[Dataloss] A data security breach legislation question

Rebecca Herold rebeccaherold at rebeccaherold.com
Wed Mar 12 14:31:34 UTC 2008


Hi Rob,

True, privacy breach notification is basically a necessity that all organizations must now be prepared for since the majority of states already have breach notice laws in place, and more are coming along all the time.  In fact, all organizations handling personally identifiable information (PII) should create a privacy breach response plan, that is tied in with the information security response plan, and not wait to try and handle a privacy breach ad hoc.

However, choosing just one state privacy breach notice law, such as California, to follow would be a risky proposition; there are some very subtle, but important differences within each of the separate laws.  For example, there are distinct differences in how the different laws:

  a. Define encryption (some have technical specifications, others have vague descriptions)
  b. Define a breach (some name specific situations, others give a vague description)
  c. Define when notification is required (yes, again some provide some details while others are vague)
  d. Etc...several more...

In general, I recommend to the businesses I work with that they identify the most stringent requirements across the board, and then build their privacy breach response plans to meet compliance with those.

I just wrote a couple of papers; one about making the "reasonable belief" decision for when a privacy breach has occurred, and one about privacy breach notification decisions.  (If interested you can download them from http://nexus.realtimepublishers.com/rtitc.htm).

Regarding credit monitoring...
I have seen companies choosing to provide credit monitoring for individuals impacted by breaches, even if not legally required, largely because of precedents set by companies who experienced breaches early on (e.g., Wells Fargo a few years ago) and chose to provide credit monitoring to the impacted individuals to help mitigate customer loss that could have resulted.  When companies start providing such services, and it is well publicized that they are doing so, it sets the bar high for all other companies; it establishes a type of de facto expectation in the public.

Best regards,

Rebecca

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI
Rebecca Herold & Associates LLC

rebeccaherold at rebeccaherold.com
http://www.privacyguidance.com
Blog: http://www.realtime-itcompliance.com
Professor at:  http://www3.norwich.edu/msia
http://www.informationshield.com/protectinginformation.html
http://www.informationshield.com/privacy_main.html

----- Original Message ----- 
From: "Rob Shavell" <slvrspoon at gmail.com>
To: <dataloss at attrition.org>
Sent: Wednesday, March 12, 2008 7:30 AM
Subject: Re: [Dataloss] A data security breach legislation question


> hi all,
> the question i have around US data breach notification legislation is this:
> 
> "why are we counting states?"
> 
> if most legislation applies to affected record-holders if they are
> residents and 95% of breaches already either happen in a state with a
> law or include records of persons residing in such states, then...
> hasn't this basically become a necessity?
> 
> in other words, organizations had better just notify to be in compliance.
> 
> following from this: what is the importance to an organization of
> reading through particulars of state by state legislation when they
> can just follow California, notify everyone, and be in compliance?
> 
> bonus question: in your opinion, why are so many companies choosing to
> include credit monitoring services for those affected?  a) altruism b)
> just not that costly c) concern about downstream law-suits d) ?
> 
> rgds,
> rob
> 
> 
> 
> 
> On 10/03/2008, Susan Orr <susan at susanorrconsulting.com> wrote:
>> I was just looking at the various states the other day, and there are
>>  some differences - some exempt encrypted information, some exclude
>>  financial institutions and others that are covered under other existing
>>  federal and state laws like GLBA.  One state I believe exempts "state
>>  agencies" Oklahoma I think.
>>
>>  Didn't know it was up to 40, last I saw was 38.  I'll have to check it
>>  out, thanks.
>>
>>
>>  Rebecca Herold wrote:
>>  > Counting the District of Columbia, as of the end of October it was 40; see
>>  > http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07.pdf
>>  >
>>  > Best regards,
>>  >
>>  > Rebecca Herold
>>  > ----- Original Message -----
>>  > From: "Kalter, Sarah " <skalter at affiniongroup.com>
>>  > To: "lyger" <lyger at attrition.org>; <dataloss at attrition.org>
>>  > Sent: Monday, March 10, 2008 10:07 AM
>>  > Subject: [Dataloss] A data security breach legislation question
>>  >
>>  >
>>  >
>>  >> Hi All,
>>  >>
>>  >> Does anyone happen to know how many states have enacted data security
>>  >> breach laws/legislation? And if so, which states?
>>  >>
>>  >> Thank you so much!
>>  >>
>>  >> Best,
>>  >> Sarah
>>  >> _______________________________________________
>>  >> Dataloss Mailing List (dataloss at attrition.org)
>>  >> http://attrition.org/dataloss
>>  >>
>>  >> Tenable Network Security offers data leakage and compliance monitoring
>>  >> solutions for large and small networks. Scan your network and monitor your
>>  >> traffic to find the data needing protection before it leaks out!
>>  >> http://www.tenablesecurity.com/products/compliance.shtml
>>  >>
>>  >
>>