M. E. Kabay reviews a resource previously mentioned on this site:
Until recently, information assurance (IA) personnel and attorneys specializing in this area of the law have had to search for the appropriate governing laws for each jurisdiction. In this column, I review a valuable resource for locating the laws that apply to disclosure of personally identifiable information (PII) in each state in the United States and internationally.
[…]
The National Conference of State Legislatures (NCSL) has prepared a list (updated Dec 9, 2009 as of this writing) of all of the laws with links to all of them. The table adds, “States with no security breach law: Alabama, Kentucky, Mississippi, New Mexico and South Dakota.”
The law firms of Foley & Lardner LLP and Eversheds LLP have gone far beyond the simple list from the NCSL.
…[T]he International Association of Privacy Professionals (IAPP) revealed the “International Security Breach Notification Survey” at its Data Protection and Privacy Workshop in Madrid, Spain [in November 2009]. The survey was developed through a collaborative effort between Foley [& Lardner LLP] and the international law firm Eversheds LLP.
Considered to be the most comprehensive summary to date, the survey provides in-depth coverage of all major aspects of U.S. and international security breach laws. Organized by region, the survey indicates where laws and standards have been established as they relate to particular categories. These categories include: notice requirements; timing of disclosure; form of disclosure; entities that maintain data; existing policies; exemptions from disclosure; damages/enforcement; and preemption.
The authors have kindly allowed me to post a copy of their report for free download on my Web site.
Read more on Network World.