Forward of moderated message

[dataloss-bounces () attrition org]

> --- Begin Message ---
>
>
> From: "Miller, Terry" <Terry.Miller () finra org>
>
> Date: Wed, 12 Mar 2008 13:24:03 -0400
>
> If you're really interested, here is a link to the webcast of the
> Chairman's comments.  Click on "Regulation S-P: Privacy of Consumer
> Financial Information" under March 4.
>
> http://www.sec.gov/news/openmeetings.shtml
>
> -----Original Message-----
> From: Mark Simon [mailto:msimon2 () eclipsecurityllc com] 
> Sent: Wednesday, March 12, 2008 12:31 PM
> To: Miller, Terry; Rob Shavell; dataloss () attrition org
> Subject: SEC Regulation S-P: Privacy of Consumer Financial Information
> and Safeguarding Personal Information
>
> Terry-
>
> Thanks for calling to our attention proposed amendments to SEC
> Regulation S-P: Privacy of Consumer Financial Information and
> Safeguarding Personal Information.  I have some additional information
> I'd like to add to your posting.
>
> The SEC is seeking comments on its proposed amendments at
> http://www.sec.gov/cgi-bin/ruling-comments?ruling=s70608&rule_path=/comm
> ents/s7-06-08&file_num=S7-06-08&action=Show_Form&title=Part%20248%20-%20
> Regulation%20S-P:%20Privacy%20of%20Consumer%20Financial%20Information%20
> and%20Safeguarding%20Personal%20Information
>
> The amendments are expected to affect more than 17,000 covered
> institutions.  The proposal is at
> http://www.sec.gov/rules/proposed/2008/34-57427.pdf  Prompting the
> proposal is the following finding by the SEC:
>
> "We have become concerned with the significant increase in the number of
> information security breaches that have come to light in recent years
> and the potential created by such breaches for misuse of personal
> financial information, including identity theft. We are concerned that
> some firms do not regularly reevaluate and update their safeguarding
> programs to deal with increasingly sophisticated methods of attack. To
> help prevent and address security breaches at covered institutions, we
> propose to require more specific standards for safeguarding personal
> information, including standards for responding to data security
> breaches." 
>
> The SEC has yet to publish its proposed regulatory amendments in the
> Federal Register.  Once publication occurs, there will be a 60-day
> comment period.  The regulation amendments could take effect shortly
> thereafter.
>
> --
> Mark S. Simon, Director of Regulatory Compliance Consulting 
> Eclipsecurity, LLC
> Mobile: (224) 612-3101
> Office: (847) 850-5088
> Toll Free: (877) 369-5331
>
> www.eclipsecurityLLC.com
>
>
> Lock-in success.  Because information travels...
>
>
> The information contained in this message may be CONFIDENTIAL and is for
> the intended addressee only. Any unauthorized use, dissemination of the
> information or copying of this message is prohibited. If you are not the
> intended addressee, please notify the sender immediately and delete this
> message. 
>
>  
>
>
> -----Original Message-----
> From: dataloss-bounces () attrition org
> [mailto:dataloss-bounces () attrition org] On Behalf Of Miller, Terry
> Sent: Wednesday, March 12, 2008 9:16 AM
> To: Rob Shavell; dataloss () attrition org
> Subject: Re: [Dataloss] A data security breach legislation question
>
> Note that on March 4 the SEC proposed expanding privacy Regulation S-P
> which is based on GLBA.  The proposed expansion, which is based in large
> part on existing banking and FTC regulations, would include a national
> notification requirement.  The requirement may preempt certain state
> laws which allow for such preemption.    
>
> Here is the proposal, which is now out for comment.
>
> http://www.sec.gov/rules/proposed/2008/34-57427.pdf
>
> Terry
>
> -----Original Message-----
> From: dataloss-bounces () attrition org
> [mailto:dataloss-bounces () attrition org] On Behalf Of Rob Shavell
> Sent: Wednesday, March 12, 2008 8:30 AM
> To: dataloss () attrition org
> Subject: Re: [Dataloss] A data security breach legislation question
>
> hi all,
> the question i have around US data breach notification legislation is
> this:
>
> "why are we counting states?"
