From: Chris Walsh (chris at cwalsh.org)
Date: Wed Mar 12 2008 - 15:00:50 CDT
On Wed, Mar 12, 2008 at 04:30:23AM -0800, Rob Shavell wrote:
>
> following from this: what is the importance to an organization of
> reading through particulars of state by state legislation when they
> can just follow California, notify everyone, and be in compliance?

There are substantial differences among the state laws.

In NC, the data needn't be computerized. In several (not CA) states, a report must be made
to the state as well as to impacted parties. In some states, encryption gets you off the hook,
in others, redaction is good enough. In others, even a password(!) is good enough.

I understand the "meet the strictest requirement" philosophy, but California isn't it.

Until there is consistency across states, a la the uniform commercial code, it behooves you
to be up on what each state requires.

That said, "somebody" should just offer this as a service. IANAL, but it seems like the kind
of thing that would be quite easy to do.

cw
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss