William Slater's CYBR 510

CYBR 510 - Physical, Operations, and Personnel Security

Friday, December 9, 2011

Post 005 - CYBR 510


Week 2 Discussion Question

Describe federal laws that have helped form security practices.
According to McCrie, in Security Operations Management, laws have influenced the formation and operation of security departments within organizations (McCrie, 2007).
A report released by the White House in July 2009 summarized the state of cybersecurity and U.S. policy.
The diagram referred to above comes from an appendix of that Cyberspace Policy Review report, which the Obama Administration released in July 2009. The top half of the diagram shows major historical events related to communications, computers and the Internet. The bottom half shows the corresponding history of legislation, regulation and other measures that have affected security and privacy since 1900. What is particularly interesting about this diagram is that it begins in 1900. As the reader will see, some very important developments shaped the state of the law today.
The tables in the appendices show the following:
Appendix A - A timeline that shows U.S. laws related to privacy and security.
Appendix B - A comprehensive list of State Laws that are related to data privacy.
Taken as a whole, these laws have helped to form and influence the composition and operation of security practices in organizations. It is the consequences of non-compliance described in these laws that give the leadership of organizations a sense of urgency to meet their obligations to protect assets, data, and people.
Also, it is important to note that federal laws are influenced by state laws and vice versa. On May 12, 2011, President Obama’s administration submitted a legislative proposal to Congress to request the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security as well as mandating Federal legislation that will require all organizations that experience privacy data breaches to notify those that are affected.


References:

Ballard, Spahr, Andrews, Ingersoll, LLC. (2004) Privacy Law. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.virtualchase.com/resources/privacy.html.

Brancik, K. C. (2008). Insider Computer Fraud: An In-depth Framework for Detecting and Defending Against Insider IT Attacks. Boca Raton, FL: Auerbach Publications.

Davis, C., Schiller, M., and Wheeler, K. (2007). IT Auditing: Using Controls to Protect Information Assets. New York, NY: Osborne McGraw Hill.

Department of Homeland Security. (2009). (U//FOUO) Rightwing Extremism: Current Economic and Political Climate Fueling Resurgence in Radicalization and Recruitment. Retrieved from the web at http://www.fas.org/irp/eprint/rightwing.pdf on December 24, 2011.

Department of Justice. (2004). USA PATRIOT Act at Work. Retrieved from the web at

Doyle, C. (2002). USA PATRIOT Act: A Sketch. Retrieved from the web at http://www.fas.org/irp/crs/RS21203.pdf on December 24, 2011.

Doyle, C. (2010). National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments. A CRS Report dated December 27, 2010. Retrieved from the web at http://www.fas.org/sgp/crs/intel/RS22406.pdf on December 24, 2011.

Electronic Privacy and Information Center. Resources about the USA PATRIOT Act. Retrieved from the web at http://epic.org/privacy/terrorism/usapatriot/.

EPIC. (2011). Information Related to the USA PATRIOT Act. Retrieved from the web at http://epic.org/privacy/terrorism/usapatriot/ on December 9, 2011.

Frackman, A., Martin, R., and Ray, C. (2002). Internet and Online Privacy: A Legal and Business Guide. New York: ALM Publishing.

Galik, D. (1998). Defense in Depth: Security for Network-Centric Warfare. [Electronic version] Retrieved from the web on May 11, 2004 from http://www.chips.navy.mil/archives/98_apr/Galik.htm.

Gaskin, J. (1997). Corporate Politics and the Internet: Connection Without Controversy. Upper Saddle River, NJ: Prentice Hall.

Herrmann, D. S. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Boca Raton, FL: Auerbach Publications.

Hoffman, L. J. (1977). Modern Methods for Computer Security and Privacy. Englewood Cliffs, NJ: Prentice-Hall.

Icove, D., et al. (1995). Computer Crime: A Crimefighter’s Handbook. Sebastopol, CA: O’Reilly & Associates.

Jacobs, S. (2011). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. Piscataway, NJ: IEEE Press.

Landy, G. K. (2008). The IT/Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media, and IP Law. Burlington, MA: Syngress.

Lane, C. A. (1997). Naked in Cyberspace. Wilton, CT: Pemberton Press.

Legal Information Institute. (2004). Right of Privacy: An Overview. An article from Cornell Law School. [Electronic version.] Retrieved from the web on May 14, 2004 at http://www.law.cornell.edu/topics/privacy.html.

