[Figure: Cyberspace and Communication Policy Timeline, picture from the Cyberspace Policy Review report]
Week 2 Discussion Question
Describe federal laws that have helped form security practices.
According to McCrie, in Security Operations Management, laws have shaped the formation and operation of security departments within organizations (McCrie, 2007).
In a report released by the White House in July 2009, the state of cybersecurity and U.S. policy was summarized.
The diagram above is taken from an appendix of that report, the Cyberspace Policy Review, released by the Obama Administration in July 2009. The top half of the diagram shows major historical events related to communications, computers and the Internet. The bottom half shows the corresponding history of legislation, regulation, etc., that has affected security and privacy since 1900. What is particularly interesting about this diagram is that it begins in 1900: as the reader will see, some very important developments along the way shaped the state of the law today.
The tables in the appendices show the following:
Appendix A - A timeline that shows U.S. laws related to privacy and security.
Appendix B - A comprehensive list of State Laws that are related to data privacy.
Taken as a whole, these laws have helped to form and influence the composition and operation of security practices in organizations, because it is the consequences of non-compliance spelled out in these laws that give the leadership of organizations a sense of urgency to meet their obligations to protect assets, data, and people.
Also, it is important to note that federal laws are influenced by state laws and vice versa. On May 12, 2011, President Obama’s administration submitted a legislative proposal to Congress to request the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security as well as mandating Federal legislation that will require all organizations that experience privacy data breaches to notify those that are affected.
References:
Ballard, Spahr, Andrews, Ingersoll, LLC. (2004). Privacy Law. [Electronic version.] Retrieved from the web at http://www.virtualchase.com/resources/privacy.html on May 14, 2004.
Brancik, K. C. (2008). Insider Computer Fraud: An In-depth Framework for Detecting and Defending Against Insider IT Attacks. Boca Raton, FL: Auerbach Publications.
Davis, C., Schiller, M., and Wheeler, K. (2007). IT Auditing: Using Controls to Protect Information Assets. New York, NY: Osborne McGraw-Hill.
Department of Homeland Security. (2009). (U//FOUO) Rightwing Extremism: Current Economic and Political Climate Fueling Resurgence in Radicalization and Recruitment. Retrieved from the web at http://www.fas.org/irp/eprint/rightwing.pdf on December 24, 2011.
Department of Justice. (2004). USA PATRIOT Act at Work. Retrieved from the web at http://www.justice.gov/olp/pdf/patriot_report_from_the_field0704.pdf on December 24, 2011.
Doyle, C. (2002). USA PATRIOT Act: A Sketch. Retrieved from the web at http://www.fas.org/irp/crs/RS21203.pdf on December 24, 2011.
Doyle, C. (2010). National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments. A CRS Report dated December 27, 2010. Retrieved from the web at http://www.fas.org/sgp/crs/intel/RS22406.pdf on December 24, 2011.
Electronic Privacy Information Center (EPIC). Resources about the USA PATRIOT Act. http://epic.org/privacy/terrorism/usapatriot/.
EPIC. (2011). Information Related to the USA PATRIOT Act. Retrieved from the web at http://epic.org/privacy/terrorism/usapatriot/ on December 9, 2011.
Frackman, A., Martin, R., and Ray, C. (2002). Internet and Online Privacy: A Legal and Business Guide. New York: ALM Publishing.
Galik, D. (1998). Defense in Depth: Security for Network-Centric Warfare. [Electronic version.] Retrieved from the web at http://www.chips.navy.mil/archives/98_apr/Galik.htm on May 11, 2004.
Gaskin, J. (1997). Corporate Politics and the Internet: Connection Without Controversy. Upper Saddle River, NJ: Prentice Hall.
Herrmann, D. S. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Boca Raton, FL: Auerbach Publications.
Hoffman, L. J. (1977). Modern Methods for Computer Security and Privacy. Englewood Cliffs, NJ: Prentice-Hall.
Icove, D., et al. (1995). Computer Crime: A Crimefighter's Handbook. Sebastopol, CA: O'Reilly & Associates.
Jacobs, S. (2011). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. Piscataway, NJ: IEEE Press.
