Lab #6 - Assessment Worksheet
Identifying the Scope of Your State’s Data and Security Breach
Notification Law
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you reviewed the data security breach notification laws for your state and you
assessed the scope and depth of the privacy protection rights of a citizen in your state.
Lab Assessment Questions & Answers
1. Were you successful in finding your state’s data and security breach notification law? Specify the
name of the law. If you were unable to download your state’s law, use the state of Virginia to
complete the question.
2. What is the purpose of state governments imposing a breach notification law on organizations to
protect their citizens?
3. Explain how state government data security breach notification laws relate to individual privacy.
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Student Lab Manual
4. Assess the scope and depth of privacy protection rights that a citizen has by being a resident of a
state. Write down the name of your state, and then identify the following for your state’s breach
notification law:
• Who or what does the law in your state protect?
• Does the law include both for profit and nonprofit organizations?
• Does the law have a financial penalty assessed to the negligent party if proven guilty?
• Does your state require the organization to publicly announce a breach to the media?
• Does your state notification law take into account encrypted data or doesn’t it matter whether
the data is encrypted or not encrypted?
• Does your state’s law define the amount of time an organization has to publicly announce that
a breach has occurred? If yes, specify the time. If no, describe how your state handles this.
5. True or false: If you are a citizen in one state but the company that had a data and security breach
with your privacy data resides in another, the company must adhere to the data and security
breach notification law of your home state.
6. Because most states have data and security breach notification laws related to their citizens’
privacy, what is the number one reason for having these laws from a citizen protection
perspective?
7. Some states define a data and security breach as the loss and exposure of citizen privacy data in
an unencrypted manner. If a state encountered a data and security breach, but no citizen’s privacy
data was compromised given that it was encrypted in a steady-state within a database, does the
company or organization have to abide by the data and security breach notification law?
8. True or false: Unauthorized access to a system must occur for the data and security breach
notification law to take precedence.
Lab #6 Identifying the Scope of Your State’s Data and
Security Breach Notification Law
Introduction
The United States does not have a unified data privacy law at the national level as, for example,
many countries in Europe do. Laws such as the Health Insurance Portability and Accountability
Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) are comprehensive and effective, but only
protect consumers in a single industry.
So, what if an individual’s private data is subjected to a security breach not covered by HIPAA
or GLBA? Without an overarching federal mandate in effect, a company that discovered its data
had been compromised is not compelled to notify all the affected individuals. Notification, and
possible liability to provide identity theft protection, comes only in laws including mandated
security breach notifications. To bridge the gap in privacy protection, most states have enacted
their own privacy laws.
With the help of the Internet, you can research these gaps and find out what your state does to
protect your privacy. For instance, the purpose of the National Conference of State Legislatures
(NCSL) is, according to its Web site, to provide “access to current state and federal legislation
and a comprehensive list of state documents, including state statutes, constitutions, legislative
audits, and research reports.”
In this lab, you will review the data security breach notification laws for your state and you will
assess the scope and depth of the privacy protection rights of a citizen in your state.
Learning Objectives
Upon completing this lab, you will be able to:
• Relate state government data security breach notification laws to individual privacy.
• Explain why state governments have data security breach notification laws.
• Find a specific state’s data and security breach notification law.
• Download a copy of a specific state’s data and security breach notification law.
• Assess the scope and depth of the privacy protection rights of a citizen of any particular state.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
Instructor Demo
The Instructor will present the instructions for this lab. This will start with a general discussion
about privacy law and how state governments implement data and security breach notification
laws to inform their citizens that their privacy data has been compromised. The Instructor will
then demonstrate the National Conference of State Legislatures (NCSL) Web site, which lists the
data and security breach notification laws for 47 states as well as the District
of Columbia, Guam, Puerto Rico, and the Virgin Islands (three states have not passed
legislation as of April 2014):
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
Hands-On Steps
Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab
deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you
proceed through the lab steps.
3. Currently, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands
have data and security breach notification laws that define what organizations must do if
they have had a data or security breach that impacts citizen privacy data. The National
Conference of State Legislatures (NCSL) Web site tracks and organizes
telecommunication and information technology state legislation. Review the NCSL Web
site and data and security breach notification laws for each state listed at
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx.
4. Scroll down the list of states and find the state of Virginia.
5. Click the Va. Code § 18.2-186.6 link.
6. Review the “Breach of personal information notification” law.
Reading Codified Law
If reading law text makes your eyes hurt, you are not alone. Legal text is jokingly known to be challenging to read,
let alone understand. Statutory law is rarely written in a narrative form. Instead, it is very structured, if not
formulaic. To make matters worse, a whole section might exist simply to explain a single prior word, for example,
“redact” in the case of Va. Code § 18.2-186.6.
This codified law is very structured and organized, laid out logically in nested divisions just as a software
developer would develop “code.” The increasingly narrow divisions start from the top as Titles, Chapters, Parts,
Sections, Paragraphs, and down to Clauses. Each of those divisions can be broken into subdivisions, for example,
a Paragraph of three Subparagraphs, with one Subparagraph containing 10 Clauses.
