BreachExchange mailing list archives

Re: A data security breach legislation question

From: Chris Walsh <chris () cwalsh org>
Date: Wed, 12 Mar 2008 15:00:50 -0500

On Wed, Mar 12, 2008 at 04:30:23AM -0800, Rob Shavell wrote:

> following from this: what is the importance to an organization of
> reading through particulars of state by state legislation when they
> can just follow California, notify everyone, and be in compliance?

There are substantial differences among the state laws.

In NC, the data needn't be computerized.  In several (not CA) states, a report must be made
to the state as well as to impacted parties.  In some states, encryption gets you off the hook;
in others, redaction is good enough.  In others, even a password(!) is good enough.

I understand the "meet the strictest requirement" philosophy, but California isn't it.

Until there is consistency across states, a la the uniform commercial code, it behooves you
to be up on what each state requires.

That said, "somebody" should just offer this as a service.  IANAL, but it seems like the kind
of thing that would be quite easy to do.

cw
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss