Moderator

  • Attorney Benjamin Wright is an advisor to Messaging Architects, specialists in email compliance and risk management controls and services. He is the author of numerous books on technology law, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). He often serves as featured speaker at industry conferences and professional meetings, and he teaches data security and e-discovery law at the SANS Institute. Mr. Wright recently delivered SANS Onsite to the e-discovery team of a major corporation. His telephone is 1.214.403.6642. His e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.

SANS Quote

  • "The best guy in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

What Sets This Blog Apart?

  • Most law blogs simply describe the latest cases and laws. But Wright’s Legal Beagle tells the best stories in data records law, often pulling several cases or developments into a single story for public dialogue. Sometimes those stories are several years old. Mr. Wright explains how those stories teach practical, even timeless general lessons.

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog is public discussion, not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. The information here is offered as-is, with no warranty of accuracy or reliability. Mr. Wright from time to time revises the ideas published here. If you use the ideas, you do so at your own risk.

    This blog serves as the online update service for the book The Law of Electronic Commerce. Originally released in 1991, and revised continually since then, the book is a major reference for lawyers, published by Aspen Publishers.

    Mr. Wright identifies his association with quality organizations like Messaging Architects and SANS Institute. However, the only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright’s policy is to comply with all applicable laws. If any person ever has any information or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642.

Environmental Responsibility

  • Dallas, Texas. Mr. Wright is a green professional.

September 01, 2008

Private Data (or Personally Identifiable Information) Defined

Data Leakage Law

The key to avoiding liability for data leakage is due diligence. As a broad generalization, the law of data security rewards those who are diligent, who exercise due care to prevent a compromise of privacy. Hence, if a data holder is diligent, but still suffers a mishap, it is less likely to be held legally liable.

For example, Guin v. Brazos Higher Education held a loan processor was not liable for a compromise of data security, in part because the processor had taken reasonable steps to protect the data.

Reasonable steps, or due diligence, can include application of the latest technology, such as filters that inspect outgoing data transmissions and block those that appear suspicious. An e-mail filter would have been helpful to the Palm Beach County health department when an employee inadvertently broadcast a list of HIV/AIDS patients to 800 county employees.

When employing such filters, however, the issue is knowing what to filter.

Obvious targets for filtering are Social Security Numbers and credit card numbers. But privacy is a context-specific abstraction. To understand which data are and are not private, organizations have to be sensitive. For example, a person’s name plus postal address are normally not considered private. That information is commonly published in directories like telephone books. However, as one of my SANS students taught me, a public housing authority is wise to consider the name plus postal address of its residents to be private. The reason is that some residents are sensitive about living in public housing, and consider their postal address (at a public housing location) to be private!
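
An added example, not from the original post: a minimal outbound-message scan in Python that pairs the obvious patterns (Social Security Numbers, and payment card numbers validated with the Luhn checksum) with an organization-specific term list, which is where a context rule like the housing authority's would live. The function names, the sample messages and the address `100 Example Court` are constructed for illustration.

```python
import re

# Candidate patterns; the validators below cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def valid_ssn(area, group, serial):
    """Reject values never issued: area 000, 666, 900-999; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_outbound(body, context_terms=()):
    """Return sorted reasons to hold an outgoing message; empty list means release."""
    reasons = set()
    for m in SSN_RE.finditer(body):
        if valid_ssn(*m.groups()):
            reasons.add("ssn")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.add("card")
    lowered = body.lower()
    for term in context_terms:  # data that is private only in this organization
        if term.lower() in lowered:
            reasons.add("context:" + term)
    return sorted(reasons)

# Constructed sample data (assumptions, not from the original post).
HOUSING_TERMS = ["100 Example Court"]  # hypothetical public-housing address
MSG_ROUTINE = "Tracking 1234 5678 9012 3456 shipped. Ref 000-12-3456."
MSG_CARD = "Card 4111 1111 1111 1111, SSN 123-45-6789."
MSG_RESIDENT = "J. Doe, 100 Example Court, Apt 4 has a repair request."

if __name__ == "__main__":
    for msg in (MSG_ROUTINE, MSG_CARD, MSG_RESIDENT):
        print(scan_outbound(msg, HOUSING_TERMS), "<-", msg)
```

The same resident message passes a generic rule set and is held only when the housing authority's own term list is loaded, so the pattern rules can be shared across organizations while the context list has to be written by each one.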
