Educause Security Discussion mailing list archives
Re: Pre-Breach Requirements - 18 States
From: David C Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Wed, 3 Aug 2011 13:43:26 +0000
GO, MONTANA!!! Dave Kovarik Northwestern University 847-467-5930 Beware of Phishing asking you for your PASSWORD On 8/2/11 2:39 PM, "Irish, Adrian L" <Adrian.Irish () MSO UMT EDU> wrote:
Doesn't matter what "different sources" say, it only matters what MY legal counsel says; and my legal counsel says we follow Montana data breach law and no others (and yes, I have it in writing). Adrian Irish IT Security Officer The University of Montana SS 102 Missoula, MT 59812 (406) 243-6375 adrian.irish () umontana edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of j.price Sent: Tuesday, August 02, 2011 1:17 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Pre-Breach Requirements - 18 States Hi all, From what I have learned through different sources is that you must follow the breach notification rules for each state that you provide distance learning to one of their residents. These laws apply whether you are an educational institution or a corporate entity. Each state's law can vary on who you have to report a breach to, time lines, how the notification letter is written and what details are provided. If you have a large breach, you are better off to contract with a company that handles breaches on a regular basis and avoid all the hassles. Regards, Janet *This is my opinion and might/might not agree with my institution. On 7/9/2011 4:29 AM, Allison F Dolan wrote:My understanding is that compliance with the individual state notification rules is generally expected - e.g. if you have a breach involving residents of all states, you need to follow the different state notification rules. Compliance with data protection rules (a la the MA requirement to have a written info security program) is much less clear, and seems unworkable, which is one of the drivers behind having a Federal law. Allison Dolan ---------------------------------------------------------------------- -- *From:* The EDUCAUSE Security Constituent Group Listserv [SECURITY () listserv educause edu] On Behalf Of Rosenthal, Jane E. [jer () KU EDU] *Sent:* Friday, July 08, 2011 12:11 PM *To:* SECURITY () listserv educause edu *Subject:* Re: [SECURITY] Pre-Breach Requirements - 18 States Hi Cliff, Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather than merely your own state? This has been a discussion here and I'm interested in what EDUs are thinking on this. Jane _____________________ Jane E. Rosenthal Director | Privacy Office The University of Kansas Voice +1.785.864.9528 | Fax +1.785.864.4463 Email jer () ku edu <mailto:jer () ku edu> | Web http://www.privacy.ku.edu <http://www.privacy.ku.edu/> ---------------------------------------------------------------------- -- The information transmitted by this email communication, including any additional pages or attachments, is only for the intended recipient and may contain confidential and/or privileged material. Any interception, review, retransmission, disclosure, dissemination, or other use and/or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at (785) 864-4904, and delete the communication from any computer or network system or dispose of the documents as directed. Thank you. ---------------------------------------------------------------------- -- *From:* Clifford Collins [mailto:collinsc () FRANKLIN EDU] *Sent:* Wednesday, July 06, 2011 10:39 AM *Subject:* Pre-Breach Requirements - 18 States Hello Security Compatriots, I was searching the web for info on which states have laws require some kind of breach notification and encountered this document from the law firm Crowell & Moring LLP: http://www.crowell.com/pdf/securitybreachtable.pdf In the right-hand column is a yes/no section on required "pre-breach measures." There are 18 states listed as having them. Anybody aware of these requirements? Have you done something about it? If so, what have you done? It would be great to have a "template" to work from! Clifford A. Collins Information Security Officer Franklin University 201 South Grant Avenue Columbus, Ohio 43215 "Security is a process, not a product"-- Janet Price, CIPP, CIPP/IT Information Security Analyst Information Technology Services Maricopa Community Colleges 2419 W 14th St Tempe Arizona, 85281 (480)731-8730 CONFIDENTIAL: This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify me immediately by reply email so that I may correct my records. Please then delete the original message (including any attachments) in its entirety. Thank you.
Current thread:
- Re: Pre-Breach Requirements - 18 States, (continued)
- Re: Pre-Breach Requirements - 18 States Dexter Caldwell (Jul 06)
- Re: Pre-Breach Requirements - 18 States Rosenthal, Jane E. (Jul 08)
- Re: Pre-Breach Requirements - 18 States Clifford Collins (Jul 08)
- Re: Pre-Breach Requirements - 18 States Steve Bohrer (Jul 09)
- Re: Pre-Breach Requirements - 18 States Dan Han/HSC/VCU (Jul 12)
- Re: Pre-Breach Requirements - 18 States Allison F Dolan (Jul 09)
- Re: Pre-Breach Requirements - 18 States Jack Suess (Jul 09)
- Re: Pre-Breach Requirements - 18 States j.price (Aug 09)
- Re: Pre-Breach Requirements - 18 States j.price (Aug 02)
- Re: Pre-Breach Requirements - 18 States Irish, Adrian L (Aug 02)
- Re: Pre-Breach Requirements - 18 States David C Kovarik (Aug 03)