>
> if most legislation applies to affected record-holders if they are
> residents and 95% of breaches already either happen in a state with a
> law or include records of persons residing in such states, then...
> hasn't this basically become a necessity?
>
> in other words, organizations had better just notify to be in
> compliance.
>
> following from this: what is the importance to an organization of
> reading through particulars of state by state legislation when they can
> just follow California, notify everyone, and be in compliance?
>
> bonus question: in your opinion, why are so many companies choosing to
> include credit monitoring services for those affected?  a) altruism b)
> just not that costly c) concern about downstream law-suits d) ?
>
> rgds,
> rob
>
>
>
>
> On 10/03/2008, Susan Orr <susan () susanorrconsulting com> wrote:
> > I was just looking at the various states the other day, and there are
>
> > some differences - some exempt encrypted information, some exclude  
> > financial institutions and others that are covered under other
> existing
> >  federal and state laws like GLBA.  One state I believe exempts "state
>
> > agencies" Oklahoma I think.
> >
> >  Didn't know it was up to 40, last I saw was 38.  I'll have to check
> it
> >  out, thanks.
> >
> >
> >  Rebecca Herold wrote:
> >  > Counting the District of Columbia, as of the end of October it was
> 40; see
> >  >
> http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07
> .pdf
> >  >
> >  > Best regards,
> >  >
> >  > Rebecca Herold
> >  > ----- Original Message -----
> >  > From: "Kalter, Sarah " <skalter () affiniongroup com>  > To: "lyger" 
> > <lyger () attrition org>; <dataloss () attrition org>  > Sent: Monday, March
>
> > 10, 2008 10:07 AM  > Subject: [Dataloss] A data security breach 
> > legislation question  >  >  >  >> Hi All,  >>  >> Does anyone happen 
> > to know how many states have enacted data
> security
> >  >> breach laws/legislation? And if so, which states?
> >  >>
> >  >> Thank you so much!
> >  >>
> >  >> Best,
> >  >> Sarah
> >  >> _______________________________________________
> >  >> Dataloss Mailing List (dataloss () attrition org)  >> 
> > http://attrition.org/dataloss  >>  >> Tenable Network Security offers 
> > data leakage and compliance
> monitoring
> >  >> solutions for large and small networks. Scan your network and
> monitor your
> >  >> traffic to find the data needing protection before it leaks out!
> >  >> http://www.tenablesecurity.com/products/compliance.shtml
> >  >>
> >  >
> >  > _______________________________________________
> >  > Dataloss Mailing List (dataloss () attrition org)  > 
> > http://attrition.org/dataloss  >  > Tenable Network Security offers 
> > data leakage and compliance
> monitoring
> >  > solutions for large and small networks. Scan your network and
> monitor your
> >  > traffic to find the data needing protection before it leaks out!
> >  > http://www.tenablesecurity.com/products/compliance.shtml
> >  >
> >
> > _______________________________________________
> >  Dataloss Mailing List (dataloss () attrition org)  
> > http://attrition.org/dataloss
> >
> >  Tenable Network Security offers data leakage and compliance
> monitoring
> >  solutions for large and small networks. Scan your network and monitor
> your
> >  traffic to find the data needing protection before it leaks out!
> >  http://www.tenablesecurity.com/products/compliance.shtml
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor
> your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>
> This email, including attachments, may include confidential and/or
> proprietary information, and may be used only by the person or entity to
> which it is addressed.  If the reader of this email is not the intended
> recipient or his or her authorized agent, the reader is hereby notified
> that any dissemination, distribution or copying of this email is
> prohibited. If you have received this email in error, please notify the
> sender by replying to this message and delete this email immediately.
>
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor
> your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>
> This email, including attachments, may include confidential and/or
> proprietary information, and may be used only by the person or entity
> to which it is addressed.  If the reader of this email is not the 
> intended recipient or his or her authorized agent, the reader is 
> hereby notified that any dissemination, distribution or copying of this 
> email is prohibited. If you have received this email in error, 
> please notify the sender by replying to this message and delete this 
> email immediately.
>
>
>
> --- End Message ---