Re: Reporting Dataloss

[Al Mac Wheel <macwheel99 () wowway com>]

For most of the laws, it matters not where the data was located (MD), it 
matters where the people located whose identities put at risk (KY), but as 
a practical matter, if the vendor was outside the USA, it would be more 
difficult to get legal action.

If it is a crime in one nation, but not a crime in another nation, then 
extradition, enforcement, etc, can be impractical.

It also matters what kind of entity was responsible for safeguarding the data.
Most of the laws are directed against private corporations, not against 
government agencies, non-profits, private persons.

According to this site http://www.pirg.org/consumer/credit/statelaws.htm
in Kentucky, you have to wait until you have been victimized by ID theft, 
then you get some help after the fact. 
http://www.lrc.ky.gov/record/06RS/HB54.htm but it only applies to certain 
kinds of ID theft, such as credit fraud.

Similarly, the people protected are customers, or credit consumers, not 
students.
Exempting financial institutions kind of defeats the purpose of the 
Kentucky law.

In fact, nationwiide, children in school are not considered to have the 
kinds of consitutional rights that adult citizens enjoy.

> The state is KY.
>
> I believe the vendor (and thus the location of the breach) was in MD, 
> which complicates things a little more.


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml