Re: Details of New York Data Breach Bill?

[Jimmy Kuo <cjkuo () VERIZON NET>]

The problem that you've discovered and what an earlier post alluded to is
the notion that you must understand ALL the individual state laws that
govern residents of their state.

So, you have to notify the residents of those states that have such laws.

But the reality is, it's simpler and easier (and safer, legally) to notify
all affected parties than determining the specific person's current
residency.

Also, some side-effects,

Because SSN has been used as an identifier for so long, they may exist in
records that you may not suspect!  One example, *old* sociology/psychology
theses that are being put online that document interviewees!  Specifically,
interviews of prison inmates.

Basically, it's not just about your own charges.  There are lots of studies
and research conducted by university personnel.  They document who they
talked to.  What did the researchers use to identify them?  And how easy is
it to get at that information?

Jimmy

----- Original Message -----
From: "Keith Schoenefeld" <schoenk () UTULSA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, November 15, 2005 10:08 AM
Subject: Re: [SECURITY] Details of New York Data Breach Bill?


> Am I reading this completely wrong, or does it not require notification
> of affected people that are not New York residents?
>
> -- KS
>
> Karl D. Hassler wrote:
>
> > Link to the New York State Technology Law:
> >
> > http://public.leginfo.state.ny.us/menugetf.cgi?COMMONQUERY=LAWS
> > Go to the link - you may have to try twice - its slow.
> >
> > Click on GBS for General Business Law
> > Click on Article 39-F;
> > Click on Section 899-aa. It says that "Any  person or business which
> > conducts business in New York state, and which owns or licenses
> > computerized  data  which  includes  private information shall  disclose
> >   any breach  of the security of the system following discovery or
> > notification of the breach in the security of the system to any resident
> > of New York state whose private information was, or is reasonably
> > believed to have been, acquired by a person without valid
authorization."
> > To me, you must be doing business in New York to fall under this section
> > of the law.
> >
> > To find section 208 of the State Technology Law (mentioned in both S3492
> > and A4254, from the above link:
> >
> > Click on STT for State Technology
> > Click on Article 2
> > Click on Section 208 - Notification
> >
> > Section 208 only references State entities.
>
>
> --
> Keith Schoenefeld
> Manager of College Computer Services
> ENS Computer Services (ECS)
> College of Engineering and Natural Sciences
> The University of Tulsa
> Phone: 918-631-2548
> Fax: 918-631-5089