Enterprise Data (Decentralized Control, Data Security and Privacy)
Incident Response: State and Federal Law
Rodney Petersen
Security Task Force Coordinator
EDUCAUSE
Notification of Security Breach Risk
The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress)
Reporting the Breach to the Federal Trade Commission!!!
Notification of Consumers
Consumer Notification
. . . Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.
Reasonable Risk of ID Theft
In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.
Methods of Notification
Written notice
Electronic notice
Substitute notice, when:
Cost of notice exceeds $250,000
The number of individuals to be notified exceeds 500,000
You do not have sufficient contact information
Substitute Notice
Notice by electronic mail when you have an email address for affected individuals
Conspicuous posting of such notice on your Internet website
Notification to major State-wide media
Content of the Notice
Name of the individual whose information was the subject of the breach of security
The name of the “covered entity” that was the subject of the breach of security
A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
The specific dates between the breach of security of the sensitive personal information of the individual and discovery
The toll-free numbers necessary to contact:
  Each entity that was the subject of the breach of security
  Each nationwide credit reporting agency
  The Federal Trade Commission
Timing of Notification
Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
There is a provision for law enforcement and homeland security related delays
Implications
Application of state laws
Conflicting requirements
Potential for Federal preemption
Congressional record may prove important
Absence of case law
Unfunded mandate