: Jack Suess <jack () UMBC EDU>
Date: Sat, 9 Jul 2011 14:52:50 -0400

My understanding is that if you are a public institution it really doesn't matter what another state does, you should 
be covered by your local state's laws. States generally don't have the power to enforce local laws in another state. In 
a situation where Mass. is trying to enforce its laws on a Maryland agency, this becomes a federal case and I just 
don't see that happening where a judge would rule that Maryland government agencies must observe Mass laws. That is the 
whole point of sovereign rights bestowed to states.

A private institution may be in a different situation as would a public that sets up remote facilities in another state.

I do agree we have a mess with the hodgepodge of state laws.



Jack Suess
UMBC Division of Information Technology (DoIT)

On Jul 9, 2011, at 7:29 AM, Allison F Dolan <adolan () MIT EDU> wrote:

My understanding is that compliance with the individual state notification rules is generally expected - e.g. if you 
have a breach involving residents of all states, you need to follow the different state notification rules.
 
Compliance with data protection rules (a la the MA requirement to have a written info security program) is much less 
clear, and seems unworkable, which is one of the drivers behind having a Federal law.
 
Allison Dolan
 
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () listserv educause edu] On Behalf Of Rosenthal, 
Jane E. [jer () KU EDU]
Sent: Friday, July 08, 2011 12:11 PM
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Pre-Breach Requirements - 18 States

Hi Cliff,

 

Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements 
rather than merely your own state?  This has been a discussion here and I’m interested in what EDUs are thinking on 
this.

Jane

 

_____________________ 

Jane E. Rosenthal
Director | Privacy Office
The University of Kansas

Voice +1.785.864.9528 | Fax +1.785.864.4463 
Email jer () ku edu | Web http://www.privacy.ku.edu


 

From: Clifford Collins [mailto:collinsc () FRANKLIN EDU] 
Sent: Wednesday, July 06, 2011 10:39 AM
Subject: Pre-Breach Requirements - 18 States

 

Hello Security Compatriots,
I was searching the web for info on which states have laws requiring some kind of breach notification and encountered 
this document from the law firm Crowell & Moring LLP:

    http://www.crowell.com/pdf/securitybreachtable.pdf

In the right-hand column is a yes/no section on required "pre-breach measures."  There are 18 states listed as having 
them. Anybody aware of these requirements? Have you done something about it?  If so, what have you done? It would be 
great to have a "template" to work from!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"
