<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=Arial size=2>Hi Rob,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>True, privacy breach notification is basically a
necessity that all organizations must now be prepared for since the majority of
states already have breach notice laws in place, and more are coming along all
the time. In fact, all organizations handling personally identifiable
information (PII) should create a privacy breach response plan, that is
tied in with the information security response plan, and not wait to try and
handle a privacy breach ad hoc.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>However, choosing just one state privacy breach
notice law, such as California, to follow would be a risky proposition; there
are some very subtle, but important differences within each of the separate
laws. For example, there are distinct differences in how the different
laws:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<UL>
<LI><FONT face=Arial size=2>Define encryption (some have technical
specifications, others have vague descriptions)</FONT></LI>
<LI><FONT face=Arial size=2>Define a breach (some name specific situations,
others give a vague description)</FONT></LI>
<LI><FONT face=Arial size=2>Define when notification is required (yes,
again some provide some details while others are vague)</FONT></LI>
<LI><FONT face=Arial size=2>Etc...several more...</FONT></LI></UL>
<DIV><FONT face=Arial size=2><STRONG><EM>In general</EM></STRONG>, I recommend
to the businesses I work with that they identify the most stringent
requirements across the board, and then build their privacy breach response
plans to meet compliance with those.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I just wrote a couple of papers; one about
making the "reasonable belief" decision for when a privacy breach has
occurred, and one about privacy breach notification decisions. (If
interested you can download them from <A
href="http://nexus.realtimepublishers.com/rtitc.htm">http://nexus.realtimepublishers.com/rtitc.htm</A>).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Regarding credit monitoring...</FONT></DIV>
<DIV><FONT face=Arial size=2>I have seen companies choosing to provide credit
monitoring for individuals impacted by breaches, even if not legally
required, largely because of precedents set by companies who experienced
breaches early on (e.g., Wells Fargo a few years ago) and chose to provide
credit monitoring to the impacted individuals to help mitigate customer loss
that could have resulted. When companies start providing such services,
and it is well publicized that they are doing so, it sets the bar high for
all other companies; it establishes a type of de facto expectation in the
public. </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Best regards,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Rebecca</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Rebecca Herold, CISSP, CIPP, CISM, CISA,
FLMI<BR>Rebecca Herold & Associates LLC<BR></FONT></DIV>
<DIV><FONT face=Arial size=2><A
href="mailto:rebeccaherold@rebeccaherold.com">rebeccaherold@rebeccaherold.com</A><BR><A
href="http://www.privacyguidance.com">http://www.privacyguidance.com</A><BR>Blog:
<A
href="http://www.realtime-itcompliance.com">http://www.realtime-itcompliance.com</A><BR>Professor
at: <A
href="http://www3.norwich.edu/msia">http://www3.norwich.edu/msia</A><BR><A
href="http://www.informationshield.com/protectinginformation.html">http://www.informationshield.com/protectinginformation.html</A><BR><A
href="http://www.informationshield.com/privacy_main.html">http://www.informationshield.com/privacy_main.html</A><BR> </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>----- Original Message ----- </FONT></DIV>
<DIV><FONT face=Arial size=2>From: "Rob Shavell" <</FONT><A
href="mailto:slvrspoon@gmail.com"><FONT face=Arial
size=2>slvrspoon@gmail.com</FONT></A><FONT face=Arial size=2>></FONT></DIV>
<DIV><FONT face=Arial size=2>To: <</FONT><A
href="mailto:dataloss@attrition.org"><FONT face=Arial
