Large Hacked Hosting Companies Violating California Law and New York Law

Discussion in 'Hosting Talk & Reviews' started by drmike, Oct 10, 2013.

  1. drmike

    Another heads up for any VPS / hosting company or those selling products to such. When you are hacked, some States in the United States require that you document and record the event with offices like the State Attorney General's Office. You are likely subject to regulations in many States since you sell to their citizens.

    In the case of California:

    California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

    Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))

    Not to be outdone, the State of New York (a state where a certain company is based who was hacked TWICE) has a similar law:

    http://www.dhses.ny.gov/ocs/breach-notification/

    Did someone actually do their paperwork and file with the authorities like good little boys?  Shall I inquire?
     
  2. texteditor

    Deep down in the black pit that is your heart, you know the answer to this (lol no)
     
  3. jarland

    This isn't where I parked my car.


    So glad someone deleted that out of line comment. It's called a joke, in this case expressing how I'm so impressed by this post that I have nothing to say. That context work for you guys? I'll submit a request next time before I post a comment.
     
  4. DomainBop

    The exact definition of "some states" is: 46 out of 50 U.S. states have data breach notification laws that must be followed if residents of the state are victims of a data breach.

    A handy guide to the laws of all states:

    http://www.perkinscoie.com/statebreachchart/

    The laws vary by state on whether companies also need to notify the State AG and/or consumer reporting agencies, and/or State/Local law enforcement agencies. Factors that determine whether notification of consumer reporting agencies or the AG is necessary include things like number of state residents affected, type of information compromised. In many states the compromise of a person's first and last name and password (as occurred in the SolusVM breaches) would be enough to trigger the breach notification laws.

    All states with breach notification laws also have hefty fines if the notification procedure isn't followed exactly. The statute of limitation for filing a complaint against a company that failed to follow the procedures in most states varies from 1-2 years.

    edited for typo :p
     
  5. drmike
