Educause Security Discussion mailing list archives

Re: Details of New York Data Breach Bill?


From: Walter Matystik <wmatysti () MANHATTAN EDU>
Date: Fri, 18 Nov 2005 15:00:08 -0500

Re: NY's Information Security Breach and Notification and prior comments:
"... does it not require notification of affected people that are not New
York residents?" - hopefully this will provide some helpful guidance (or
muddy the waters!)

The new law that becomes effective this Dec. 7th applies, among other NY
State public entities, to "any person that conducts business in New York
State". So, the legal question becomes: are you a covered entity?

According to a 10/25/05 article in the NY Law Journal by Mark Milone, senior
associate general counsel at the NY Mercantile Exchange and author of a
forthcoming book on Information Security Law: "...although the act's general
business amendments do not specify what constitutes 'conduct[ing] business
in New York State", any client that does business in cyberspace is well
advised to take proactive measures, regardless of whether the client
maintains a physical presence in New York..."

He goes on to say that information security policies and procedures should
be reviewed and provisions that address the protection of private
information should be revised and include language that addresses
notification in the event of a security breach.

While this is not the appropriate forum to discuss all of the intricacies of
the legal issues involved with this, such as: what minimal contacts with
another state would subject one to that state's jurisdiction, due process,
doing business via cyberspace, isolated recruiting of students at NY state
based forums, allowing NY residents to apply online, etc., suffice it to
say that it's always better to alert the appropriate offices on your campus
and/or seek an opinion from college/university counsel.


Duck, here comes the disclaimer: While I am an attorney, I do not play one
on TV and this should not be construed as the providing of legal advice.
Happy Thanksgiving to all.

Walt



Walter F. Matystik, M.Eng.,J.D.
Asst. Provost
Faculty Research and
Computing, Policy & Planning
Adjunct Professor
Manhattan College
Riverdale, N.Y. 10471




-----Original Message-----
From: Jimmy Kuo [mailto:cjkuo () VERIZON NET]
Sent: Friday, November 18, 2005 2:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Details of New York Data Breach Bill?

The problem that you've discovered and what an earlier post alluded to is
the notion that you must understand ALL the individual state laws that
govern residents of their state.

So, you have to notify the residents of those states that have such laws.

But the reality is, it's simpler and easier (and safer, legally) to notify
all affected parties than determining the specific person's current
residency.

Also, some side-effects,

Because SSN has been used as an identifier for so long, they may exist in
records that you may not suspect!  One example, *old* sociology/psychology
theses that are being put online that document interviewees!  Specifically,
interviews of prison inmates.

Basically, it's not just about your own charges.  There are lots of studies
and research conducted by university personnel.  They document who they
talked to.  What did the researchers use to identify them?  And how easy is
it to get at that information?

Jimmy

----- Original Message -----
From: "Keith Schoenefeld" <schoenk () UTULSA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, November 15, 2005 10:08 AM
Subject: Re: [SECURITY] Details of New York Data Breach Bill?


Am I reading this completely wrong, or does it not require notification
of affected people that are not New York residents?

-- KS

Karl D. Hassler wrote:


Link to the New York State Technology Law:

http://public.leginfo.state.ny.us/menugetf.cgi?COMMONQUERY=LAWS
Go to the link - you may have to try twice - its slow.

Click on GBS for General Business Law
Click on Article 39-F;
Click on Section 899-aa. It says that "Any person or business which
conducts business in New York state, and which owns or licenses
computerized data which includes private information shall disclose
any breach of the security of the system following discovery or
notification of the breach in the security of the system to any resident
of New York state whose private information was, or is reasonably
believed to have been, acquired by a person without valid
authorization."

To me, you must be doing business in New York to fall under this section
of the law.

To find section 208 of the State Technology Law (mentioned in both S3492
and A4254), from the above link:

Click on STT for State Technology
Click on Article 2
Click on Section 208 - Notification

Section 208 only references State entities.

--
Keith Schoenefeld
Manager of College Computer Services
ENS Computer Services (ECS)
College of Engineering and Natural Sciences
The University of Tulsa
Phone: 918-631-2548
Fax: 918-631-5089
