Enterprise Integration Program on Security Breach Notification
Jody Westby (center), CEO of Global Cyber Risk, is the author of the ISAlliance Security Breach Notification report. Here she is meeting with ISAlliance Board member Steve Christensen, Ceridian (left), and John Denning (right), Counsel to Senator Coburn (R-OK), to discuss the policy and business considerations of security breaches.

Twenty-eight states have enacted some form of security breach notification law, and similar legislation is pending in Congress. Compliance with the various jurisdictional requirements can be difficult and burdensome. Technological solutions can help detect breaches and assist in investigations, but they depend on organizational policies and procedures that affect operations and mitigate liability.

Breach Disclosure Laws Vary from State to State

Although California's data breach notification law has probably garnered more attention than any other data breach legislation in the country, 32 other states have their own versions of such laws. The variety of requirements creates a legal morass for organizations conducting interstate business, because the requirements for notification and data handling vary from state to state. One provision that appears in virtually all data breach notification laws is that even if an organization outsources customer data management, the organization remains liable for the fallout of a data breach.

In most states, if the customer data are encrypted, the organization is not required to notify customers. One notable exception is Pennsylvania, where the bill says "an entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption keys." Eighteen states allow notification exemptions if the investigation of the breach indicates that the data are unlikely to be misused.

Other states allow notification exemptions if the customer data are redacted; for example, credit card numbers can be truncated so that they are no longer usable by someone who views them. Several states also have laws governing the secure disposal of paper documents containing customer data. Of the 33 states with data breach notification laws, just 22 hold their governments to the same level of responsibility to which businesses are subject.

The EIP on breach notification will focus on the array of notification laws and the differences in their requirements, on technical solutions that can help mitigate risk, and on policy and operational considerations. A series of four electronic conferences on Security Breach Notification has now been scheduled. Please mark your calendar now and join us on the following dates:
July 25, 2007: Security Breach Notification: A Legal Patchwork

The archived presentations on Security Breach Notification and the written report are available to members in the members-only section. The written report is also available to ISAlliance members by email on request.