McCrie, R. D. (2007). Security Operations Management, second edition. Burlington, MA: Elsevier.

Miles, G., et al. (2004) Security Assessment: Case Studies for Implementing the NSA IAM. Burlington, MA: Syngress Publishing, Inc.

Olsen, J. E. (2003). Data Quality: The Accuracy Dimension. San Francisco, CA: Morgan Kaufmann Publishers.

Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.

Riggs, M. (2011). Lee County Deputies Tied Suspect to a Chair, Gagged Him, and Pepper-Sprayed Him to Death. An article published at Reason.com on December 23, 2011. Retrieved from the web at http://reason.com/blog/2011/12/23/lee-county-deputies-tied-suspect-to-a-ch on December 23, 2011.

Senft, A., and Gallegos, F. (2009). Information Technology Control and Audit. Boca Raton, FL: CRC Press.

The White House. (2009). Cyberspace Policy Review. A document published by the Obama Administration. Retrieved from the web at http://info.publicintelligence.net/cyberspace_policy_review_final.pdf on December 9, 2011.

U.S. Congress. (1987). The Computer Security Act of 1987. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web at http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf on December 9, 2011.

U.S. Government. (2009). American Recovery and Reinvestment Act of 2009. 101 STAT. 1724, Public Law 100-235, 100th Congress. Retrieved from the web at http://www.opencongress.org/bill/111-s1/show on December 9, 2011.

U.S. Government. (2001). USA PATRIOT Act. Retrieved from the web at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf on December 24, 2011.

U.S. Government. (1776). The Declaration of Independence. Retrieved from the web at http://www.billslater.com/tj1776.htm on November 6, 2011.

U.S. Government. (1791). U.S. Constitution. Retrieved from the web at

Whitman, M. E., and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology.

Wikipedia. (2011). USA PATRIOT Act. A Wikipedia article retrieved from the web at

Appendix A - Federal Legislation that has Influenced Security Practices - From the Beginning to 2011

Each entry below gives the timeframe, the law, its author(s), and comments where the table provided them.

Timeframe: 1788 – 1789
Law: First Amendment to the U.S. Constitution – Freedom of Speech, Freedom of Assembly, Freedom of Worship.
Author(s): James Madison, et al.

Timeframe: 1788 – 1789
Law: Fourth Amendment to the U.S. Constitution – Freedom from unreasonable search and seizure.
Author(s): James Madison, et al.

Timeframe: 1974
Law: Privacy Act of 1974 (Public Law 93-579, 5 U.S. Code 552a) – sets limits on the collection and transfer of personal data by government agencies and lets citizens sue agencies that violate the act (Lane, 1997).
Author(s): Congress of the U.S.

Timeframe: 1984
Law: “Computer Fraud and Abuse Act – originally enacted as part of the Crime Control Act and was the first statute to specifically address computer crime. In 1990, it was amended “to cover all computers used in interstate commerce or communications” and to prohibit forms of computer abuse which arise in connection with, and have a significant effect upon, interstate or foreign commerce (Frackman, Martin and Ray, 2002).”
Author(s): Congress of the U.S.
Comments: People were prohibited from accessing computers without authorization.

Timeframe: 1986
Law: “Electronic Communications Privacy Act of 1986 – the most comprehensive piece of federal legislation dealing with the interception of and access to electronic communications such as e-mail and voice mail (Frackman, Martin and Ray, 2002).”
Author(s): Congress of the U.S.
Comments: “Enacted to amend Title III of the Omnibus Crime Control and Safe Streets Act of 1968. This act provided protection from traditional means of communication, such as the telephone, by placing restrictions on the wiretapping and eavesdropping of these means of communication. The ECPA modernized the 1968 Act to expand upon all forms of electronic communication. It exposes violators to civil penalties and sets out specific exceptions. However, employers have been able to circumvent any constraints imposed by the ECPA by obtaining consent of employees. Courts have uniformly upheld such consent of employees (Frackman, Martin and Ray, 2002).”

Timeframe: 1987
Law: The Computer Security Act of 1987 (101 STAT. 1724, Public Law 100-235, 100th Congress)
Comments: This was the first federal law that was exclusively related to computer security.

Timeframe: 1996
Law: “Health Insurance Portability and Accountability Act (HIPAA) of 1996 – required the Department of Health and Human Services to promulgate regulations governing the disclosure of health information (Frackman, Martin and Ray, 2002).”
Author(s): Congress of the U.S.
Comments: Purpose was to safeguard PII and NPPI data in transit and in storage, whether it is used for financial transactions or a patient’s medical records.

