Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States


From: "Solem, Vik P." <Vik.Solem () TUFTS EDU>
Date: Wed, 6 Jul 2011 16:01:33 +0000

Sounds like a question for Crowell & Moring, but for Massachusetts there are requirements that entities must meet 
before they take personal information.  (e.g. a Written Information Security Plan or WISP)

Mass does publish a checklist...  of course compliance != security, IANAL, and YMMV.

http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf

-Vik



On Jul 6, 2011, at 11:38 , Clifford Collins wrote:

Hello Security Compatriots,
I was searching the web for info on which states have laws that require some kind of breach notification and encountered 
this document from the law firm Crowell & Moring LLP:

    http://www.crowell.com/pdf/securitybreachtable.pdf

In the right-hand column is a yes/no section on required "pre-breach measures."  There are 18 states listed as having 
them. Anybody aware of these requirements? Have you done something about it?  If so, what have you done? It would be 
great to have a "template" to work from!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"


Vik Solem, CISSP, Sr. Applications Risk Consultant
Tufts University, Information Security, vik.solem () tufts edu / 617-627-4326
InfoSec Team: information_security () tufts edu / 617-627-6070

Check Out the UIT Information Security Team blog
https://wikis.uit.tufts.edu/confluence/display/infosecteamblog

