[Dshield] Mandatory Disclosure of Data Loss Laws

Valdis.Kletnieks at vt.edu
Wed Aug 16 00:10:42 GMT 2006


On Mon, 14 Aug 2006 14:32:54 CDT, Shawn Cox said:
> Is California still the only State to have laws on the books which require
> companies who lose private data to notify the owners of said data?

I think they've cropped up elsewhere.  The big gotcha in the California
statute is that you can get nailed by it even if you're not based in
California, and the disclosure didn't happen on a server there - as long
as the *customer* is in California, you have a problem.

> I thought there was some discussion of federal level laws on this subject,
> but I am unable to find the data at this time.

Read Senator Reid's open letter to the President in the most current
comp.risks, and ask yourself what the likelihood is of anything *serious*
actually being done.  Oh, and review the CAN-SPAM act to see what
happens when the guys in DC try to legislate this stuff...

http://catless.ncl.ac.uk/Risks/24.37.html

> We are currently in the process of updating our internal security policies
> and need to know if we stay with our current voluntary policy or shift gears
> to anticipate required notification which requires more or less of our
> current policy.

I would recommend that you start building the infrastructure needed if
you *do* get hit with mandatory notification requirements.  Whether you should
do voluntary notification is for you, your legal team, and your risk
management team to decide.