Many states have passed laws regarding data breaches. In fact, there are 44 such state laws to date. Most, but not all, offer safe harbor if the lost or stolen data was protected with some kind of data security measure, such as full disk encryption software like AlertBoot. But what about the other type of data? The type that comes on printed paper?
Ohio is one of the 44 states that have passed legislation requiring breach notification letters to be sent out when a company (or the government) has an information security breach. Ohio is also part of the majority of states that provide safe harbor if a data encryption program is used.
But the legislation does not apply, at least not in Ohio, if the breached data comes in the format known as paper:
“(The law) applies to data in a computer system, security breaches,” said Ted Hart, spokesman for the Attorney General’s Office, which is responsible for enforcing the provision. “The law is specific to data theft and hacking and security systems.” [oxfordpress.com, my emphasis]
Which explains why a 2008 paper-based breach involving 10,600 people was never reported. Had it been a missing computer, the state would have required disclosure within 45 days, and most likely would have followed up on it, too.
It is important. However, the Ohio law is clear that it's all about electronic data. Indeed, that's the reason certain other states have closed this loophole in their breach notification laws and require notification when data is breached regardless of its "format."
In other words, we've got a badly written law here. It's like making it a crime to kill anyone with a gun only, meaning it's not a crime if you run over them, stab them, gouge their eyes, come after them with a katana (a la Bruce Willis in Pulp Fiction), burn them at the stake, etc.
What this also shows, however, is the necessity of laws such as mandatory breach notification. People say it doesn't accomplish anything. But look at what happens when the law doesn't require it: people literally hide this stuff.
At least, if people are notified, they can take individual action. If only we could pass something similar that required encryption for sensitive data outright, rather than making it a condition for safe harbor from notification...
Related Articles and Sites:
http://www.oxfordpress.com/news/oxford-news/disclosure-law-doesnt-cover-misplaced-documents-759690.html