Landy, G. K. (2008). The IT/Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media, and IP Law. Burlington, MA: Syngress.
Lane, C. A. (1997). Naked in Cyberspace. Wilton, CT: Pemberton Press.
Legal Information Institute. (2004). Right of Privacy: An Overview. An article from Cornell Law School. [Electronic version.] Retrieved from the web at http://www.law.cornell.edu/topics/privacy.html on May 14, 2004.
McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.
Miles, G., et al. (2004). Security Assessment: Case Studies for Implementing the NSA IAM. Burlington, MA: Syngress Publishing, Inc.
Olsen, J. E. (2003). Data Quality: The Accuracy Dimension. San Francisco, CA: Morgan Kaufmann Publishers.
Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.
Riggs, M. (2011). Lee County Deputies Tied Suspect to a Chair, Gagged Him, and Pepper-Sprayed Him to Death. An article published at Reason.com on December 23, 2011. Retrieved from the web at http://reason.com/blog/2011/12/23/lee-county-deputies-tied-suspect-to-a-ch on December 23, 2011.
Senft, A. and Gallegos, F. (2009). Information Technology Control and Audit. Boca Raton, FL: CRC Press.
The White House. (2009). Cyberspace Policy Review. A document published by the Obama Administration. Retrieved from the web at http://info.publicintelligence.net/cyberspace_policy_review_final.pdf on December 9, 2011.
U.S. Congress. (1987). The Computer Security Act of 1987. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web at http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf on December 9, 2011.
U.S. Government. (2009). American Recovery and Reinvestment Act of 2009. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web at http://www.opencongress.org/bill/111-s1/show on December 9, 2011.
U.S. Government. (2001). USA PATRIOT Act. Retrieved from the web at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf on December 24, 2011.
U.S. Government. (1776). The Declaration of Independence. Retrieved from the web at http://www.billslater.com/tj1776.htm on November 6, 2011.
U.S. Government. (1791). U.S. Constitution. Retrieved from the web at http://www.billslater.com/wfs_us_constitution.htm on November 6, 2011.
Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology.
Wikipedia. (2011). USA PATRIOT Act. A Wikipedia article retrieved from the web at http://en.wikipedia.org/wiki/Usa_patriot_act on November 6, 2011.
Appendix A - Federal Legislation that has Influenced Security Practices - From the Beginning to 2011

| Timeframe | Law | Author(s) | Comments |
|---|---|---|---|
| 1788 – 1789 | First Amendment to the U.S. Constitution – Freedom of Speech, Freedom of Assembly, Freedom of Worship. | James Madison, et al. | |
| 1788 – 1789 | Fourth Amendment to the U.S. Constitution – Freedom from unreasonable search and seizure. | James Madison, et al. | |
| 1974 | Privacy Act of 1974 (Public Law 93-579, 5 U.S. Code 552a) – sets limits on the collection and transfer of personal data by government agencies and lets citizens sue agencies that violate the act (Lane, 1997). | Congress of the U.S. | |
| 1984 | "Computer Fraud and Abuse Act – originally enacted as part of the Crime Control Act and was the first statute to specifically address computer crime. In 1990, this was amended 'to cover all computers used in interstate commerce or communications' and to prohibit forms of computer abuse which arise in connection with, and have a significant effect upon, interstate or foreign commerce" (Frackman, Martin and Ray, 2002). | Congress of the U.S. | People were prohibited from accessing computers without authorization. |
| 1986 | "Electronic Communications Privacy Act of 1986 – the most comprehensive piece of federal legislation dealing with the interception of and access to electronic communications such as e-mail and voice mail" (Frackman, Martin and Ray, 2002). | Congress of the U.S. | "Enacted to amend Title III of the Omnibus Crime Control and Safe Streets Act of 1968. This act provided protection for traditional means of communication, such as the telephone, by placing restrictions on the wiretapping and eavesdropping of these means of communication. The ECPA modernized the 1968 Act to expand upon all forms of electronic communication. It exposes violators to civil penalties and sets out specific exceptions. However, employers have been able to circumvent any constraints imposed by the ECPA by obtaining consent of employees. Courts have uniformly upheld such consent of employees" (Frackman, Martin and Ray, 2002). |
| 1987 | The Computer Security Act of 1987 | 101 STAT. 1724, Public Law 100-235, 100th Congress | This was the first federal law devoted exclusively to computer security. |
| 1996 | "Health Insurance Portability and Accountability Act (HIPAA) of 1996 – required the Department of Health and Human Services to promulgate regulations governing the disclosure of health information" (Frackman, Martin and Ray, 2002). | Congress of the U.S. | Purpose was to safeguard PII and NPPI data in transit and in storage, whether used for financial transactions or a patient's medical records. |
| 1999 | "Gramm-Leach-Bliley Act – for the purpose of implementing the congressional policy that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers to protect the security and confidentiality of those customers' nonpublic personal information…" (Frackman, Martin and Ray, 2002). | Senators Gramm, Leach and Bliley | President Clinton was on record as being reluctant to sign this into law, because he did not believe it was a good law. Purpose was to safeguard PII and NPPI data in transit and in storage, whether used for financial transactions or a patient's medical records. |
| 2001 | USA PATRIOT Act, H.R. 3162 | Frank James Sensenbrenner, Jr. (EPIC, 2011) | The USA PATRIOT Act essentially nullified 5 of the first 10 Amendments to the U.S. Constitution. Many citizens feel strongly that the powers now granted to the Executive branch of government and its agents are in direct conflict with the 1st, 4th, 5th, 6th and 8th Amendments in the Bill of Rights to the U.S. Constitution (see Bill of Rights, below). In other words, we now live in such times that many of the rights to privacy that we thought we were guaranteed under the U.S. Constitution are now preempted, at least temporarily, by the PATRIOT Act. In fact, the only way that the PATRIOT Act could be successfully passed in both chambers of Congress was to include a "Sunset Clause," which caused many of the more far-reaching provisions of the Act to expire automatically unless they were again reviewed and approved by both chambers of Congress. Though there was a "Sunset Clause," the PATRIOT Act has now been renewed TWICE, once under President Bush and once under President Obama. |
| 2005 | H.R. 4127 – Data Accountability and Trust Act (DATA) | House of Representatives – Rep. Clifford Stearns [R-FL] | Never passed by the Senate. The goal of this legislation was to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information and to provide for nationwide notice in the event of a security breach. |
| 2005 – 2011 | Breach Notification Act(s) | Various State Legislatures | As of 2011, over 42 states in the U.S. have laws that protect the privacy of NPPI and PII. Purpose was to safeguard PII and NPPI data in transit and in storage, whether used for financial transactions or a patient's medical records. On May 12, 2011, President Obama's administration submitted a legislative proposal to Congress to request the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security, as well as mandating Federal legislation that will require all organizations that experience privacy data breaches to notify those that are affected. |
| 2009 | HITECH Act | U.S. Congress | Passed as a provision of the American Recovery and Reinvestment Act of 2009. It imposes stiff penalties for HIPAA violations. The ARRA is a bill to create jobs, restore economic growth, and strengthen America's middle class through measures that modernize the nation's infrastructure, enhance America's energy independence, expand educational opportunities, preserve and improve affordable health care, provide tax relief, and protect those in greatest need, and for other purposes (U.S. Congress, 2009). |
Appendix B – State Privacy Laws as of 2010

| State | Legislation or State Law | Requires |
|---|---|---|
| Alaska | A.S. 45.48.010 (July 1, 2009) | Notice to consumers of breach in the security of unencrypted, unredacted personal information in physical or electronic form, or encrypted information where the encryption key may also have been compromised. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt. |
| Arizona | A.R.S. 44-7501 (December 31, 2006) | Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. If entity complies with federal rules, then it is deemed to be in compliance with |
| | | Notice to consumers of breach in the security of unencrypted, computerized personal information and medical information in electronic or physical form. Notice is not required if no reasonable likelihood of harm to consumers. If entity complies with state or federal law that provides greater protection, and at least as thorough disclosure, and is in compliance with the state or federal law, then it is deemed in compliance. |
| California | Civil Code Sec. 1798.80-1798.82 (July 1, 2003) | Notice to consumers of breach in the security, confidentiality, or integrity of unencrypted, computerized personal information held by a business or a government agency. If the person or business has its own notification procedures consistent with timing requirements and provides notice in accordance with its policies, or if the person or business abides by state or federal law that provides greater protection and disclosure, then it is deemed in compliance. |
| | | Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. Notice given unless investigation determines misuse of information has not occurred or is not reasonably likely to occur. If entity is regulated by state or federal law and maintains procedures pursuant to laws, rules, regulations or guidelines, it is deemed in compliance. |
| | 699 Gen. Stat. | Notice of security breach by persons who conduct business in the state and have a breach of the security of unencrypted computerized data, electronic media or electronic files, containing personal information. Notice is not required if the breached entity determines in consultation with federal, state, and local law enforcement agencies that the breach will not likely result in harm to the individuals. Governmental entities are not required to provide notice under this section. Entities are also deemed compliant if notification is in compliance with rules or guidelines established by the primary functional regulator under the Gramm-Leach-Bliley Act. |
| Delaware | Del. Code Ann. Title 6 Section 12B-101 to 12B-106 (June 28, 2005) | Notice to consumers of breach in the security of unencrypted computerized personal information if the investigation determines that misuse of information about a |
| District of Columbia | DC Code Sec 28-3851 et seq. (January 1, 2007) | Notice to consumers of breach in the security, confidentiality, or integrity of unencrypted computerized or other electronic personal information held by a business or a government agency. This section does not pertain to a person or entity subject to the Gramm-Leach-Bliley Act. This section also does not apply to a person or business with its own notification procedures with consistent timing requirements in compliance with the notification requirements of this section, where the person or business provides notice in accordance with its policies and which is reasonably calculated to give actual notice. |
| Florida | Fla. Stat. Ann. 817.5681 et seq. (July 1, 2005) | Notice to consumers of breach in the security, confidentiality or integrity of computerized, unencrypted personal information held by a person who conducts business in the state. Notice not required if, after appropriate investigation or consultation with law enforcement, the person reasonably determines the breach has not and will not likely result in harm to individuals. Determination must be documented in writing and maintained for five years. Deemed in compliance if the person's own notification procedure is otherwise consistent with the timing requirements of this section, or if "maintaining" notification procedures established by the person's primary or functional federal regulator. |
| Georgia | Ga. Code Ann. 10-1-910 et seq. (May 24, 2007. Covers "information brokers and data collectors") | Notice of breach that compromises the security, confidentiality, or integrity of computerized personal information held by an info broker or data collector. |
| Hawaii | HRS Sec 487N-1 et seq. (January 1, 2007) | Notice when unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur, and that creates a risk of harm to a person. Notice under this section not required by a financial institution subject to Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice or by any health plan or healthcare provider under HIPAA. |
| Idaho | | Notice to consumers of breach in the security of unencrypted, computerized personal information if, after a reasonable investigation, the agency, individual or entity determines that misuse of information of an Idaho resident has occurred or is reasonably likely to occur. Notice under this section not required by a person regulated by state or federal law who complies with procedures under that law. |
| Illinois | ILCS Sec. 530/1 et seq. (January 1, 2006) | Notice to consumers of breach in the security, confidentiality, or integrity of personal information of the system data held by a person or a government agency. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act. |
| Indiana | Ind. Code Sec. 4-1-11 et seq. (June 30, 2006) | Notice to consumers of breach in the security, confidentiality, or integrity of computerized personal information held by a government agency. |
| Indiana | Ind. Code Sec. 24-2-9 et seq. (June 30, 2006) | Notice when a data collector knows, should know, or should have known that the unauthorized acquisition of computerized data, including computerized data that has been transferred to another medium, constituting the breach has resulted in or could result in identity deception, ID theft or fraud. Notice not required under this section if entity maintains own disclosure procedures, is under the federal USA PATRIOT Act, Exec. Order 13224, FCRA, Financial Modernization Act, HIPAA, or is a financial institution that complies with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice. |
| | | Notice to consumers of breach in the security of unencrypted, unredacted personal information in electronic form. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Exempted are those with own notification procedures or procedures under state or federal law providing at least greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by primary regulator, or state or federal laws. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt. |
| | | Notice to consumers about a breach in the security of unencrypted, unredacted computerized personal information if investigation determines misuse has occurred or is reasonably likely to occur. |
| | | Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. No notice if, after a reasonable investigation, the data holder determines that there is no reasonable likelihood of harm to customers. Notice not required by financial institutions in compliance with federal guidance. |
| Maine | Me. Rev. Stat. Ann. 10-21-B-1346 to 1349 (January 31, 2006. Covers only information brokers) | Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information if the personal information has been or is reasonably believed to have been acquired by an unauthorized person. Notice under this section is not required by persons regulated by state or federal law who comply with procedures under that law. |
