Re: Pre-Breach Requirements - 18 States

[David C Kovarik <david-kovarik () NORTHWESTERN EDU>]

GO, MONTANA!!!
Dave Kovarik
Northwestern University
847-467-5930

Beware of Phishing asking you for your PASSWORD






On 8/2/11 2:39 PM, "Irish, Adrian L" <Adrian.Irish () MSO UMT EDU> wrote:

> Doesn't matter what "different sources" say, it only matters what MY
> legal counsel says; and my legal counsel says we follow Montana data
> breach law and no others (and yes, I have it in writing).
>
> Adrian Irish
> IT Security Officer
> The University of Montana
> SS 102
> Missoula, MT 59812
> (406) 243-6375
>
> adrian.irish () umontana edu
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of j.price
> Sent: Tuesday, August 02, 2011 1:17 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Pre-Breach Requirements - 18 States
>
> Hi all,
>
> From what I have learned through different sources is that you must
> follow the breach notification rules for each state that you provide
> distance learning to one of their residents.
>
> These laws apply whether you are an educational institution or a
> corporate entity. Each state's law can vary on who you have to report a
> breach to, time lines, how the notification letter is written and what
> details are provided.
>
> If you have a large breach, you are better off to contract with a company
> that handles breaches on a regular basis and avoid all the hassles.
>
> Regards,
> Janet
>
> *This is my opinion and might/might not agree with my institution.
>
> On 7/9/2011 4:29 AM, Allison F Dolan wrote:
> > My understanding is that compliance with the individual state
> > notification rules is generally expected - e.g. if you have a breach
> > involving residents of all states, you need to follow the different
> > state notification rules.
> > Compliance with data protection rules (a la the MA requirement to have
> > a written info security program) is much less clear, and seems
> > unworkable, which is one of the drivers behind having a Federal law.
> > Allison Dolan
> > ----------------------------------------------------------------------
> > --
> > *From:* The EDUCAUSE Security Constituent Group Listserv
> > [SECURITY () listserv educause edu] On Behalf Of Rosenthal, Jane E.
> > [jer () KU EDU]
> > *Sent:* Friday, July 08, 2011 12:11 PM
> > *To:* SECURITY () listserv educause edu
> > *Subject:* Re: [SECURITY] Pre-Breach Requirements - 18 States
> >
> > Hi Cliff,
> >
> > Can you tell me if your attorneys have determined that you have to
> > comply with all 50 (or 46) state requirements rather than merely your
> > own state? This has been a discussion here and I'm interested in what
> > EDUs are thinking on this.
> >
> > Jane
> >
> > _____________________
> >
> > Jane E. Rosenthal
> > Director | Privacy Office
> > The University of Kansas
> >
> > Voice +1.785.864.9528 | Fax +1.785.864.4463 Email jer () ku edu
> > <mailto:jer () ku edu> | Web http://www.privacy.ku.edu
> > <http://www.privacy.ku.edu/>
> >
> > ----------------------------------------------------------------------
> > --
> >
> > The information transmitted by this email communication, including any
> > additional pages or attachments, is only for the intended recipient
> > and may contain confidential and/or privileged material. Any
> > interception, review, retransmission, disclosure, dissemination, or
> > other use and/or taking of any action upon this information by persons
> > or entities other than the intended recipient is prohibited by law and
> > may subject them to criminal or civil liability. If you received this
> > communication in error, please contact us immediately at (785)
> > 864-4904, and delete the communication from any computer or network
> > system or dispose of the documents as directed. Thank you.
> >
> > ----------------------------------------------------------------------
> > --
> >
> > *From:* Clifford Collins [mailto:collinsc () FRANKLIN EDU]
> > *Sent:* Wednesday, July 06, 2011 10:39 AM
> > *Subject:* Pre-Breach Requirements - 18 States
> >
> > Hello Security Compatriots,
> > I was searching the web for info on which states have laws require
> > some kind of breach notification and encountered this document from
> > the law firm Crowell & Moring LLP:
> >
> > http://www.crowell.com/pdf/securitybreachtable.pdf
> >
> > In the right-hand column is a yes/no section on required "pre-breach
> > measures." There are 18 states listed as having them. Anybody aware of
> > these requirements? Have you done something about it? If so, what have
> > you done? It would be great to have a "template" to work from!
> >
> > Clifford A. Collins
> > Information Security Officer
> > Franklin University
> > 201 South Grant Avenue
> > Columbus, Ohio 43215
> > "Security is a process, not a product"
>
> --
> Janet Price, CIPP, CIPP/IT
> Information Security Analyst
> Information Technology Services
> Maricopa Community Colleges
> 2419 W 14th St
> Tempe Arizona, 85281
> (480)731-8730
>
> CONFIDENTIAL: This electronic mail (including any attachments) may
> contain information that is privileged, confidential, and/or otherwise
> protected from disclosure to anyone other than its intended recipient(s).
> Any dissemination or use of this electronic email or its contents
> (including any attachments) by persons other than the intended
> recipient(s) is strictly prohibited. If you have received this message in
> error, please notify me immediately by reply email so that I may correct
> my records. Please then delete the original message (including any
> attachments) in its entirety. Thank you.