Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States

From: Clifford Collins <collinsc () FRANKLIN EDU>
Date: Thu, 15 Sep 2011 16:11:57 -0400

The notification component wasn't really what I was concerned about. As many have noted, it makes sense to notify all 
of the victims. My original posting was about the "pre-breach" requirements of several states. Franklin University is a 
private, non-profit university with students in all 50 states and in dozens of countries. We are not immune to the laws 
of other states the way public institutions are (or think they are). 

What has reduced my angst as of late regarding the "pre-breach" requirements is that most of the states on the original
document I cited mention exemptions for institutions that are GLB or HIPAA regulated. Still, if we have to write up a
plan and jump through hoops to be compliant just because we have 10 students taking online classes from the state of
Catatonia, then maybe we don't want to offer online classes in that state anymore. And am I not off the hook anyway, because
any existing records I have of students from the state of Catatonia make me subject to their requirements?

Clifford A. Collins 
Information Security Officer 
Franklin University 
201 South Grant Avenue 
Columbus, Ohio 43215 
"Security is a process, not a product" 

----- Original Message -----
Sent: Monday, July 11, 2011 3:15:48 PM
Subject: RE: Pre-Breach Requirements - 18 States

Hi Cliff,

Well, our attorneys have always taken the position that we are only subject to Kansas laws—we’re a public after all. I
would suspect most other publics are the same in their position—subject to their own state laws. Sovereign immunity and
all that.

However, I’ve been wondering of late if that makes sense. HITECH is applicable federally and it seems to me to be
leading us toward what is reasonable and appropriate in many ways, and perhaps a federal standard will result generally
for notification. While identity theft is always an issue, healthcare information and identity theft and risk of loss
is certainly an issue and is probably the most sensitive data-wise (regardless of identity theft issues).

I guess the discussion will continue. We have students from all 50 states, but only a presence in Kansas (unless you 
factor in Distance Ed or if you factor in overseas study). It will continue to be fun for all.

Take care,

Jane

_____________________

Jane E. Rosenthal
Director | Privacy Office
The University of Kansas

Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu | Web http://www.privacy.ku.edu

The information transmitted by this email communication, including any additional pages or attachments, is only for the
intended recipient and may contain confidential and/or privileged material. Any interception, review, retransmission,
disclosure, dissemination, or other use and/or taking of any action upon this information by persons or entities other
than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received
this communication in error, please contact us immediately at (785) 864-4904, and delete the communication from any
computer or network system or dispose of the documents as directed. Thank you.

From: Clifford Collins [mailto:collinsc () FRANKLIN EDU] 
Sent: Friday, July 08, 2011 2:53 PM 
Subject: Re: Pre-Breach Requirements - 18 States

Hello Jane,

Great question! We do not have in-house legal counsel. But senior leadership has access to a law firm that is on
retainer for situations they feel justify it. My concern was raised because our online degree programs (which are larger
than our face-to-face programs) deliver classes to thousands of students in nearly all 50 states and in several dozen
countries. It was the overwhelming task of complying with the privacy laws of every state and my stumbling onto the
Crowell & Moring document that caused me to ask the question of leadership: what should we do? The response I got was
that they agreed it was a concern and to go find out what everybody else is doing. So, here I am!

Clifford A. Collins 
Information Security Officer 
Franklin University 
201 South Grant Avenue 
Columbus, Ohio 43215 
"Security is a process, not a product" 
----- Original Message -----
From: "Jane E. Rosenthal" <jer () ku edu>
To: "Clifford Collins" <collinsc () FRANKLIN EDU>
Cc: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, July 8, 2011 12:11:58 PM
Subject: RE: Pre-Breach Requirements - 18 States

Hi Cliff,

Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather
than merely your own state? This has been a discussion here and I’m interested in what EDUs are thinking on this.

Jane

From: Clifford Collins [mailto:collinsc () FRANKLIN EDU] 
Sent: Wednesday, July 06, 2011 10:39 AM 
Subject: Pre-Breach Requirements - 18 States

Hello Security Compatriots,
I was searching the web for info on which states have laws that require some kind of breach notification and encountered
this document from the law firm Crowell & Moring LLP:

http://www.crowell.com/pdf/securitybreachtable.pdf 

In the right-hand column is a yes/no section on required "pre-breach measures." There are 18 states listed as having 
them. Anybody aware of these requirements? Have you done something about it? If so, what have you done? It would be 
great to have a "template" to work from! 

Clifford A. Collins 
Information Security Officer 
Franklin University 
201 South Grant Avenue 
Columbus, Ohio 43215 
"Security is a process, not a product"