Timeframe: 1999
Law: “Gramm-Leach-Bliley Act – for the purpose of implementing the congressional policy that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers to protect the security and confidentiality of those customers’ nonpublic personal information… (Frackman, Martin and Ray, 2002).”
Author(s): Senators Gramm, Leach and Bliley
Comments: President Clinton was on record as being reluctant to sign this into law, because he did not believe it was a good law. Purpose was to safeguard PII and NPPI data in transit and in storage, whether it is used for financial transactions or a patient’s medical records.

Timeframe: 2001
Law: USA PATRIOT Act, H.R. 3162
Author(s): Frank James Sensenbrenner, Jr. (EPIC, 2011)
Comments: The USA PATRIOT Act essentially nullified 5 of the first 10 Amendments to the U.S. Constitution. Many citizens feel strongly that the powers now granted to the Executive branch of government and its agents are in direct conflict with the 1st, 4th, 5th, 6th and 8th Amendments in the Bill of Rights to the U.S. Constitution (see Bill of Rights, below). In other words, we now live in such times that many of the rights to privacy that we thought we were guaranteed under the U.S. Constitution are now preempted, at least temporarily, by the PATRIOT Act. In fact, the only way that the PATRIOT Act could be successfully passed in both chambers of Congress was to include a “Sunset Clause,” which caused many of the more far-reaching provisions of the Act to expire automatically unless they were again reviewed and approved by both chambers of Congress. Though there was a “Sunset Clause,” the PATRIOT Act has now been renewed twice, once under President Bush and once under President Obama.

Timeframe: 2005
Law: H.R. 4127 – Data Accountability and Trust Act (DATA)
Author(s): House of Representatives – by Rep. Clifford Stearns [R-FL]
Comments: Never passed by the Senate. The goal of this legislation was to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information and to provide for nationwide notice in the event of a security breach.

Timeframe: 2005 – 2011
Law: Breach Notification Act(s)
Author(s): Various State Legislatures
Comments: As of 2011, over 42 states in the U.S. have laws that protect the privacy of NPPI and PII. Purpose was to safeguard PII and NPPI data in transit and in storage, whether it is used for financial transactions or a patient’s medical records. On May 12, 2011, President Obama’s administration submitted a legislative proposal to Congress to request the creation of laws to provide greater security for Federal government entities under the Department of Homeland Security as well as mandating Federal legislation that will require all organizations that experience privacy data breaches to notify those that are affected.

Timeframe: 2009
Law: HITECH Act
Author(s): U.S. Congress
Comments: Passed as a provision of the American Recovery and Reinvestment Act of 2009. It imposes stiff penalties for HIPAA violations. The ARRA is a bill to create jobs, restore economic growth, and strengthen America's middle class through measures that modernize the nation's infrastructure, enhance America's energy independence, expand educational opportunities, preserve and improve affordable health care, provide tax relief, and protect those in greatest need, and for other purposes (U.S. Congress, 2009).


