Question

As the textbook says, there is no general federal law that requires businesses to disclose to customers when their personal information has been compromised in a cybersecurity breach. Instead, there are different laws in every state. For this assignment, you'll look at Washington's disclosure law:

http://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010

If you've never read a law before, this is actually a great one to start with. Like most, the language is rather convoluted, but at least it is short. In comparison, the CISA that was passed last fall is 136 pages out of a longer bill that is over 2000 pages long.

Answer the following ten questions about Washington's disclosure law referenced above. Each question is worth 10 points. Be sure to read the law carefully; not all answers are straightforward.

When a question asks for a “section number”, it means the number in parentheses before the statement where you find the answer to the question. If there's a letter in parentheses before the statement, then that's just a subsection to the previous number. For instance, the statement “Notification to major statewide media.” is really subsection 8(c)(iii), so you would just refer to that as section 8 in your answer.

For some of these questions, the appropriate answer is to simply copy a statement from the law. When you do that, be sure to use quotation marks.

Question 1. What two elements of the CIA triad are referenced in this law, and in what section number(s)?

Question 2. When a disclosure notification is required, in what three methods may notification be provided, and in what section number do you find the answer?

Question 3. If only one Washington resident is affected by the breach, is the business still required to notify that one person?

Question 4. If 1000 Washington residents are affected by the breach, who besides the people affected must be notified, and in what section number do you find the answer?

Question 5. If the only information that is stolen in a breach is a mailing address, is notification required, and in what section number do you find the answer?

Question 6. Is a credit card number considered personal information, and in what section do you find the answer? NOTE: THE ANSWER TO THIS QUESTION IS NOT SIMPLY YES OR NO, IT IS MORE COMPLICATED THAN THAT.

Question 7. Which one of the following three laws is referenced in this law, and in what section number? HIPAA, PCI-DSS, or CISA.

Question 8. How soon after the breach is discovered must the affected individuals be notified, and in what section number do you find the answer?

Question 9. What does “secured” mean in this law, and in what section number do you find the answer?

Question 10. Is notification required if the information stolen is “secured” during the breach, and in what section number do you find the answer?

Answer #1


Please find the answers below:

Question 1. What two elements of the CIA triad are referenced in this law, and in what section number(s)?

Answer:
Confidentiality and integrity are the two elements of the CIA triad referenced in this law. They are referenced in section number 4.

--------------------

Question 2. When a disclosure notification is required, in what three methods may notification be provided, and in what section number do you find the answer?

Answer:
Three methods of notification are:
"(a) Written notice;"
"(b) Electronic notice"
"(c) Substitute notice"
We can find the answer under section 8 of this law.

----------------------

Question 3. If only one Washington resident is affected by the breach, is the business still required to notify that one person?

Answer:
Yes, it is required to notify that one person affected by the breach.

--------------------

Question 4. If 1000 Washington residents are affected by the breach, who besides the people affected must be notified, and in what section number do you find the answer?

Answer:
The attorney general must be notified besides the Washington residents. We can find the answer under section 15.

---------------------------

Question 5. If the only information that is stolen in a breach is a mailing address, is notification required, and in what section number do you find the answer?

Answer:
No notification is required if only the mailing address is stolen by an unauthorized person. A mailing address alone is not personally identifiable. Section 5 of the law has the data elements of personal information. There is no mention of a mailing address as personal information. For example, a mailing address can be further broken down as business, home, etc. Many people or colleagues who work for the same company share the same business mailing address!

---------------------------

Question 6. Is a credit card number considered personal information, and in what section do you find the answer? NOTE: THE ANSWER TO THIS QUESTION IS NOT SIMPLY YES OR NO, IT IS MORE COMPLICATED THAN THAT.

Answer:
A credit card number in combination with other details such as a security code, access code, or password that allows access to an individual's financial account is considered personal information. We can find the answer under section 5(c).
"credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."

----------------------------

Question 7. Which one of the following three laws is referenced in this law, and in what section number? HIPAA, PCI-DSS, or CISA.

Answer:
HIPAA (Health Insurance Portability and Accountability Act) is referenced by this law in section 10.

---------------------

Question 8. How soon after the breach is discovered must the affected individuals be notified, and in what section number do you find the answer?

Answer:
Forty-five calendar days. We can find the answer under section 16.
"(16) Notification to affected consumers and to the attorney general under this section must be made in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered, unless at the request of law enforcement as provided in subsection (3) of this section, or due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

-----------------------


Question 9. What does “secured” mean in this law, and in what section number do you find the answer?

Answer:
We can find the answer in Section 7. "'secured' means encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person."

--------------------------

Question 10. Is notification required if the information stolen is “secured” during the breach, and in what section number do you find the answer?

Answer:
Section 1 has the answer. No notification is required for secured information unless the confidential process, encryption key, or other means to decipher the secured information is acquired by an unauthorized person. "Any person or business that conducts business in this state and that owns or licenses data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person."

-----------------------------------

Hope this is helpful. Let me know if you need more information on this.