Laws are broken down this way on purpose, to provide the reader clear, and clearer, definitions of a narrow topic.
The best approach is to be aware of the numbering to know when you are going deeper into a definition, or rising back
out of one.
7. In your Lab Report file, explain how state government data security breach notification
laws relate to individual privacy.
Note:
Virginia has two breach notification laws, the first being the general statute you explained in lab step 7. Its second
law is specific to health care information. Virginia’s law 32.1-127.1:05 was signed in 2010. It is different from
HIPAA in that the state law is relevant to those entities that aren’t already covered by HIPAA. Virginia law
32.1-127.1:05 also provides a detailed definition of “medical information.”
8. Click the Back button on your browser (or, if the Va. Code link opened a new window,
close that window).
9. After you have returned to the list of states, scroll to find your state.
10. Click and download the security breach notification laws for your state. If you cannot
download your state’s security breach laws, return to the state of Virginia and use that
information to complete this lab.
11. In your Lab Report file, describe the privacy protection rights that a citizen in your state
has.
Note:
This completes the lab. Close the Web browser, if you have not already done so.
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Relate state government data security breach notification laws to individual privacy. –
[20%]
2. Explain why state governments have data security breach notification laws. – [20%]
3. Find a specific state’s data and security breach notification law. – [20%]
4. Download a copy of a specific state’s data and security breach notification law. – [20%]
5. Assess the scope and depth of the privacy protection rights of a citizen of any particular
state. – [20%]
ISOL 633
Legal, Regulations, Investigations, and Compliance
UNIVERSITY OF THE CUMBERLANDS
School of Computer and Information Sciences
HOUSEKEEPING
➢ Midterm Exam
➢ Course Paper
➢ Homework Assignments
➢ Week Five Lecture
CHAPTER NINE: STATE LAWS PROTECTING CITIZEN
INFORMATION AND BREACH NOTIFICATION LAWS
The Breaches that Spurred the Laws
California’s Notification Laws
Decision Making: Notify or Not?
Encryption Regulations
Disposal of Sensitive Consumer Data
CHAPTER NINE: STATE LAWS PROTECTING CITIZEN
INFORMATION AND BREACH NOTIFICATION LAWS
State governments have created data protection laws.
In some ways, many states are more aggressive in trying
to protect their citizens’ personal information than the
federal government.
Many state laws apply to businesses that aren’t actually in
the particular state.
California Breach Notification Act - This law applies to
anyone who owns or uses data that contains the
unencrypted personal information of California residents.
CHAPTER NINE SUMMARY
This chapter reviewed state laws that protect data. States
have been very active in trying to protect the personal data
of their residents. They’ve created many different laws to
protect the security and privacy of this information. They’ve
created these laws because there’s no one comprehensive
federal data privacy or security law. When reviewing state
laws that protect certain types of data, it’s important for you
to think about what other state or federal laws might also
protect the data.
CHAPTER TEN: INTELLECTUAL PROPERTY LAW
GENERAL CONSIDERATIONS
Black’s Law Definition
1. A category of intangible rights protecting commercially valuable
products of human intellect.
2. A commercially valuable product of the human intellect, in a concrete
or abstract form, such as a copyrightable work, a protectable
trademark, a patentable invention, or a trade secret.
Why Are We Examining IP?
Prevalence of electronic data
Easy to steal, misuse, delete, edit
File-sharing of media
Protect company, employees,
self
Many IP Classifications
CHAPTER TEN: INTELLECTUAL PROPERTY LAW
PATENTS
Protectable = (novel) +
(useful) + (non-obvious)
Strongest of IP protection
Prevent others’ use typically
for 20 years
Publishing the patent
stimulates further invention
CHAPTER TEN: INTELLECTUAL PROPERTY LAW
TRADEMARKS
Projects the “good will” that
merchants or vendors invest in
the recognition of their
products
Gives the owner of the
markings exclusive rights over
the item for which the
trademark was granted
Trademarks are registered
with a government registrar
CHAPTER TEN: INTELLECTUAL PROPERTY LAW
TRADE SECRETS
Proprietary business or
technical information,
processes, designs,
practices, etc., that are
confidential and critical
to the business.
CHAPTER TEN: INTELLECTUAL PROPERTY LAW
COPYRIGHTS
Protects expression of ideas,
not the ideas themselves.
Work for Hire
Programs, Writings,
Recordings
Original work of authorship
CHAPTER TEN SUMMARY
Intellectual property protection is broad. It protects a person’s
ownership rights in their creative ideas. It gives them the right to
protect their ideas and profit from them. These rights are exclusive to
the owners of intellectual property. They can take action against
people who violate their IP rights.
Intellectual property protection is particularly important to think
about as more content becomes available on the Internet. Intellectual
property law protects ideas once they’re in a physical form. When
materials are published on the web, they’re in a physical form.
Traditional legal concepts about IP ownership are used to protect
materials published on the Internet.
HOMEWORK ASSIGNMENTS
Make real progress on the Course Paper
Lab #6 – Identifying the Scope of Your State’s Data and Security
Breach Notification Law
Lab #7 – Case Study on Digital Millennium Record Act: Napster
Read Chapters Eleven and Twelve