| Massachusetts | 201 CMR 17.00 (March 1, 2010) | Notice of a breach, i.e. unauthorized acquisition of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality or integrity of the personal information and that creates a significant risk of identity theft or fraud. |
| Michigan | 2006-PA-0566 (July 2, 2007) | Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Notice under this section required unless person/agency determines the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft. Does not apply to financial institutions or HIPAA entities. |
| Minnesota | Minn. Stat. 324E.61 et seq. (January 1, 2006) | Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Does not apply to financial institutions or HIPAA entities. |
| | | Notice to consumers of breach in security, confidentiality, or integrity of computerized personal information held by a person or business if the breach causes or is reasonably believed to have caused loss or injury to a |
| | | Notice to consumers of a breach in the security of unencrypted, computerized personal information if an investigation determines misuse of information has occurred or is reasonably likely to occur. Deemed in compliance if the person's own notification procedure is otherwise consistent with the timing requirements of this section, or if the person follows notification procedures established by its primary or functional federal regulator. |
| Nevada | Nev. Rev. Stat. 607A.010 et seq. (January 1, 2006) | Notice of breach of the security, confidentiality, or integrity of unencrypted computerized personal information by data collectors, which are defined to include government, business entities and associations who handle, collect, disseminate or otherwise deal with nonpublic personal information. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or is subject to compliance with the Gramm-Leach-Bliley Act. |
| New Hampshire | NH RS 359-C:19 et seq. (January 1, 2007) | Notice of unauthorized acquisition if it is determined likely that information has been or will be misused. Notice must be given if there is a determination that misuse of information has occurred or is reasonably likely to occur, or if a determination cannot be made. Notice under this section not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or if the entity is a person engaged in trade or commerce under RSA 358-A:3 and maintains notification procedures established by its primary or functional regulator. |
| New Jersey | NJ Stat 56:8-163 (July 2, 2006) | Notice of breach of security of unencrypted computerized personal information held by a business or public entity. No notice if a thorough investigation finds misuse of the information is not reasonably possible. Written documentation of the investigation must be kept for 5 years. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. |
| New York | NY Bus. Law Sec. 899-aa (December 8, 2005) | Notice of breach of security of computerized unencrypted, or encrypted with acquired encryption key, personal information held by both public and private entities. |
| North Carolina | N.C. Gen. Stat. 75-65 (December 1, 2005) | Notice of breach of security of unencrypted and unredacted written, drawn, spoken, visual or electromagnetic personal information, and encrypted personal information with the confidential process or key, held by a private business if the breach causes, is reasonably likely to cause, or creates a material risk of harm to residents of North Carolina. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt. |
| North Dakota | N.D. Cent. Code 51-30 (June 1, 2005) | Notice of a breach of the security of unencrypted, computerized, personal information by persons doing business in the state. Includes an expanded list of sensitive personal information, including date of birth, mother's maiden name, employee ID number, and electronic signature. Exception for those financial institutions which are in compliance with federal guidance. |
| Ohio | O.R.C. Ann. 1349.19 et seq. (February 17, 2006) | Notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business, where it is reasonably believed it will cause a material risk of identity theft or fraud to a person or property of a resident of |
| | | Requires state government agencies to give notice of breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of |
| Oregon | O.R.S. 646A.604 (October 1, 2007) | Notice when unauthorized acquisition of computerized data materially compromises the security, confidentiality or integrity of personal information maintained by the person. Notice not required if, after an appropriate investigation or after consultation with federal, state or local agencies responsible for law enforcement, the person determines no reasonable likelihood of harm to consumers whose personal info has been acquired has resulted or will result from the breach. Determination must be in writing and kept for 5 years. Exempted are those with own notification procedures under state or federal law providing at least greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by primary regulator, or state or federal laws, and financial institutions which are in compliance with federal guidance. |
