in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based data and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

AlertBoot offers a cloud-based data and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Ohio Data Breach Notification Law Does Not Apply To Paper Documents

Many states have passed laws regarding data breaches.  In fact, there are 44 such states laws to date.  Most, but not all, offer safe harbor if the lost or stolen data was protected with some kind of data security measure, such as full disk encryption software like AlertBoot.  But what about the other type of data?  The type that comes on printed paper?

In Ohio, Breached Paper Data Does Not Require Disclosure

Ohio is one of the 44 states that passed legislation that requires breach notification letters to be sent out when a company (or the government) has an information security breach.  Ohio is also part of the majority of states that provides safe harbor if a data encryption program is used.

But the legislation does not apply, at least not in Ohio, if the breached data comes in the format known as paper:

"(The law) applies to data in a computer system, security breaches,” said Ted Hart, spokesman for the Attorney General’s Office, which is responsible for enforcing the provision. “The law is specific to data theft and hacking and security systems." [oxfordpress.com, my emphasis]

Which explains why a 2008 paper-based breach involving 10,600 people was never reported.  Had it been a missing computer, the state would have required disclosure in 45 days or less, and most likely followed up on it, too.

Why Is A Paper-Based Breach Not Important?

It is important.  However, the law is clear that it's all about electronic data.  Indeed, that's the reason why certain states have reflected this loophole in their breach notification laws and made breach notifications a requirement when data is breached regardless of the "format."

In other words, we've got a badly written law here.  It's like making it a crime to kill anyone with a gun only, meaning it's not a crime if you run over them, stab them, gouge their eyes, come after them with a katana (a la Bruce Willis in Pulp Fiction), burn them at the stake, etc.

What this also shows, however, is the necessity of laws such as forced breach notifications.  I mean, people say that it doesn't accomplish anything.  But look at what happens when the law doesn't require it: people literally hide this stuff.

At least, if people are notified, they can take individual action.  If only we could pass something similar that required encryption for sensitive data, as opposed to making it conditional to something else...


Related Articles and Sites:
http://www.oxfordpress.com/news/oxford-news/disclosure-law-doesnt-cover-misplaced-documents-759690.html

 
<Previous Next>

Laptop Encryption Software For Social Security Administration Telecommuters?

CD Disc Encryption: Interior Department Loses Encrypted CD, Notifies 7500 Employees

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.