Valuable resource from Foley & Lardner and Eversheds
Security Strategies Alert By M. E. Kabay, Network World January 25, 2010 12:00 AM ET
Until recently, information assurance (IA) personnel and attorneys specializing in this area of the law have had to search for the appropriate governing laws for each jurisdiction. In this column, I review a valuable resource for locating the laws that apply to disclosure of personally identifiable information (PII) in each state in the United States and internationally.

The first victim-notification law in the U.S. that required organizations to notify data subjects when PII records were compromised was State Bill (SB) 1386, the California Database Breach Act, which came into force in 2003 and was under review in 2009.

The 30-page document "Recommended Practices on Notice of Security Breach Involving Personal Information" from the Office of Privacy Protection of the California Department of Consumer Affairs offers "recommendations …[that] are neither regulations, nor mandates, nor legal opinions. Rather, they are a contribution to the development of 'best practices' for businesses and other organizations to follow in managing personal information in ways that promote and protect individual privacy interests."

One of the most significant aspects of the California law is that it requires that "Notice must be given to any data subjects who are California residents," as the "Recommended Practices" document cited above puts it.

In the years since California's law was enacted, "[45] states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information." The National Conference of State Legislatures (NCSL) has prepared a list (updated Dec 9, 2009 as of this writing) of all of the laws with links to all of them. The table adds, "States with no security breach law: Alabama, Kentucky, Mississippi, New Mexico and South Dakota."

The law firms of Foley & Lardner LLP and Eversheds LLP have gone far beyond the simple list from the NCSL:

…[T]he International Association of Privacy Professionals (IAPP) revealed the "International Security Breach Notification Survey" at its Data Protection and Privacy Workshop in Madrid, Spain [in November 2009]. The survey was developed through a collaborative effort between Foley [& Lardner LLP] and the international law firm Eversheds LLP. Considered to be the most comprehensive summary to date, the survey provides in-depth coverage of all major aspects of U.S. and international security breach laws. Organized by region, the survey indicates where laws and standards have been established as they relate to particular categories. These categories include: notice requirements; timing of disclosure; form of disclosure; entities that maintain data; existing policies; exemptions from disclosure; damages/enforcement; and preemption.

The authors have kindly allowed me to post a copy of their report for free download on my Web site.

This well-organized resource is useful for every organization doing business today. Almost every business may end up with customers residing in locations outside the jurisdiction of the office where an order is placed, yet many of the laws require notification of the data subjects based on where they reside, not where the vendor or supplier is located. Readers should make a point of supplying this document to their corporate counsel and to the IA professionals responsible for setting and enforcing policies and procedures relating to data security breaches and legal compliance. In particular, every computer security incident response team should use the "International Security Breach Notification Survey" in its planning.

We owe a vote of thanks to the experts at Foley & Lardner and at Eversheds for their excellent work.