Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Fri, 8 Jul 2011 08:49:05 -0400

Based on some of their other published documentation, "pre-breach measures" is referring primarily to safeguard and
disposal requirements that many states have.

http://www.crowell.com/documents/DOCASSOCFKTYPE_PRESENTATIONS_862.pdf

Kind of a strange way to refer to these requirements if you ask me. In any case, many states passed such requirements 
in conjunction with or shortly following their breach notification laws. Just as a random example, Arkansas included 
provisions for safeguarding data, data disposal and breach notification in their Personal Information Protection Act. 
See Title 4 Subtitle 7 Chapter 110 of the Arkansas Code.

http://www.lexisnexis.com/hottopics/arcode/

We don't have any such provisions in PA that I'm aware of, but we still try to keep an eye on things. Most are vague 
enough that our existing security program addresses any concerns. We keep a closer eye on California and Massachusetts 
since they seem to be paving the way and, to my knowledge, have the most stringent requirements.

The National Conference of State Legislatures has a list of states that have data disposal laws. According to them,
there are currently 29.

http://www.ncsl.org/default.aspx?tabid=21075

Unfortunately I've not seen any NCSL publications that list all states with data safeguard requirements. 

Hope that helps.

Cheers,
Doug


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On
Behalf Of Clifford Collins
Sent: Wednesday, July 06, 2011 11:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre-Breach Requirements - 18 States

Hello Security Compatriots,
I was searching the web for info on which states have laws requiring some kind of breach notification
and encountered this document from the law firm Crowell & Moring LLP:

    http://www.crowell.com/pdf/securitybreachtable.pdf

In the right-hand column is a yes/no section on required "pre-breach measures."  There are 18 states
listed as having them. Anybody aware of these requirements? Have you done something about it?  If so,
what have you done? It would be great to have a "template" to work from!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"


