Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States

From: "j.price" <j.price () DOMAIL MARICOPA EDU>
Date: Tue, 2 Aug 2011 12:16:48 -0700

Hi all,

From what I have learned through different sources is that you mustfollow the breach notification rules for each state that you providedistance learning to one of their residents.

These laws apply whether you are an educational institution or acorporate entity. Each state's law can vary on who you have to report abreach to, time lines, how the notification letter is written and whatdetails are provided.

If you have a large breach, you are better off to contract with acompany that handles breaches on a regular basis and avoid all the hassles.


Regards,
Janet

*This is my opinion and might/might not agree with my institution.

On 7/9/2011 4:29 AM, Allison F Dolan wrote:

My understanding is that compliance with the individual state
notification rules is generally expected - e.g. if you have a breach
involving residents of all states, you need to follow the different
state notification rules.
Compliance with data protection rules (a la the MA requirement to have a
written info security program) is much less clear, and seems unworkable,
which is one of the drivers behind having a Federal law.
Allison Dolan
------------------------------------------------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv
[SECURITY () listserv educause edu] On Behalf Of Rosenthal, Jane E.
[jer () KU EDU]
*Sent:* Friday, July 08, 2011 12:11 PM
*To:* SECURITY () listserv educause edu
*Subject:* Re: [SECURITY] Pre-Breach Requirements - 18 States

Hi Cliff,

Can you tell me if your attorneys have determined that you have to
comply with all 50 (or 46) state requirements rather than merely your
own state? This has been a discussion here and I’m interested in what
EDUs are thinking on this.

Jane

_____________________

Jane E. Rosenthal
Director | Privacy Office
The University of Kansas

Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu <mailto:jer () ku edu> | Web http://www.privacy.ku.edu
<http://www.privacy.ku.edu/>

------------------------------------------------------------------------

The information transmitted by this email communication, including any
additional pages or attachments, is only for the intended recipient and
may contain confidential and/or privileged material. Any interception,
review, retransmission, disclosure, dissemination, or other use and/or
taking of any action upon this information by persons or entities other
than the intended recipient is prohibited by law and may subject them to
criminal or civil liability. If you received this communication in
error, please contact us immediately at (785) 864-4904, and delete the
communication from any computer or network system or dispose of the
documents as directed. Thank you.

------------------------------------------------------------------------

*From:* Clifford Collins [mailto:collinsc () FRANKLIN EDU]
*Sent:* Wednesday, July 06, 2011 10:39 AM
*Subject:* Pre-Breach Requirements - 18 States

Hello Security Compatriots,
I was searching the web for info on which states have laws require some
kind of breach notification and encountered this document from the law
firm Crowell & Moring LLP:

http://www.crowell.com/pdf/securitybreachtable.pdf

In the right-hand column is a yes/no section on required "pre-breach
measures." There are 18 states listed as having them. Anybody aware of
these requirements? Have you done something about it? If so, what have
you done? It would be great to have a "template" to work from!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"


--
Janet Price, CIPP, CIPP/IT
Information Security Analyst
Information Technology Services
Maricopa Community Colleges
2419 W 14th St
Tempe Arizona, 85281
(480)731-8730

CONFIDENTIAL: This electronic mail (including any attachments) maycontain information that is privileged, confidential, and/or otherwiseprotected from disclosure to anyone other than its intendedrecipient(s). Any dissemination or use of this electronic email or itscontents (including any attachments) by persons other than the intendedrecipient(s) is strictly prohibited. If you have received this messagein error, please notify me immediately by reply email so that I maycorrect my records. Please then delete the original message (includingany attachments) in its entirety. Thank you.

Current thread:

Re: Pre-Breach Requirements - 18 States, (continued)
- - Re: Pre-Breach Requirements - 18 States SCHALIP, MICHAEL (Jul 06)
- Re: Pre-Breach Requirements - 18 States Doug Markiewicz (Jul 08)
- Re: Pre-Breach Requirements - 18 States Dexter Caldwell (Jul 06)
- Re: Pre-Breach Requirements - 18 States Rosenthal, Jane E. (Jul 08)
  - Re: Pre-Breach Requirements - 18 States Clifford Collins (Jul 08)
  - Re: Pre-Breach Requirements - 18 States Steve Bohrer (Jul 09)
    - Re: Pre-Breach Requirements - 18 States Dan Han/HSC/VCU (Jul 12)
  - Re: Pre-Breach Requirements - 18 States Allison F Dolan (Jul 09)
    - Re: Pre-Breach Requirements - 18 States Jack Suess (Jul 09)
    - Re: Pre-Breach Requirements - 18 States j.price (Aug 09)
    - Re: Pre-Breach Requirements - 18 States j.price (Aug 02)
    - Re: Pre-Breach Requirements - 18 States Irish, Adrian L (Aug 02)
    - Re: Pre-Breach Requirements - 18 States David C Kovarik (Aug 03)
- Re: Pre-Breach Requirements - 18 States Dexter Caldwell (Jul 08)
- Re: Pre-Breach Requirements - 18 States Dexter Caldwell (Jul 09)
- Re: Pre-Breach Requirements - 18 States Clifford Collins (Sep 15)