Educause Security Discussion mailing list archives

Re: Pre-Breach Requirements - 18 States


From: Dan Han/HSC/VCU <s2dhan () VCU EDU>
Date: Tue, 12 Jul 2011 17:35:13 -0400

For now, our take is that we have to comply only with our State laws, 
in addition to the Federal and industry regulations, etc. I am not sure if 
a State can impose its laws on another State. I am interested to see how 
the Mass. law holds up in court though. It may set a precedent...

Dan Han
Virginia Commonwealth University





From:   Steve Bohrer <skbohrer () SIMONS-ROCK EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU
Date:   07/09/2011 03:54 AM
Subject:        Re: [SECURITY] Pre-Breach Requirements - 18 States
Sent by:        The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>



On 7/8/2011 12:11 PM, Rosenthal, Jane E. wrote: 
Hi Cliff,
 
Can you tell me if your attorneys have determined that you have to comply 
with all 50 (or 46) state requirements rather than merely your own state?  
This has been a discussion here and I’m interested in what EDUs are 
thinking on this.
Jane

FWIW, the Mass data breach regulations claim to apply to anyone who has 
data about Mass residents: "The provisions of this regulation apply to all 
persons that own or license personal information about a resident of the 
Commonwealth." (from 
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf ) Thus, if you 
have any students from MA, our regs may apply. I'm not sure how much that 
idea has been tested (seems kinda unfair that Mass Legislature can set 
rules for "all persons" everywhere), but if it holds up and if other 
states follow suit, seems that most EDUs will need to be prepared to deal 
with many state laws.

(We definitely have to follow at least the MA regs, because it's our home 
turf, but I'm not sure how many additional states' regulations to watch 
out for.)

Steve Bohrer
Network Admin, Bard College at Simon's Rock