size=2>dataloss@attrition.org</FONT></A><FONT face=Arial
size=2>></FONT></DIV>
<DIV><FONT face=Arial size=2>Sent: Wednesday, March 12, 2008 7:30
AM</FONT></DIV>
<DIV><FONT face=Arial size=2>Subject: Re: [Dataloss] A data security breach
legislation question</FONT></DIV>
<DIV><FONT face=Arial><BR><FONT size=2></FONT></FONT></DIV><FONT face=Arial
size=2>> hi all,<BR>> the question i have around US data breach
notification legislation is this:<BR>> <BR>> "why are we counting
states?"<BR>> <BR>> if most legislation applies to affected record-holders
if they are<BR>> residents and 95% of breaches already either happen in a
state with a<BR>> law or include records of persons residing in such states,
then...<BR>> hasn't this basically become a necessity?<BR>> <BR>> in
other words, organizations had better just notify to be in compliance.<BR>>
<BR>> following from this: what is the importance to an organization
of<BR>> reading through particulars of state by state legislation when
they<BR>> can just follow California, notify everyone, and be in
compliance?<BR>> <BR>> bonus question: in your opinion, why are so many
companies choosing to<BR>> include credit monitoring services for those
affected? a) altruism b)<BR>> just not that costly c) concern about
downstream law-suits d) ?<BR>> <BR>> rgds,<BR>> rob<BR>> <BR>>
<BR>> <BR>> <BR>> On 10/03/2008, Susan Orr <</FONT><A
href="mailto:susan@susanorrconsulting.com"><FONT face=Arial
size=2>susan@susanorrconsulting.com</FONT></A><FONT face=Arial size=2>>
wrote:<BR>>> I was just looking at the various states the other day, and
there are<BR>>> some differences - some exempt encrypted
information, some exclude<BR>>> financial institutions and others
that are covered under other existing<BR>>> federal and state laws
like GLBA. One state I believe exempts "state<BR>>> agencies"
Oklahoma I think.<BR>>><BR>>> Didn't know it was up to 40,
last I saw was 38. I'll have to check it<BR>>> out,
thanks.<BR>>><BR>>><BR>>> Rebecca Herold
wrote:<BR>>> > Counting the District of Columbia, as of the end
of October it was 40; see<BR>>> > </FONT><A
href="http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07.pdf"><FONT
face=Arial
size=2>http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07.pdf</FONT></A><BR><FONT
face=Arial size=2>>> ><BR>>> > Best
regards,<BR>>> ><BR>>> > Rebecca
Herold<BR>>> > ----- Original Message -----<BR>>>
> From: "Kalter, Sarah " <</FONT><A
href="mailto:skalter@affiniongroup.com"><FONT face=Arial
size=2>skalter@affiniongroup.com</FONT></A><FONT face=Arial
size=2>><BR>>> > To: "lyger" <</FONT><A
href="mailto:lyger@attrition.org"><FONT face=Arial
size=2>lyger@attrition.org</FONT></A><FONT face=Arial size=2>>; <</FONT><A
href="mailto:dataloss@attrition.org"><FONT face=Arial
size=2>dataloss@attrition.org</FONT></A><FONT face=Arial
size=2>><BR>>> > Sent: Monday, March 10, 2008 10:07
AM<BR>>> > Subject: [Dataloss] A data security breach legislation
question<BR>>> ><BR>>> ><BR>>>
><BR>>> >> Hi All,<BR>>>
>><BR>>> >> Does anyone happen to know how many states
have enacted data security<BR>>> >> breach laws/legislation?
And if so, which states?<BR>>> >><BR>>> >>
Thank you so much!<BR>>> >><BR>>> >>
Best,<BR>>> >> Sarah<BR>>> >>
_______________________________________________<BR>>> >>
Dataloss Mailing List (</FONT><A href="mailto:dataloss@attrition.org"><FONT
face=Arial size=2>dataloss@attrition.org</FONT></A><FONT face=Arial
size=2>)<BR>>> >> </FONT><A
href="http://attrition.org/dataloss"><FONT face=Arial
size=2>http://attrition.org/dataloss</FONT></A><BR><FONT face=Arial
size=2>>> >><BR>>> >> Tenable Network
Security offers data leakage and compliance monitoring<BR>>>
>> solutions for large and small networks. Scan your network and monitor
your<BR>>> >> traffic to find the data needing protection
before it leaks out!<BR>>> >> </FONT><A
href="http://www.tenablesecurity.com/products/compliance.shtml"><FONT face=Arial
size=2>http://www.tenablesecurity.com/products/compliance.shtml</FONT></A><BR><FONT
face=Arial size=2>>> >><BR>>>
><BR>>> ><BR>>><BR>><BR></FONT></BODY></HTML>