AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Louisiana Personal Information Data Privacy Notification And Encryption Laws: SB 205 Act 499

Louisiana passed a data breach notification law which went into effect on January 1, 2006.  The law is called the "Database Security Breach Notification Law" (Senate Bill 205 Act 499), and requires any people or companies that lose sensitive, personal data to notify those that are affected.  If the information was protected using encryption software, the breach notification is not necessary.

I must warn at this point that I'm not a lawyer, and this is not legal advice.  At the same time, I should note the contents are lifted directly from the senate bill that was ratified.

Personal Information Defined According To Louisiana Encryption Law - SB 205 Act 499

Personal information is defined under the law as any of the following, but it must be in combination with an individual’s first name or first initial and last name (otherwise, the loss of the following does not require notification, it looks like):

  • Social Security number,
  • Driver’s license number,
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

As stated before, if data encryption was used to protect the data, notification is not required.

I don't think that I also need to lay out what constitutes a "data breach."  I mean, if you truly didn't know, you'd assume you didn't have one, and you wouldn't be reading this right now.

Disclosure Steps

Disclosure of a data breach must be made "in the most expedient time possible" barring delays requested by law enforcement.  Notification can be made via:

  • Written notification
  • Electronic notification
  • Substitute notification (including email, posting of notification on the web site of the agency or person with breached data, or notification to major statewide media)

Substitute notifications are only possible if:

  • The cost of providing notification exceeds $250,000; or
  • Over 500,000 people must be notified; or
  • The notifying agency does not have sufficient contact information

There is a clause in there that kind of blows all of the above out of the water.  Subsection G notes that,

"Notification under this title is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers."

In other words, the fox is in charge of the henhouse....

Louisiana Personal Information Encryption Law Penalties

A civil action (which, apparently, is just lawyer-speak for "lawsuit") can be started to recover any damages a person experienced due to a delay in timely disclosure of a data breach.

I'm not a lawyer, but the way it's worded, it almost sounds as if there is no legal remedy for the actual breach itself.  That is, a person falls victim to identity theft because of a data breach but, because the company notified the person in a timely manner, it has fulfilled its duties and is in good legal standing.

Hmph.  Between this and subsection G, it almost sounds as if there's very little incentive for a company to invest in encryption.  That just doesn't sound right, meaning you should consult with your legal representative.


Related Articles and Sites:
http://www.legis.state.la.us/billdata/streamdocument.asp?did=317617

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.