Appendix B – State Privacy Laws as of 2010

State
Legislation or State Law
Requires
Alaska
A.S. 45.48.010 (July 1, 2009)
Notice to consumers of breach in the security of unencrypted, unredacted personal information in physical or electronic form, or encrypted information where the encryption key may also have been compromised. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt.
Arizona
A.R.S. 44-7501 (December 31, 2006)
Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. If entity complies with federal rules, then it is deemed to be in compliance with Arizona law.
Arkansas
Ark. Code Ann. 4-110-101 to 108 (March 31, 2005)
Notice to consumers of breach in the security of unencrypted, computerized personal information and medical information in electronic or physical form. Notice is not required if no reasonable likelihood of harm to consumers. If entity complies with state or federal law that provides greater protection, and at least as thorough disclosure and in compliance with the state or federal law, then it is deemed in compliance.
California
Civil Code Sec. 1798.80-1798.82 (July 1, 2003)
Notice to consumers of breach in the security, confidentiality, or integrity of unencrypted, computerized personal information held by a business or a government agency. If the person or business has own notification procedures consistent with timing requirements and provides notice in accordance with its policies or if the person or business abides by state or federal law provides greater protection and disclosure, then it is deemed in compliance.
Colorado
Co. Rev. Stat. 6-1-716(1)(a) (September 1, 2006)
Notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. Notice given unless investigation determines misuse of information has not occurred or is not reasonably likely to occur. If entity is regulated by state or federal law and maintains procedures pursuant to laws, rules, regulations or guidelines, it is deemed in compliance.
Connecticut
699 Gen. Stat. Conn. 36a-701 (January 1, 2006)
Notice of security breach by persons who conduct business in the state and have a breach of the security of unencrypted computerized data, electronic media or electronic files, containing personal information. Notice is not required if the breached entity determines in consultation with federal, state, and local law enforcement agencies that the breach will not likely result in harm to the individuals. Governmental entities not required to provide notice under this section. Entities are also deemed compliant if notification is in compliance with rules or guidelines established by the primary function of the regulator under the Gramm-Leach Bliley Act.
Delaware
Del. Code Ann. Title 6 Section 12B-101 to 12-B-106 (June 28, 2005)
Notice to consumers of breach in the security of unencrypted computerized personal information if the investigation determines that misuse of information about a Delaware resident has occurred or is reasonably likely to occur. If the entity is regulated by state or federal law and maintains procedures for a breach pursuant to the laws, rules, regulations, guidances or guidelines established by its primary or functional state or federal regulator, then it is deemed in compliance with this chapter provided it notifies affected residents in accordance with the maintained procedures when a breach occurs.
District of Columbia
DC Code Sec 28-3851 et seq. (January 1, 2007)
Notice to consumers of breach in the security, confidentiality, or integrity of unencrypted computerized or other electronic personal information held by a business or a government agency. This section does not pertain to person or entity subject to the Gramm-Leach Bliley Act. This section also does not apply to a person or business with its own notification procedures with consistent timing requirements in compliance with notification requirements of this section and the person or business provides notice in accordance with its policies and which is reasonably calculated to give actual notice.
Florida
Fla. Stat. Ann. 817.5681 et seq. (July 1, 2005)
Notice to consumers of breach in the security, confidentiality or integrity of computerized, unencrypted personal information held by a person who conducts business in the state. Notice not required if, after appropriate investigation or consultation with law enforcement, person reasonably determines breach has not and will not likely result in harm to individuals. Determination must be documented in writing and maintained for five years. Deemed in compliance if person’s own notification procedure is otherwise consistent with the timing requirements of this section, or “maintaining” notification procedures established by person’s primary or functional federal regulator.
Georgia
Ga. Code Ann. 10-1-910 et seq. (May 24, 2007. Covers “information brokers and data collectors”)
Notice of breach that compromises the security, confidentiality, or integrity of computerized personal information held by an info broker or data collector.
Hawaii
HRS Sec 487N-1 et seq. (January 1, 2007)
Notice when unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. Notice under this section not required by a financial institution subject to Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice or by any health plan or healthcare provider under HIPAA.
Idaho
Id. Code Ann. 28-51-104 (July 1, 2006)
Notice to consumers of breach in the security of unencrypted, computerized personal information if after a reasonable investigation, the agency, individual or entity determines that misuse of information of Idaho resident has occurred or is reasonably likely to occur. Notice under this section not required by a person regulated by state or federal law and who complies with procedures under that law.
Illinois
ILCS Sec. 530/1 et seq. (January 1, 2006)
Notice to consumers of breach in the security, confidentiality, or integrity of personal information of the system data held by a person or a government agency. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act.
Indiana
Ind. Code Sec. 4-1-11 et seq. (June 30, 2006)
Notice to consumers of breach in the security, confidentiality, or integrity of computerized personal information held by a government agency.
Indiana
Ind. Code Sec. 24-2-9 et seq). (June 30, 2006)
