[Dataloss] A data security breach legislation question

Chris Walsh chris at cwalsh.org
Wed Mar 12 20:00:50 UTC 2008


On Wed, Mar 12, 2008 at 04:30:23AM -0800, Rob Shavell wrote:
> 
> following from this: what is the importance to an organization of
> reading through particulars of state by state legislation when they
> can just follow California, notify everyone, and be in compliance?

There are substantial differences among the state laws.

In NC, the data needn't be computerized. In several (not CA) states, a report must be made
to the state as well as to impacted parties. In some states, encryption gets you off the hook;
in others, redaction is good enough. In others, even a password(!) is good enough.

I understand the "meet the strictest requirement" philosophy, but California isn't it.

Until there is consistency across states, a la the uniform commercial code, it behooves you
to be up on what each state requires.

That said, "somebody" should just offer this as a service.  IANAL, but it seems like the kind
of thing that would be quite easy to do.

cw
