[Dataloss] New mandatory reporting laws & FOIA requests?

Chris Walsh chris at cwalsh.org
Sat Jan 6 22:43:00 EST 2007


I have considered this.

The thing is, w/out some requirement that breaches be reported to the  
government, I don't see how the government would have breach
information except about the government itself. As we have seen in
the situation with the federal govt, there can be a great deal of
this. But I personally haven't seen the value in trying it,
especially since it would be necessary to send out umpteen requests  
to the various departments in each of the states.  You could easily  
have hundreds of requests in flight.  Way beyond my means, but as a  
project by, say, a journalism or law school, totally doable.  Hint,  
Hint :^)

You are correct that I asked NC for records.  They responded quickly  
and disappointingly.  However, after my request they published a  
breach reporting form which -- if it is actually used -- would  
contain great information.  NY responded to my most recent request,  
and I should be receiving 1289 pages (!) of breach-related records  
soon.  My plan is to scan them all in and make them available.  I'll  
fire off a FOIA request to North Carolina for any and all breach
reporting forms they have.  Hopefully, they won't put up a fight over
it.  I already FOIA'ed NJ.  Their law mandates central reporting, but
to the state police.  As a result, they are calling these  
investigatory records that are exempt from disclosure.  Maine also  
requires central reporting if the breached entity is regulated by  
Maine's dept of professional and financial regulation.  Other than  
for data brokers, the Maine law kicks in on 1/31/2007.  I'll probably
get around to asking them for their records after NY and NC.

Chris

On Jan 5, 2007, at 3:01 PM, B.K. DeLong wrote:
> I know you did some FOIAing of NC. I'd be
> curious what it would take to do all the other states and TRULY get a
> better insight into what's happening. Maybe we need to find a Privacy
> Rights Clearinghouse type org that can manage a FOIA project.


