tag:consumerist.com,2010:/1/tag:64.14.177.195,2008://1.359489- 2010-01-09T04:01:27Z Comments for CSO Maps State-By-State Data Breach Disclosure Laws Shoppers bite back. Movable Type 4.32-en tag:64.14.177.195,2008://1.359489 2008-02-22T07:37:24Z 2008-02-22T07:38:22Z CSO Maps State-By-State Data Breach Disclosure Laws CSO has produced an interactive U.S. map that shows what's required of companies that suffer a data breach in the 38 states that care enough about consumer rights to have passed disclosure laws. Most are modeled after California's strict SB1386 anti-ID theft law, but now you can tell at a glance what your state is doing about the issue—and in most cases you can click on the icon in the pop-up info box to see a copy of the actual law.]]> Chris Walters CSO has produced an interactive U.S. map that shows what's required of companies that suffer a data breach in the 38 states that care enough about consumer rights to have passed disclosure laws. Most are modeled after California's strict SB1386 anti-ID theft law, but now you can tell at a glance what your state is doing about the issue—and in most cases you can click on the icon in the pop-up info box to see a copy of the actual law.

In a related article, CSO talks to a data breach disclosure law expert about what's going on at the federal level, where there are at least eight different proposed laws bouncing around D.C.

Forsheit: I really can't tell you why it's taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It's just not clear why it hasn't. Clearly people are concerned with ID theft. It's mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated--as it is in many states--with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out.

SO: What about the 11 states that don't yet have laws? Are they waiting for a federal bill?

Forsheit: In some of those states, there have been proposals that just haven't made their way through. If we don't see federal legislation soon, those remaining states will likely enact some law


con_screengrabofdatabreachmap.jpg
 
"Data Breach Notification Laws, State By State" [CSOonline]

RELATED
"CSO Disclosure Series | What's Next with Disclosure Legislation?" [CSOonline]

]]> tag:64.14.177.195,2008://1.359489-comment:4371681 Comment from xtc46 - thinksmarter on twitter on 2008-02-24 xtc46 - thinksmarter on twitter http://think-smarter.blogspot.com @Imhotep: I'm in Hawaii and work as a computer tech with a specialty in information and data security. I just quit a company on art because they refused to take the recommended steps to protect confidential medical data and I didn't want to be in a position where civil and criminal charges could be brought against a company where I was responsible, in part, for the protection of that data. It is great for consumers and people in general, because laws like this force companies to take responsibility for the data they hold.

]]> 2008-02-25T03:49:11Z tag:64.14.177.195,2008://1.359489-comment:4357520 Comment from rhombopteryx on 2008-02-22 rhombopteryx

Awesome, according to the map, every single federal law would preempt stronger state laws and prevent identity theft victims from suing the person who leaked the data!
That means every Senator or Congressperson who sponsored one of the bills thinks their own state legislature is too stupid to pass a good law, so they're stopping them.


Congress cares! (about their banking and data mining corporate contributors who have sloppy data protection....)

]]> 2008-02-23T03:10:59Z tag:64.14.177.195,2008://1.359489-comment:4350797 Comment from Barry Zuckerkorn, Esq. on 2008-02-22 Barry Zuckerkorn, Esq.

@Anitra: Yes, "private right of action" means that the person whose data was stolen can sue the company for failing to inform him or her as required by the statute. In the states that do not have a private right of action, usually the company can still be found liable in a lawsuit brought by the state attorney general.

]]> 2008-02-22T23:16:06Z tag:64.14.177.195,2008://1.359489-comment:4346302 Comment from Anitra on 2008-02-22 Anitra I looked through the page but couldn't find this - what is "private right of action"? Is that saying that people whose data have been stolen can sue?

]]> 2008-02-22T20:21:00Z tag:64.14.177.195,2008://1.359489-comment:4344673 Comment from phripley on 2008-02-22 phripley What law pertains:

Are the companies bound by the laws of the state(s) ...where they have operations?

...where they are headquartered?

...or where their customers are located?

]]> 2008-02-22T18:08:57Z tag:64.14.177.195,2008://1.359489-comment:4343549 Comment from Imhotep on 2008-02-22 Imhotep California is strict? There's NO civil or criminal penalty for failure to disclose. Hawaii's looking real good right about now.

]]> 2008-02-22T11:55:50Z tag:64.14.177.195,2008://1.359489-comment:4343130 Comment from darkclawsofchaos on 2008-02-22 darkclawsofchaos

@azntg: Not to mention having the best Highway Patrol around.

]]> 2008-02-22T10:47:09Z tag:64.14.177.195,2008://1.359489-comment:4341629 Comment from azntg on 2008-02-22 azntg Rhode Islanders seem to have it best, having private right of action plus a civil/criminal penalty for failure to disclose!

]]> 2008-02-22T08:05:47Z