As the textbook says, there is no general federal law that requires businesses to disclose to customers when their personal information has been compromised in a cybersecurity breach. Instead, there are different laws in every state. For this assignment, you'll look at Washington's disclosure law:

http://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010 (Links to an external site.)Links to an external site.

If you've never read a law before, this is actually a great one to start with. Like most, the language is rather convoluted, but at least it is short. In comparison, the CISA that was passed last fall is 136 pages out of a longer bill that is over 2000 pages long.

Answer the following ten questions about Washington's disclosure law referenced above. Each question is worth 10 points. Be sure to read the law carefully, not all answers are straightforward.

When a question asks for a section number, it means the number in parentheses before the statement where you find the answer to the question. If there's a letter in parentheses before the statement, then that's just a subsection to the previous number. For instance, the statement Notification to major statewide media. is really subsection 8(c)(iii), so you would just refer to that as section 8 in your answer.

For some of these questions, the appropriate answer is to simply copy a statement from the law. When you do that, be sure to use quotation marks.

Question 1. What two elements of the CIA triad are referenced in this law, and in what section number(s)?

Question 2. When a disclosure notification is required, in what three methods may notification be provided, and in what section number do you find the answer?

Question 3. If only one Washington resident is affected by the breach, is the business still required to notify that one person?

Question 4. If 1000 Washington residents are affected by the breach, who besides the people affected must be notified, and in what section number do you find the answer?

Question 5. If the only information that is stolen in a breach is a mailing address, is notification required, and in what section number do you find the answer?

Question 6. Is a credit card number considered personal information, and in what section do you find the answer? NOTE: THE ANSWER TO THIS QUESTION IS NOT SIMPLY YES OR NO, IT IS MORE COMPLICATED THAN THAT.

Question 7. Which one of the following three laws are referenced in this law, and in what section number? HIPAA, PCI-DSS, or CISA.

Question 8. How soon after the breach is discovered must the affected individuals be notified, and in what section number do you find the answer?

Question 9. What does secured mean in this law, and in what section number do you find the answer.

Question 10. Is notification required if the information stolen is secured during the breach, and in what section number do you find the answer?