[Narrator] In the unfortunate event of a known or suspected data breach, information security professionals have a range of responsibilities dictated by laws and regulations. Like many other security regulations in the United States, data breach laws are a patchwork of regulations that apply in different ways. Some rules apply to specific industries, such as HIPAA for the healthcare industry or PCI DSS for the credit card industry. Other data breach regulations apply to specific jurisdictions, such as the state-by-state data breach notification laws. Generally speaking, these laws apply when an organization knows or suspects that it has suffered a breach of personally identifiable information, or PII. The specific definition of PII varies from state to state, but there are several common elements found in these laws. They often include Social Security numbers, driver's license numbers, and bank account numbers, but they may extend to other information as well.

Some common requirements when an organization suspects a breach include notifying affected individuals and potentially notifying government agencies or law enforcement. Often, organizations also offer credit monitoring services or other compensation to the victims of the data breach. As a security professional, you will need to remain aware of the laws that apply in the jurisdictions where you do business. The National Conference of State Legislatures maintains a website that links to the data breach notification laws of the states that have one in place. It also lists the states that do not have a current data breach notification law. Currently, that list includes Alabama, New Mexico, and South Dakota. Every other state has a data breach notification law. One quick exam tip for you: encryption is an easy way to protect your organization against data breaches. In fact, many data breach notification laws include specific exemptions for encrypted data.