Educause Security Discussion mailing list archives
Re: Details of New York Data Breach Bill?
From: Jimmy Kuo <cjkuo () VERIZON NET>
Date: Fri, 18 Nov 2005 11:16:39 -0800
The problem that you've discovered and what an earlier post alluded to is the notion that you must understand ALL the individual state laws that govern residents of their state. So, you have to notify the residents of those states that have such laws. But the reality is, it's simpler and easier (and safer, legally) to notify all affected parties than to determine the specific person's current residency.

Also, some side-effects: because SSN has been used as an identifier for so long, they may exist in records that you may not suspect! One example: *old* sociology/psychology theses that are being put online that document interviewees! Specifically, interviews of prison inmates.

Basically, it's not just about your own charges. There are lots of studies and research conducted by university personnel. They document who they talked to. What did the researchers use to identify them? And how easy is it to get at that information?

Jimmy

----- Original Message -----
From: "Keith Schoenefeld" <schoenk () UTULSA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, November 15, 2005 10:08 AM
Subject: Re: [SECURITY] Details of New York Data Breach Bill?
Am I reading this completely wrong, or does it not require notification of affected people that are not New York residents?

-- KS

Karl D. Hassler wrote:

Link to the New York State Technology Law: http://public.leginfo.state.ny.us/menugetf.cgi?COMMONQUERY=LAWS

Go to the link - you may have to try twice - it's slow.
Click on GBS for General Business Law
Click on Article 39-F;
Click on Section 899-aa.

It says that "Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization."

To me, you must be doing business in New York to fall under this section of the law.

To find section 208 of the State Technology Law (mentioned in both S3492 and A4254), from the above link:
Click on STT for State Technology
Click on Article 2
Click on Section 208 - Notification

Section 208 only references State entities.

--
Keith Schoenefeld
Manager of College Computer Services
ENS Computer Services (ECS)
College of Engineering and Natural Sciences
The University of Tulsa
Phone: 918-631-2548
Fax: 918-631-5089