[Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?

Donald Aplin DAplin at bna.com
Wed Jan 10 10:44:49 EST 2007


The vast majority of the 34 state-enacted data breach
consumer notification laws only require notice if there is
a breach of unencrypted data. A few of the newer ones added
that it's still a covered breach if the encryption key goes
missing at the same time encrypted data is lost.  Perhaps
more important are the risk of harm threshold provisions in
many of the laws which do not require notification if after
a "reasonable" investigation by the covered entity there is
a determination that there was no actual damage or any
reasonable risk of future harm done by the breach (this is
consistent with the court examinations of breaches in which
they pretty much uniformly do not consider the threat of
potential ID theft to be actual damages). In short, the fox
gets to guard the henhouse.

Donald G. Aplin
Legal Editor
BNA's Privacy & Security Law Report
(202) 452-4688


