As promised to the good folks at Washington University’s Center for the Application of Information Technology, I have collected and posted the various documents and state breach notification laws that we referenced in the discussion yesterday (March 24). Here they are with a few other relevant statutes and comments thrown in:
The Connecticut Department of Insurance Regulations (5 days & Unencrypted)
Massachusetts Standards for the Protection of Personal Information
Proposed Amendment to the Hawaii Data Breach Notification Statute
A few additional notes:
1. What Law Applies in the Event of a Breach: Massachusetts has certainly set the tone for this discussion by repeatedly making the claim that ANY business that maintains the personal information of a Massachusetts resident is subject to Massachusetts data protection laws, regardless of where the business operates or is organized. That claim of jurisdiction extends to both the breach notification and the requirement for businesses to implement a comprehensive, written information security program (as noted in the link above).
2. Other “Short” Timelines for Breach Notification: Many participants asked about other states, agencies, or regulators that have compressed time requirements for notification. Here are a few others:
California Health and Safety Code
Puerto Rico Breach Notification Law
Florida Data Breach Notification Law
Note that the Florida law has a 45-day requirement for entities that maintain personal information on their system (Data Owners), but it has a 10-day notice requirement for those that maintain the personal information on behalf of others (Data Licensees). Thus, the compressed time allows the Owner to get the notice from the Licensee in enough time to comply with its 45-day requirement.
3. Third Man In: And by far the most requested piece of information — the clip of the Dancing Man from the Sasquatch Music Festival. Or try it this way: http://www.youtube.com/watch?v=Frd0CPYuZgU
Thanks again to the facilitators and participants from the CAIT Security Roundtable. It was my pleasure and honor to join you in the discussion. I will post a few more of the specific reports, laws, surveys, and studies shortly.
UPDATE: I also learned that one of the participants at the Security Roundtable received a breach notification from TripAdvisor WHILE we were discussing breach notification. Glitch in the Matrix. Here is more on the TripAdvisor issue.
Anthony Martin from RedPoint Privacy Advisors will be on a panel of lawyers and experts to discuss the privacy, security, and legal challenges that Social Media and Social Networking create for users, companies, ad agencies, and employers. The event was trending toward SOLD OUT a few days ago. (RedPoint would LOVE to claim some credit for that rush for tickets, but the last St. Louis Social Media Club event was also sold out and featured Happy Hour prices on drinks rather than a panel.) Regardless, RedPoint is excited about the growth and enthusiasm of the St. Louis Social Media scene. It is a pleasure and an honor.
For more information on the event, click HERE.
What: Monthly SMCSTL Meetup and a Panel on Privacy, Security and Legal Protection in Social Media
When: Wednesday, March 23rd at 6:00 pm
Where: Moulin Events Center, 2017 Chouteau Avenue
Join us for a panel about privacy, security and legal issues companies should be aware of when engaging in social media. The evening begins with drinks and networking at 6 pm, and a panel discussion from 6:30 to 7:30 pm to discuss current concerns, risks and issues related to content sharing and participating in the social networking space. We will also open up for questions from the audience.
This is a free event but we ask that you please register on this page. A cash bar will be available throughout the evening.
Panelists:
Pete Salsich
Intellectual Property Litigator and Counselor, Entrepreneur, Founding Principal of The BrickHouse Law
@PeteSalsich | LinkedIn | Blog
Craig Moore
Litigation Attorney at Armstrong Teasdale LLP, Co-Chair of Social Media Practice Group
@CraigGMoore | @AT_Law | LinkedIn
Anthony Martin
Privacy Lawyer, Professor and Founder of RedPoint Privacy Advisors, a data protection firm
@AMPrivacy | LinkedIn | Blog