Re: Pre-Breach Requirements - 18 States

[Clifford Collins <collinsc () FRANKLIN EDU>]

Hello Jane, 

Great question! We do not have in-house legal counsel. But senior leadership has access to a law firm that is on 
retainer for situations they feel justify it. My concern was raised because our online degree programs (which is larger 
than our face-to-face programs) deliver classes to thousands of students in nearly all 50 states and in several dozen 
countries. It was the overwhelming task of complying with the privacy laws of every state and my stumbling onto the 
Crowell & Moring document that caused me to ask the question of leadership: what should we do? The response I got was 
they agreed it was a concern and to go find out what everybody else is doing. So, here I am! 

Clifford A. Collins 
Information Security Officer 
Franklin University 
201 South Grant Avenue 
Columbus, Ohio 43215 
"Security is a process, not a product" 

----- Original Message -----
From: "Jane E. Rosenthal" <jer () ku edu> 
To: "Clifford Collins" <collinsc () FRANKLIN EDU> 
Cc: SECURITY () LISTSERV EDUCAUSE EDU 
Sent: Friday, July 8, 2011 12:11:58 PM 
Subject: RE: Pre-Breach Requirements - 18 States 




Hi Cliff, 



Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather 
than merely your own state? This has been a discussion here and I’m interested in what EDUs are thinking on this. 

Jane 




_____________________ 








Jane E. Rosenthal 
Director | Privacy Office 
The University of Kansas 

Voice +1.785.864.9528 | Fax +1.785.864.4463 
Email jer () ku edu | Web http://www.privacy.ku.edu 





The information transmitted by this email communication, including any additional pages or attachments, is only for the 
intended recipient and may contain confidential and/or privileged material. Any interception, review, retransmission, 
disclosure, dissemination, or other use and/or taking of any action upon this information by persons or entities other 
than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received 
this communication in error, please contact us immediately at (785) 864-4904, and delete the communication from any 
computer or network system or dispose of the documents as directed. Thank you. 
















From: Clifford Collins [mailto:collinsc () FRANKLIN EDU] 
Sent: Wednesday, July 06, 2011 10:39 AM 
Subject: Pre-Breach Requirements - 18 States 




Hello Security Compatriots, 
I was searching the web for info on which states have laws require some kind of breach notification and encountered 
this document from the law firm Crowell & Moring LLP: 

http://www.crowell.com/pdf/securitybreachtable.pdf 

In the right-hand column is a yes/no section on required "pre-breach measures." There are 18 states listed as having 
them. Anybody aware of these requirements? Have you done something about it? If so, what have you done? It would be 
great to have a "template" to work from! 

Clifford A. Collins 
Information Security Officer 
Franklin University 
201 South Grant Avenue 
Columbus, Ohio 43215 
"Security is a process, not a product"