Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States


From: Steve Bohrer <skbohrer () SIMONS-ROCK EDU>
Date: Sat, 9 Jul 2011 03:52:43 -0400

On 7/8/2011 12:11 PM, Rosenthal, Jane E. wrote:

Hi Cliff,

Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather than merely your own state? This has been a discussion here and I’m interested in what EDUs are thinking on this.

Jane


FWIW, the Mass data breach regulations claim to apply to anyone who has data about Mass residents: "The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth." (from http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf ) Thus, if you have any students from MA, our regs may apply. I'm not sure how much that idea has been tested (seems kinda unfair that Mass Legislature can set rules for "all persons" everywhere), but if it holds up and if other states follow suit, seems that most EDUs will need to be prepared to deal with many state laws.

(We definitely have to follow at least the MA regs, because it's our home turf, but I'm not sure how many additional states' regulations to watch out for.)

Steve Bohrer
Network Admin, Bard College at Simon's Rock
