Educause Security Discussion mailing list archives
Re: Pre-Breach Requirements - 18 States
From: Clifford Collins <collinsc () FRANKLIN EDU>
Date: Thu, 15 Sep 2011 16:11:57 -0400
The notification component wasn't really what I was concerned about. As many have noted, it makes sense to notify all of the victims. My original posting was about the "pre-breach" requirements of several states. Franklin University is a private, non-profit university with students in all 50 states and in dozens of countries. We are not immune to the laws of other states the way public institutions are (or think they are).

What has reduced my angst as of late regarding the "pre-breach" requirements is that most of the states on the original document I cited mention exemptions for institutions that are GLB or HIPAA regulated. Still, if we have to write up a plan and jump through hoops to be compliant just because we have 10 students taking online classes from the state of Catatonia, then maybe we don't want to offer online classes in that state anymore. And, am I not off the hook because any existing records I have of students from the state of Catatonia make me subject to their requirement anyway?

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

----- Original Message -----
Sent: Monday, July 11, 2011 3:15:48 PM
Subject: RE: Pre-Breach Requirements - 18 States

Hi Cliff,

Well, our attorneys have always taken the position that we are only subject to Kansas laws—we're a public after all. I would suspect most other publics are the same in their position—subject to their own state laws. Sovereign immunity and all that. However, I've been wondering of late if that makes sense. HITECH is applicable federally and it seems to me to be leading us toward what is reasonable and appropriate in many ways, and perhaps a federal standard will result generally for notification. While identity theft is always an issue, healthcare information and identity theft and risk of loss is certainly an issue and is probably the most sensitive data-wise (regardless of identity theft issues).

I guess the discussion will continue. We have students from all 50 states, but only a presence in Kansas (unless you factor in Distance Ed or if you factor in overseas study). It will continue to be fun for all.

Take care,
Jane

_____________________
Jane E. Rosenthal
Director | Privacy Office
The University of Kansas
Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu | Web http://www.privacy.ku.edu

The information transmitted by this email communication, including any additional pages or attachments, is only for the intended recipient and may contain confidential and/or privileged material. Any interception, review, retransmission, disclosure, dissemination, or other use and/or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at (785) 864-4904, and delete the communication from any computer or network system or dispose of the documents as directed. Thank you.

From: Clifford Collins [mailto:collinsc () FRANKLIN EDU]
Sent: Friday, July 08, 2011 2:53 PM
Subject: Re: Pre-Breach Requirements - 18 States

Hello Jane,

Great question! We do not have in-house legal counsel. But senior leadership has access to a law firm that is on retainer for situations they feel justify it. My concern was raised because our online degree programs (which are larger than our face-to-face programs) deliver classes to thousands of students in nearly all 50 states and in several dozen countries. It was the overwhelming task of complying with the privacy laws of every state and my stumbling onto the Crowell & Moring document that caused me to ask the question of leadership: what should we do? The response I got was they agreed it was a concern and to go find out what everybody else is doing. So, here I am!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

----- Original Message -----
From: "Jane E. Rosenthal" <jer () ku edu>
To: "Clifford Collins" <collinsc () FRANKLIN EDU>
Cc: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, July 8, 2011 12:11:58 PM
Subject: RE: Pre-Breach Requirements - 18 States

Hi Cliff,

Can you tell me if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather than merely your own state? This has been a discussion here and I'm interested in what EDUs are thinking on this.

Jane

_____________________
Jane E. Rosenthal
Director | Privacy Office
The University of Kansas
Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu | Web http://www.privacy.ku.edu

From: Clifford Collins [mailto:collinsc () FRANKLIN EDU]
Sent: Wednesday, July 06, 2011 10:39 AM
Subject: Pre-Breach Requirements - 18 States

Hello Security Compatriots,

I was searching the web for info on which states have laws requiring some kind of breach notification and encountered this document from the law firm Crowell & Moring LLP: http://www.crowell.com/pdf/securitybreachtable.pdf

In the right-hand column is a yes/no section on required "pre-breach measures." There are 18 states listed as having them. Anybody aware of these requirements? Have you done something about it? If so, what have you done? It would be great to have a "template" to work from!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"
Current thread:
- Re: Pre-Breach Requirements - 18 States, (continued)
- Re: Pre-Breach Requirements - 18 States Steve Bohrer (Jul 09)
- Re: Pre-Breach Requirements - 18 States Dan Han/HSC/VCU (Jul 12)
- Re: Pre-Breach Requirements - 18 States Allison F Dolan (Jul 09)
- Re: Pre-Breach Requirements - 18 States Jack Suess (Jul 09)
- Re: Pre-Breach Requirements - 18 States j.price (Aug 09)
- Re: Pre-Breach Requirements - 18 States j.price (Aug 02)
- Re: Pre-Breach Requirements - 18 States Irish, Adrian L (Aug 02)
- Re: Pre-Breach Requirements - 18 States David C Kovarik (Aug 03)
- Re: Pre-Breach Requirements - 18 States Steve Bohrer (Jul 09)