Re: Pre-Breach Requirements - 18 States

["Irish, Adrian L" <Adrian.Irish () MSO UMT EDU>]

Doesn't matter what "different sources" say, it only matters what MY legal counsel says; and my legal counsel says we 
follow Montana data breach law and no others (and yes, I have it in writing).

Adrian Irish
IT Security Officer
The University of Montana
SS 102
Missoula, MT 59812
(406) 243-6375
 
adrian.irish () umontana edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of j.price
Sent: Tuesday, August 02, 2011 1:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre-Breach Requirements - 18 States

Hi all,

 From what I have learned through different sources is that you must follow the breach notification rules for each 
state that you provide distance learning to one of their residents.

These laws apply whether you are an educational institution or a corporate entity. Each state's law can vary on who you 
have to report a breach to, time lines, how the notification letter is written and what details are provided.

If you have a large breach, you are better off to contract with a company that handles breaches on a regular basis and 
avoid all the hassles.

Regards,
Janet

*This is my opinion and might/might not agree with my institution.

On 7/9/2011 4:29 AM, Allison F Dolan wrote:
> My understanding is that compliance with the individual state 
> notification rules is generally expected - e.g. if you have a breach 
> involving residents of all states, you need to follow the different 
> state notification rules.
> Compliance with data protection rules (a la the MA requirement to have 
> a written info security program) is much less clear, and seems 
> unworkable, which is one of the drivers behind having a Federal law.
> Allison Dolan
> ----------------------------------------------------------------------
> --
> *From:* The EDUCAUSE Security Constituent Group Listserv 
> [SECURITY () listserv educause edu] On Behalf Of Rosenthal, Jane E.
> [jer () KU EDU]
> *Sent:* Friday, July 08, 2011 12:11 PM
> *To:* SECURITY () listserv educause edu
> *Subject:* Re: [SECURITY] Pre-Breach Requirements - 18 States
>
> Hi Cliff,
>
> Can you tell me if your attorneys have determined that you have to 
> comply with all 50 (or 46) state requirements rather than merely your 
> own state? This has been a discussion here and I'm interested in what 
> EDUs are thinking on this.
>
> Jane
>
> _____________________
>
> Jane E. Rosenthal
> Director | Privacy Office
> The University of Kansas
>
> Voice +1.785.864.9528 | Fax +1.785.864.4463 Email jer () ku edu 
> <mailto:jer () ku edu> | Web http://www.privacy.ku.edu 
> <http://www.privacy.ku.edu/>
>
> ----------------------------------------------------------------------
> --
>
> The information transmitted by this email communication, including any 
> additional pages or attachments, is only for the intended recipient 
> and may contain confidential and/or privileged material. Any 
> interception, review, retransmission, disclosure, dissemination, or 
> other use and/or taking of any action upon this information by persons 
> or entities other than the intended recipient is prohibited by law and 
> may subject them to criminal or civil liability. If you received this 
> communication in error, please contact us immediately at (785) 
> 864-4904, and delete the communication from any computer or network 
> system or dispose of the documents as directed. Thank you.
>
> ----------------------------------------------------------------------
> --
>
> *From:* Clifford Collins [mailto:collinsc () FRANKLIN EDU]
> *Sent:* Wednesday, July 06, 2011 10:39 AM
> *Subject:* Pre-Breach Requirements - 18 States
>
> Hello Security Compatriots,
> I was searching the web for info on which states have laws require 
> some kind of breach notification and encountered this document from 
> the law firm Crowell & Moring LLP:
>
> http://www.crowell.com/pdf/securitybreachtable.pdf
>
> In the right-hand column is a yes/no section on required "pre-breach 
> measures." There are 18 states listed as having them. Anybody aware of 
> these requirements? Have you done something about it? If so, what have 
> you done? It would be great to have a "template" to work from!
>
> Clifford A. Collins
> Information Security Officer
> Franklin University
> 201 South Grant Avenue
> Columbus, Ohio 43215
> "Security is a process, not a product"

--
Janet Price, CIPP, CIPP/IT
Information Security Analyst
Information Technology Services
Maricopa Community Colleges
2419 W 14th St
Tempe Arizona, 85281
(480)731-8730

CONFIDENTIAL: This electronic mail (including any attachments) may contain information that is privileged, 
confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any 
dissemination or use of this electronic email or its contents (including any attachments) by persons other than the 
intended
recipient(s) is strictly prohibited. If you have received this message in error, please notify me immediately by reply 
email so that I may correct my records. Please then delete the original message (including any attachments) in its 
entirety. Thank you.