Notice when a data collector knows, should know, or should have known that the unauthorized acquisition of computerized data, including computerized data that has been transferred to another medium, constituting the breach has resulted in or could result in identity deception, ID theft or fraud. Notice not required under this section if entity maintains own disclosure procedures, is under federal USA Patriot Act, Exec. Order 13224, FCRA, Financial Modernization Act, HIPAA or financial institutions that comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice.
Iowa
Iowa Code Chapter 2007-1154 (July 1, 2008)
Notice to consumers of breach in the security of unencrypted, unredacted personal information electronic form. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. Written documentation of the investigation must be kept for 5 years. Exempted are those with own notification procedures or procedures under state or federal   law providing at least greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by primary regulator, or state or federal laws. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt.
Kansas
Kansas Stat. 50-7a01, 50-7a02 (January 1, 2007)
Notice to consumers about a breach in the security of unencrypted, unredacted computerized personal information if investigation determines misuse has occurred or is reasonably likely occur.
Louisiana
La. Rev. State. Ann. Sec. 51 3071-3077 (January 1, 2006)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. No notice if, after a reasonable investigation, the data holder determines that there is no reasonable likelihood of harm to customers. Notice not required by financial institutions in compliance with federal guidance.
Maine
Me. Rev. Stat. Ann. 10-21-B-1346 to 1349 (January 31, 2006. Covers only information brokers)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information if the personal information has been or is reasonably believed to have been acquired by an unauthorized person. Notice under this section is not required by persons regulated by state or federal law and which complies with procedures under that law.
Massachusetts
201 CMR 17.00 (March 1, 2010)
Notice of a breach unauthorized acquisition of unencrypted data, or encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality or integrity of the personal information that creates a significant risk of identity theft or fraud.
Michigan
2006-PA-0566 (July 2, 2007)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Notice under this section required unless person/agency determines security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft. Does not apply to financial institutions or HIPAA entities.
Minnesota
Minn. Stat. 324E.61 et seq. (January 1, 2006)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Does not apply to financial institutions or HIPAA entities.
Montana
Mont. Code Ann.   31-3-115 (March 1, 2006)
Notice to consumers of breach in security, confidentiality, or integrity of computerized personal information held by a person or business if the breach causes or is reasonably believed to have caused loss or injury to a Montana resident. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Nebraska
Neb. Rev. Stat.   87-801 et seq. (July 16, 2006)
Notice to consumers of a breach in the security of unencrypted, computerized personal information if an investigation determines use of information has occurred or is reasonably likely to occur. Deemed in compliance if person’s own notification procedure is otherwise consistent with the timing requirements of this section, or if notification procedures established by person’s primary or functional federal regulator.
Nevada
Nev. Rev. Stat. 607A.010 et seq. (January 1, 2006)
Notice of breach of the security, confidentiality, or integrity of unencrypted computerized personal information by data collectors, which are defined to include government, business entities and associations who handle, collect, disseminate or otherwise deal with nonpublic personal information. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or is subject to compliance with the Gramm-Leach-Bliley Act.
New Hampshire
NH RS 359-C: 19 et seq. (January 1, 2007)
Notice of unauthorized acquisition if determined likelihood information has been or will be misused. Notice must be given if there is a determination that misuse of information has occurred or is reasonably likely to occur or if a determination cannot be made. Notice under this section not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section or if the entity is a person engaged in trade or commerce under RSA 358-A:3 and maintains notification procedures established by its primary or functional regulator.
New Jersey
NJ Stat 56:8-163 (July 2, 2006)
Notice of breach of security of unencrypted computerized personal information held by a business or public entity. No notice if a thorough investigation finds misuse of the information is not reasonably possible. Written documentation of the investigation must be kept for 5 years. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
New York
NY Bus. Law Sec. 899-aa. (December 8, 2005)
Notice of breach of security of computerized unencrypted, or encrypted with acquired encryption key, personal information held by both public and private entities.
North Carolina
N.C. Gen. Stat. 75-65 (December 1, 2005)
Notice of breach of security of unencrypted and unredacted written, drawn, spoken, visual or electromagnetic personal information, and encrypted personal information with the confidential process or key held by a private business if the breach causes, is reasonably likely to cause, or creates a material   risk of harm to residents of North Carolina. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
North Dakota
N.D. Cent. Code 51-30 (June 1, 2005)
Notice of a breach of the security of unencrypted, computerized, personal information by persons doing business in the state. Includes an expanded list of sensitive personal information, including date of birth, mother’s maiden name, employee ID number, and electronic signature. Exception for those financial institutions which are in compliance with federal guidance.
Ohio
O.R.C. Ann. 1349.19 et seq. (February 17, 2006)
Notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business where reasonably believed it will cause a material risk of identity theft or fraud to a person or property of a resident of Ohio. Notice under this section is not required by financial institutions, trust companies or credit unions or any affiliate required by federal law to notify customers of information security breach and who is in compliance with federal law.
Oklahoma
Okla. Stat. 74-3113.1 (June 8, 2006)
