[Dataloss] SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information

Mark Simon msimon2 at eclipsecurityllc.com
Wed Mar 12 16:30:50 UTC 2008 

Terry-

Thanks for calling to our attention proposed amendments to SEC
Regulation S-P: Privacy of Consumer Financial Information and
Safeguarding Personal Information.  I have some additional information
I'd like to add to your posting.

The SEC is seeking comments on its proposed amendments at
http://www.sec.gov/cgi-bin/ruling-comments?ruling=s70608&rule_path=/comm
ents/s7-06-08&file_num=S7-06-08&action=Show_Form&title=Part%20248%20-%20
Regulation%20S-P:%20Privacy%20of%20Consumer%20Financial%20Information%20
and%20Safeguarding%20Personal%20Information

The amendments are expected to affect more than 17,000 covered
institutions.  The proposal is at
http://www.sec.gov/rules/proposed/2008/34-57427.pdf  Prompting the
proposal is the following finding by the SEC:

"We have become concerned with the significant increase in the number of
information security breaches that have come to light in recent years
and the potential created by such breaches for misuse of personal
financial information, including identity theft. We are concerned that
some firms do not regularly reevaluate and update their safeguarding
programs to deal with increasingly sophisticated methods of attack. To
help prevent and address security breaches at covered institutions, we
propose to require more specific standards for safeguarding personal
information, including standards for responding to data security
breaches." 

The SEC has yet to publish its proposed regulatory amendments in the
Federal Register.  Once publication occurs, there will be a 60-day
comment period.  The regulation amendments could take effect shortly
thereafter.

--
Mark S. Simon, Director of Regulatory Compliance Consulting 
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331

www.eclipsecurityLLC.com


Lock-in success.  Because information travels...


The information contained in this message may be CONFIDENTIAL and is for
the intended addressee only. Any unauthorized use, dissemination of the
information or copying of this message is prohibited. If you are not the
intended addressee, please notify the sender immediately and delete this
message. 

 


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry
Sent: Wednesday, March 12, 2008 9:16 AM
To: Rob Shavell; dataloss at attrition.org
Subject: Re: [Dataloss] A data security breach legislation question

Note that on March 4 the SEC proposed expanding privacy Regulation S-P
which is based on GLBA.  The proposed expansion, which is based in large
part on existing banking and FTC regulations, would include a national
notification requirement.  The requirement may preempt certain state
laws which allow for such preemption.    

Here is the proposal, which is now out for comment.

http://www.sec.gov/rules/proposed/2008/34-57427.pdf

Terry

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Rob Shavell
Sent: Wednesday, March 12, 2008 8:30 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] A data security breach legislation question

hi all,
the question i have around US data breach notification legislation is
this:

"why are we counting states?"

if most legislation applies to affected record-holders if they are
residents and 95% of breaches already either happen in a state with a
law or include records of persons residing in such states, then...
hasn't this basically become a necessity?

in other words, organizations had better just notify to be in
compliance.

following from this: what is the importance to an organization of
reading through particulars of state by state legislation when they can
just follow California, notify everyone, and be in compliance?

bonus question: in your opinion, why are so many companies choosing to
include credit monitoring services for those affected?  a) altruism b)
just not that costly c) concern about downstream law-suits d) ?

rgds,
rob




On 10/03/2008, Susan Orr <susan at susanorrconsulting.com> wrote:
> I was just looking at the various states the other day, and there are

> some differences - some exempt encrypted information, some exclude  
> financial institutions and others that are covered under other
existing
>  federal and state laws like GLBA.  One state I believe exempts "state

> agencies" Oklahoma I think.
>
>  Didn't know it was up to 40, last I saw was 38.  I'll have to check
it
>  out, thanks.
>
>
>  Rebecca Herold wrote:
>  > Counting the District of Columbia, as of the end of October it was
40; see
>  >
http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07
.pdf
>  >
>  > Best regards,
>  >
>  > Rebecca Herold
>  > ----- Original Message -----
>  > From: "Kalter, Sarah " <skalter at affiniongroup.com>  > To: "lyger" 
> <lyger at attrition.org>; <dataloss at attrition.org>  > Sent: Monday, March

> 10, 2008 10:07 AM  > Subject: [Dataloss] A data security breach 
> legislation question  >  >  >  >> Hi All,  >>  >> Does anyone happen 
> to know how many states have enacted data
security
>  >> breach laws/legislation? And if so, which states?
>  >>
>  >> Thank you so much!
>  >>
>  >> Best,
>  >> Sarah
>  >> _______________________________________________
>  >> Dataloss Mailing List (dataloss at attrition.org)  >> 
> http://attrition.org/dataloss  >>  >> Tenable Network Security offers 
> data leakage and compliance
monitoring
>  >> solutions for large and small networks. Scan your network and
monitor your
>  >> traffic to find the data needing protection before it leaks out!
>  >> http://www.tenablesecurity.com/products/compliance.shtml
>  >>
>  >
>  > _______________________________________________
>  > Dataloss Mailing List (dataloss at attrition.org)  > 
> http://attrition.org/dataloss  >  > Tenable Network Security offers 
> data leakage and compliance
monitoring
>  > solutions for large and small networks. Scan your network and
monitor your
>  > traffic to find the data needing protection before it leaks out!
>  > http://www.tenablesecurity.com/products/compliance.shtml
>  >
>
> _______________________________________________
>  Dataloss Mailing List (dataloss at attrition.org)  
> http://attrition.org/dataloss
>
>  Tenable Network Security offers data leakage and compliance
monitoring
>  solutions for large and small networks. Scan your network and monitor
your
>  traffic to find the data needing protection before it leaks out!
>  http://www.tenablesecurity.com/products/compliance.shtml
>
>
>
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml


This email, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity to
which it is addressed.  If the reader of this email is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this email is
prohibited. If you have received this email in error, please notify the
sender by replying to this message and delete this email immediately.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

More information about the Dataloss mailing list