Enterprise data (decentralized control, data security and privacy) Incident Response: State and Federal Law Rodney Petersen Security Task Force Coordinator EDUCAUSE


Page 1

Enterprise data (decentralized control, data security and privacy)

Incident Response: State and Federal Law

Rodney Petersen

Security Task Force Coordinator

EDUCAUSE

Page 2

Notification of Security Breach Risk

The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress)

Reporting the Breach to the Federal Trade Commission!!!

Notification of Consumers

Page 3

Consumer Notification

. . . Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.

Page 4

Reasonable Risk of ID Theft

In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.

Page 5

Methods of Notification

Written notice

Electronic notice

Substitute notice, available when:

Cost of notice exceeds $250,000

The number of individuals to be notified exceeds 500,000

You do not have sufficient contact information

Page 6

Substitute Notice

Notice by electronic mail when you have an email address for affected individuals

Conspicuous posting of such notice on your Internet website

Notification to major State-wide media

Page 7

Content of the Notice

Name of the individual whose information was the subject of the breach of security

The name of the "covered entity" that was the subject of the breach of security

A description of the categories of sensitive personal information of the individual that were the subject of the breach of security

The specific dates between the breach of security of the sensitive personal information of the individual and discovery

The toll-free numbers necessary to contact:

Each entity that was the subject of the breach of security

Each nationwide credit reporting agency

The Federal Trade Commission

Page 8

Timing of Notification

Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity

In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system

There is a provision for law enforcement and homeland security related delays

Page 9

Implications

Application of state laws

Conflicting requirements

Potential for Federal preemption

Congressional record may prove important

Absence of case law

Unfunded mandate