| | 73 | Notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business, that is reasonably believed to have been accessed or acquired by an unauthorized person. Notice under this section not required if entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt. |
| Puerto Rico | 10 L.P.R.A. 4051 et seq. (January 5, 2006) | Notice of breach of the security, confidentiality and integrity of unencrypted personal information, where access has been permitted to unauthorized persons or it is known or reasonably suspected that authorized persons have accessed the information with intent to use it for illegal purposes. |
| Rhode Island | RI Gen. Law 11-49.2-3 to 11-49.2-7 (March 1, 2006) | Notice of a breach of the security, confidentiality or integrity of unencrypted, computerized, personal information by persons and by state agencies if the breach poses significant risk of identity theft when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. No notice is required if, after an appropriate investigation or after consultation with relevant federal, state, and local law enforcement agencies, it is determined the breach has not and will not likely result in harm to individuals. Does not apply to HIPAA entities or financial institutions in compliance with Federal Interagency Guidelines. Entities covered by another state or federal law are exempt only if that other law provides greater protection to consumers. |
| South Carolina | SC Code §1-11-490 et seq. (January 1, 2009) | Notice of breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, when illegal use of the information has occurred or is reasonably likely to occur, or use of the information creates a "material risk of harm" to the consumer. Notice under this section is not required if entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. |
| | | Notice of the unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information. Does not apply to persons subject to Title V of the Gramm-Leach-Bliley Act. |
| | | Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons who conduct business in the state. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. |
| Utah | Utah Code 13-44-101 et seq. (January 1, 2007) | Notice of a breach of the security of computerized personal information that is not protected by a method that makes the information unusable. Entities covered by another state or federal law are exempt if the person notifies each affected |
| Vermont | Vt. Stat. Tit 9 Sec. 2435 (January 1, 2007) | Notice if investigation reveals misuse of personal information for identity theft or fraud has occurred, or is reasonably likely to occur. Notice is not required if the data collector establishes that misuse of personal information is not reasonably possible. Must provide notice and explanation to the Attorney General or the department of banking, insurance, securities and health care administration in the event the data collector is a person/entity licensed with that department. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt. |
| Virgin Islands | 14 V.I.C. 2208 et seq. (October 17, 2005) | Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information reasonably believed to have been acquired by unauthorized persons. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. |
| Virginia | VA Code 18.2-186.6 (July 1, 2008) | Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, if an individual or entity reasonably believes such information has been accessed and acquired by an unauthorized person and has caused or will cause identity theft or other fraud. Notice under this section is not required if an entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or if the entity has notification procedures established by a federal regulator. This section does not apply to any entity that is subject to compliance with the Gramm-Leach-Bliley Act. |
| |
RCW 42.17 et seq. (July 24, 2005)
|
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons, businesses and government agencies. Notice is not required when there is a technical breach of the security of the system which does not seem reasonably likely to subject customers to a risk of criminal activity. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
| |
WV Code 46A-2A-101 et seq. (June 26, 2008)
|
Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, reasonably believed to have been accessed and acquired by an unauthorized person and has caused, or will cause, identity theft or other fraud. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
| |
Notice to the consumer when personal information is taken in a security breach that is not encrypted, redacted or altered in any manner rendering the information unreadable. This includes DNA and biometric data. Notice not required if the acquisition of personal information does not create a material risk of ID theft or fraud.
| ||
W.S. 40-12-501 to 509 (July 1, 2007)
|
Notice of the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information of an investigation determines misuse of the personal identifying information has occurred or is reasonably likely to occur. Financial institutions subject to the Gramm-Leach-Bliley Act or credit unions under 12 USC §1752 are exempt from providing notice under this section.
|
(Jacobs, 2011)
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
M.S. in Cybersecurity Program at Bellevue University
Chicago, IL, United States of America