Requires state government agencies to give notice of breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Oklahoma whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice is not required under this section by a state agency, board, commission, or unit or subdivision of government if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Oregon
O.R.S. 646A.604 (October 1, 2007)
Notice when unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person. Notice not required if after an appropriate investigation or after consultation with federal, state or local agencies responsible for law enforcement, the person determines no reasonable likelihood of harm to consumers whose personal info has been acquired has resulted or will result from the breach. Determination must be in writing and kept for 5 years. Exempted are those with own notification procedures under state or federal law providing at least greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by primary regulator, or state or federal laws, and financial institutions which are in compliance with federal guidance.
Pennsylvania
73 Pa. Cons. Stat. 2303 (June 30, 2006)
Notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business and is reasonably believed to have been accessed or acquired by an unauthorized person. Notice under this section not required if entity maintains its own   notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Puerto Rico
10 L.P.R.A. 4051 et seq. (January 5, 2006)
Notice of breach of the security, confidentiality and integrity of unencrypted personal information, where access has been permitted to unauthorized persons or it is known or reasonably suspected that authorized persons have accessed the information with intent to use it for illegal purposes.
Rhode Island
RI Gen. Law 11-49.2-3 to 11.49.2-7 (March 1, 2006)
Notice of a breach of the security, confidentiality or integrity of unencrypted, computerized, personal information by persons and by state agencies if breach poses significant risk of identity theft when unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. No notice is required if after an appropriate investigation or after consultation with relevant federal, state, and local law enforcement agencies, determine the breach has not and will not likely result in harm to individuals. Does not apply to HIPAA entities or financial institutions in compliance with Federal Interagency Guidelines. Entities covered by another state or federal law are exempt only if that other law provides greater protection to consumers.
South Carolina
SC Code §1-11-490 et seq. (January 1, 2009)
Notice of a breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, when illegal use of the information has occurred or is reasonably likely to occur, or use of the information creates a "material risk of harm" to the consumer. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Tennessee
Tenn. Code Ann. 47-18-21 (July 1, 2005)
Notice of the unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information. Does not apply to persons subject to Title V of the Gramm-Leach-Bliley Act.
Texas
Tex. Bus & Com. Code Ann. 4-48-103 (September 1, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons who conduct businesses in the state. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Utah
Utah Code 13-44-101 et seq. (January 1, 2007)
Notice of a breach of the security of computerized personal information that is not protected by a method that makes the information unusable. Entities covered by another state or federal law are exempt if the person notifies each affected Utah resident in accordance with that law.
Vermont
Vt. Stat. Tit 9 Sec. 2435 (January 1, 2007)
Notice if investigation reveals misuse of personal information for identity theft or fraud has occurred, or is reasonably likely to occur. Notice is not required if the data collector establishes that misuse of personal information is not reasonably possible. Must provide notice and explanation to the Attorney General or department of banking, insurance, securities and health care administration in the event data collector is a person/entity licensed with that department. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Virgin Islands
14 V.I.C. 2208 et seq. (October 17, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information reasonably believed to have been acquired by unauthorized persons. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
Virginia
VA Code 18.2-186.6 (July 1, 2008)
Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, if an individual or entity reasonably believes such information has been accessed and acquired by an unauthorized person and has caused or will cause identity theft or other fraud. Notice under this section is not required if an entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or if the entity has notification procedures established by a federal regulator. This section does not apply to any entity that is subject to compliance with the Gramm-Leach-Bliley Act.
Washington
RCW 42.17 et seq. (July 24, 2005)
Notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons, businesses and government agencies. Notice is not required when there is a technical breach of the security of the system which does not seem reasonably likely to subject customers to a risk of criminal activity. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.
West Virginia
WV Code 46A-2A-101 et seq. (June 26, 2008)
Notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, reasonably believed to have been accessed and acquired by an unauthorized person and has caused, or will cause, identity theft or other fraud. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.
Wisconsin
Wis. Stat. 895.507 (March 16, 2006)
Notice to the consumer when personal information is taken in a security breach that is not encrypted, redacted or altered in any manner rendering the information unreadable. This includes DNA and biometric data. Notice not required if the acquisition of personal information does not create a material risk of ID theft or fraud.
Wyoming
W.S. 40-12-501 to 509 (July 1, 2007)
Notice of the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information, if an investigation determines that misuse of the personal identifying information has occurred or is reasonably likely to occur. Financial institutions subject to the Gramm-Leach-Bliley Act or credit unions under 12 USC §1752 are exempt from providing notice under this section.

(Jacobs, 2011)


= = = = = = = = = = = = = = = = = = = = = = =
= = = = = = = = = = = = = = = = = = = = = = =
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager