Um, for those of you who are here this morning, I'm still only functioning about 50%, but my PowerPoint works. So we're way ahead of the game. It's amazing when you're used to using audiovisuals and they don't work how they hold. The rhythm gets shot, the timing gets shot, the whole routine.

In any event, my name is Don Blumenthal. I'm a consultant in Ann Arbor; I teach at three universities. I used to be with the Federal Trade Commission, where most recently I ran the Internet Lab, which was our center for Internet investigations, the network operation side of it. Part of what I do in consulting is work data breach response, which is obviously how this presentation came about.

Now, just to clarify, because of some conversations I've had the last couple of days, I want to go into what this is and what this isn't. I'm not going to be talking about consumer protection, what you as an individual do when your data disappears. I'm not going to be talking about forensic responses, closing the holes, anything like that, except very briefly at a high level. What I am going to talk about are the laws involved. I'm going to talk about certain policies and procedures that I'd suggest people think about. And I'm going to toss out what I think are some useful practical suggestions, should your data, or more accurately data that your company is holding, disappear.

It's an evolving area, obviously. You read more and more in the way of data breaches; just another one two days ago, major league. Same day, there was a story about how the Secret Service is bringing indictments, criminal charges, against some companies.
And it looks like some of those charges are based on data that might have been stolen as long as four years ago, which gives you an idea of how this field is changing, how murky it's getting, how for different reasons companies, not companies, the bad guys, the thieves, are in a position to sit on data and not even use it for a while, so that you may not know the extent of the problem for a long ways down the road. I've got no good solutions for that part. You've got to take certain measures, but there's not much you can do about controlling how it's used wherever it's disappeared to.

I have a piece of paper that says I'm a geek, and I also have a piece of paper that says I'm a lawyer. It's obvious what's driving this slide. Very briefly, it's the standard disclaimer. I'll just pass that on by.

There's a lot of questions here, a lot of definitions to be raised, and there are no good answers yet. Fundamentally, the things you need to address when you're looking at breaches: what is PII, personally identifiable information? The definitions vary. What is a security breach? What level of disappearance? Is it internal? Is it external? Is it both? Is it data that's stolen, or is it data that's put in the dumpster? Who needs to worry about some of the data breach laws? If you need to worry about them, do you need to notify, and if so, when and how? Who needs to get notified? What do you offer to consumers to at least try to keep them at bay, keep them mollified, happy? Beyond that, how do you plan ahead?

Now, the title of the talk is what to do when my data's disappeared, post. I need to get into some of the earlier issues, things like laws, just to put things in context. I'm hardly going to deal with how to plan ahead. This is not a discussion of data breach response planning.

I don't know if anybody here remembers John Moschitta, FedEx commercials about 10, 15 years ago, the mile-a-minute, fastest-talking understandable human. I'm going to try to avoid getting into that mode.
There's a lot to cover here. I'm going to be probably doing a workshop on this in a few months that takes an entire day. I'm going to hit the high points, but sometimes it's hard to identify exactly what the high points are.

This is one of the fundamental definitions of PII, and almost all of the laws that apply to data breach focus on PII, the personally identifiable information. It's information related to an identified or identifiable individual; it could be any of these elements. In some cases together: some require all, some require enough to make the link. Name, address, credit card numbers, personal information. Medical information is a growing area. These laws at the state level started with credit information, financial information; the state of California added medical, and one other, I forget which one, I think it may be Rhode Island, has also done that. So the whole issue is definitely branching out into new areas.

Sensitive PII is another piece of the puzzle that's not quite as common, but you're starting to see regulations that talk about it. Medical conditions, racial background, opinions might help identify, believe it or not, if they can be synchronized, or correlated rather, with other pieces of data. Religion obviously, trade union membership, sexual preferences, marital status. All these things go into the equation of determining what's sensitive information, what's information that needs to be protected, what's information that if it disappears is problematic.

Let's start with a legal framework overview. I'm going to really focus on U.S. law, but I think it's fair to mention non-U.S. law, because there's a lot of back and forth these days, because there's a lot of misconceptions these days, particularly when it comes to Europe. Basically, the U.S. takes a sectoral approach. It's a patchwork set of laws: there are laws for financial services, there are laws for health, you know, Gramm-Leach-Bliley, HIPAA. The EU model is more societal.
The European Data Protection Directive is, I think, the best known. That covers everything. It covers all areas where privacy is a potential issue. It's not just the EU; some other countries have taken that model. There's the hybrid: Japan, Chile. APEC is interesting. It's European rim countries, the U.S. is part of APEC. European rim, Pacific rim. The U.S. is part of APEC. APEC itself is developing a hybrid model, although it's got a ways to go. It's not finalized by a long shot. And then many countries, including some real hot-button possibilities, the first two come to mind right off, have no laws concerning data protection.

Now, the first thing you really need to do to start this whole process, and this is what I said about understanding things in context: you need to know the relevant data security and privacy laws. The U.S., it's quite sectored. You've got Gramm-Leach-Bliley that covers financial institutions, and that uses a very broad definition of financial institutions. If you're with a university, you're covered by GLB because you process student loans. I mean, it's not just banks, it's not just credit unions. It's essentially any organization that processes financial data for the process of extending credit, managing your money, anything like that. There's the FTC, Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, FACTA. Probably the best-known thing in FACTA is annualcreditreport.com. Let me give that a plug here. I mean, that's the website you go to if you want your free credit reports. It's annualcreditreports.com. There's HIPAA, there's again education, the Family Educational Rights and Privacy Act, and others. These are all part of the picture. There's also the FTC Act, Section 5: any unfair or deceptive act or practice in or affecting commerce. That's a fun statute. There wasn't a whole lot we couldn't muck around in if we put our minds to it.
But as a result, I worked data breach cases that had nothing to do with the financial services industry. BJ's Wholesale, for example. Microsoft Passport. We did spam cases before CAN-SPAM. There's the Sarbanes-Oxley Act, going to corporate governance, that now has some implicit requirements concerning solid IT practices, which include data security practices.

We need to know the regulators: what they want, who they are, how they act, how they behave, what they expect. Gramm-Leach-Bliley, believe it or not, has eight different agencies enforcing it. That's because they have different jurisdictions. The FTC has explicitly no jurisdiction over banks, which means the Federal Reserve has to have a piece of this game. FCRA, FACTA is the FTC. Sarbanes-Oxley is SEC; HIPAA, HHS; FERPA, DOE. The Justice Department is lurking in the background, because under some of these laws they have to do the actual enforcing. There are a number of rules to be aware of. These slides are the ones that are on your CD, so I'm not going to go into a lot of details on them.

GLB is the most enforced. It may be the only enforced of the data breach laws. Be aware of it. Be aware of the FTC and how it's approached these cases. That will be your best indicator when it comes time to dealing with the regulators. The other thing I'd really recommend checking is the FFIEC guidelines. They take a little different approach, but they're critical. HIPAA, read the rules. Maybe someday HHS is going to get serious about enforcing HIPAA. They've brought one case. Until they bring more cases, nobody's going to really know how they interpret the statute, how they interpret the regulations, whether they follow the FTC's model of closely scrutinizing security plans, or just say, you looked at it, you made this decision, it's sufficient, bye-bye.

In this international world, you can't forget international laws and directives. You can't forget common law, basic stuff.
The government may come after you, but your stockholders may come after you. Your consumers who are ripped off may bring suit. Don't just focus on the government, whether federal or state. And then there are the private standards. I kind of covered this just a second ago. Contracts, tort; I didn't mention privacy issues. Those are growing; it's becoming a growing area of law, just common law privacy. It was my data, you should not have let it go. This is going to grow as class actions get more heavily involved. TJX is a good example. PCI DSS, which I know you've heard of if you've been at some of these other presentations. I'm not a big fan of it, but it's in place. The audit standards, the feds, FISMA, all part of the game.

But for all of that, there's really only two sets of national requirements that deal with data breach response planning. They all say what you need to do to secure your systems, but they don't say what, if anything, you need to do if you lose your data. One is a Fed document, interagency guidance on response programs. Again, it's in the CD. You can find it easily enough if you run Lexis or a search engine. And FISMA, which is a NIST standard that applies to federal agencies, with one caveat that I'll get to in a minute. We're unique. As far as I know, there is no government or government alliance outside the U.S. that has anything in place concerning breach notification, which really surprised me when I did the research. Even Europe, with its data protection standard, has nothing on breach notification currently. Focus your attention here to really learn what might come somewhere else.

The interagency guidance I mentioned is issued by four of the GLB agencies, and they have this definition, sensitive consumer information. A little different from PII. PII is your name and your address and all these other possible elements. Sensitive consumer information is, to me, a more legitimate set of tests.
Because it says, if the information is there and somebody can put little pieces of this, that, and the other thing together and figure out who you are, you can be hurt. You can be ripped off. So a username and a password is sufficient to trigger this, if it's leaked. A password and an account number, no name, is sufficient to trigger the Fed definition. Again, much more reasonable. I think it's a definition to keep in mind, regardless of what your breach may be. As you'll see later, I'm a firm believer in overreacting, providing too much protection, erring on the side of notifying even if you're not sure you have to. Because the long-range liability is going to be much less, I believe.

The breach response under the guidance, I think, is a good solid set of elements. I'm also a big fan of Gramm-Leach-Bliley, which is really very general when it comes to security plans and what should be in them. It leaves it up to the individual situation, knowing you've got to justify what you've done if things get ugly. But the Fed requires that a plan be in place to determine the nature, the scope, figure out what's disappeared, what's been misused. And this may not be a very easy task. I worked a project recently where a hard drive was stolen. If your database is breached, you know it's gone. You know the data elements, or you should. If a hard drive disappears, you may not know what's on there. If that hard drive contains email, you definitely have no clue what's there. We were astonished, disgusted, depressed, whatever term you want to use, after doing the forensics on the disk and finding out how many people were emailing work files with sensitive information home so they could work at night, emailing through Yahoo Mail, Hotmail. Even with a more protected or non-webmail interface, the email is just brutal, if that's what you've lost.

The Fed also requires you notify the primary GLB regulator. You tell law enforcement so they can be on top of it quickly.
But the other thing is so they can tell you, keep your mouth shut. There's an instinct; there are notification laws. We've got to talk. We've got to tell people. Well, law enforcement may not want you to tell people yet. If there's a delay, they may be able to get on top of things. So informing law enforcement, that exemption I think is very important. It's one that we'll see is in other laws. The Fed also requires customer notification. You have to describe what happened, how you handled it, and provide consumer education and services. This is the only law that requires services. You must provide credit assistance. You must provide credit protection. Again, it's something I think you would consider no matter what. But if you're balancing what you have to do and what you might want to do, the Fed's the only one that enforces it.

FISMA has procedures for detecting, reporting, responding. So they have something in place that says you've got to have breach response. What's interesting is that there is no notification piece to this. The VA was under absolutely no requirement to tell veterans when their data disappeared. Now, there's an ongoing legal battle. As a matter of fact, the last I read, two people within a given agency disagree as to whether, if you're a federal contractor holding sensitive information, you're covered by this piece of FISMA or not. Obviously, if you are, you've got to worry about having these procedures in place. It's not settled right now.

The other place to look for possible ways that you're going to be expected to react to a data loss? The FTC has a business education pamphlet and video. What happens if you're breached? A response plan is one element of what the FTC recommends. This tracks, to some extent, Gramm-Leach-Bliley: a designated coordinator, having a plan. Check this publication out for purposes of knowing what an FTC regulator, an FTC lawyer, might expect from you if you get breached. I think most of it is solid.
I think one element really doesn't make a whole lot of sense as a flat rule. This came out after I left the FTC. I won't take responsibility. I'm going to let you guess which one I think is, to put it politely, not such a wise blanket piece of advice. This is really more for, I think, consumers to understand what a company should be doing. It's much more useful in that respect. But if you're under FTC scrutiny, they are going to look at the extent to which you looked at these elements. So be aware of them.

Regulators are going to look for these items, pretty much. They're going to look for a risk-based plan. This is straight out of GLB. And again, this is the only security statute, privacy statute, data security statute that's really been enforced. The plan's got to be appropriate to the size and complexity of your business. They're going to look to what your response was when the data disappeared. How you addressed the nature, how you addressed the scope, what was breached, what systems were breached, what data was compromised. They're going to see if you informed law enforcement, the extent to which you contained and controlled the breach, if you notified where appropriate. And that's kind of curious, because the Feds don't require notification except in a limited sense. There's no hard and fast rules about which of these are the most important, should the regulators come knocking. So it's just a guessing game. It's probably not a good way to put it. Lawyers don't like to talk that way. But at least these are the factors to consider and apply. And again, I'd suggest applying them in general, not just if you're a covered industry. Even if the regulators can't come after you, your customers and shareholders can. Even if they can't, your management can, and even if they're not going to, it's to me just good solid business practice to have a good solid security plan in place, including what you're going to do if things blow up. Now, you need to be proactive.
You know, have the plan, know the regs, apply them to your environment, and react well. It's not enough just to have this plan sitting on a shelf, sitting in a notebook. You've got to show you used it. You've got to show the notebook is where somebody can get to it, not in the backseat of somebody's car. True story. Some of the stories are bizarre. The company that transferred sensitive data through an unsecured wireless network to sit on a server unencrypted. And by the way, the server had anonymous FTP going. And, gee, the data got stolen. Got stolen through the air, got stolen off the server. That was one of the true slam dunks of my career. That's when I was with the lab, so I was kind of advising rather than bringing the case.

The real enforcement factors are going to be what you represented to the public. That's part of it too. Microsoft Passport was, and there was no breach in Passport, let me explain that, but, you know, there were affirmative representations on the security of the system that weren't true. The enforcement factors are your practices to protect the data, practices to detect if it's flown. How reasonable are the measures? Now, there is no cut-and-dried rule. And when I worked cases, we would look at what companies did, and we did our best, through internal people, hired consultants, to say, was this reasonable? I mean, we brought cases where there were breaches and the cases were dropped because what they did was reasonable. Data still disappeared. There's no perfect system. There's an issue of demonstrable harm, and there's also the issue of how to direct. What was your breach notification? Right there, okay.

Once we get away from the feds, we've got the states, which are far ahead in notification. As of April, there were 39 states that had breach notification. The District has a rule. New York City and Puerto Rico both have statutes on the books. The usual state PII is what I've kind of talked about.
First name, last name, Social, driver's license, all the standard stuff that might be in a database. Most of the laws have exemptions for encrypted data, for whether the PIN, say, for an account is included or not. If you've got the account number and there's no PIN, well, maybe it's not triggered. A lot of variations, as you would expect, from 39 different states. You need to be aware of all of them, though. There are a lot of good matrices out there on the web that catalog them. I'm working on another one now.

The elements are PII, like I said. They generally exempt if data is encrypted. A lot of variations on how encryption is defined. Rhode Island, I believe, specifically says 128- or 256-bit. Some states don't say anything, which suggests that if you've got a Microsoft password on your Microsoft Excel file, that's okay, too. I don't know which is better. I really don't. Keeping it general gives the flexibility to look at a situation and say it's reasonable, but you can run into some real problems. On the other hand, do you really want to put specific technical standards in the law? Because if those standards change, if 256 gets hacked, we all know how easy it is to change a law and bring it up to speed. Most of them have exemptions if the business involved is covered by Gramm-Leach-Bliley. They vary on allowable forms of notice: email, phone, snail mail, whatever. They have different triggers with the data accessed. Was it accessed and used? Was it disclosed? They vary on who makes that determination. Does a company decide if it's likely or unlikely to have been used? Some statutes, yeah. Some statutes let the company decide whether harm is likely or unlikely. There's variations on if the statutes apply outside the jurisdiction. There are some states that say, I don't care if you're doing business in my state; if my citizens are nailed, you have to provide notifications to them.
There are other states that say, if you're in my state, you'll provide notification; I don't care where the customers are. I believe all of them have provisions for third-party data holders. If you farmed your data out, are they covered by these laws? They all have provisions. They vary significantly in how they apply. They will vary. I keep using this term, but it's an unfortunate reality. I wish there were a uniform law. How long can you wait to notify? What state and local agencies do you have to notify? Some none, some attorney general, some consumer protection. Some require that you notify credit reporting agencies. Some say you've got to notify credit reporting agencies, or the state AG or whatever it is, only if more than 5,000, more than 10,000, more than whatever thousand customers' data has disappeared. Now the real trick there is you may not know for a long time. And you may want to respond, get your notification going, long before you really do know. Some state statutes allow penalties by state government. Some have nothing. Some allow private rights of action. It's a hodgepodge, obviously.

Like I said, there are spreadsheets out there, Word documents, all sorts of things. All have tables that are really good references if you want to get on top of what you've got to do if your data disappears in terms of consumer notification. From a legal standpoint, that's probably the biggest issue: consumer notification, customer notification. And the advice here, obviously, is know the stuff. As part of developing your breach notification plan, have all this stuff tabulated. Have it ready to check. I don't care if you've got outside counsel to ask after the fact. Make sure you've had your in-house people or outside counsel prepare something like this for you, so you've got it. Probably it'd be a good idea to also know where your customers are. Keep a running tab. Know that if something happens, I've got to worry about these seven states.
I've got to worry about these 12 states and Puerto Rico and New York City. All part of being ready to move quickly.

But laws and guidelines and regulations go just so far. The real world is where it meets its test. It's the real world that provides solid examples of what to do and what not to do and what to think about. Now, basically, even before this mess does or doesn't happen, you need to have, and this is standard enterprise security stuff, I teach that at UMichigan, you need a management commitment to privacy and to compliance with the necessary laws. And you need management to be willing, ready, and able to give you the funds necessary to have things in place to keep your system secure, to keep your data secure. That's more, you know, I'm worried about data security here. The rest of the systems, well, that's another issue, just as important. You need a good solid structure so that different divisions can talk to each other. The business folks know what the tech people need. The tech people know what the business people need, and management has a handle on everything. You need targeted training so that people know how to protect data. They know what to keep on top of. And this can be basic stuff like passwords for folks who just use PCs, all the way up to good solid systems security training for the people who are maintaining the systems. And you need a response plan, obviously.

Now, the breach response can't be done in a vacuum. And this is a common issue that I run into with enterprise security. Too often, things are stovepiped. You've got this bunch of folks working PCI. You've got that bunch of folks working HIPAA. Somebody else is doing GLB. And maybe different machines are involved. Different terminals are involved. Different databases are involved. But it makes no sense to do these separately.
I mean, even if there isn't cross-connection of systems, the concepts are the same, and you're going to waste money and time and effort by doing all these things separately. All this to make sure you've got a comprehensive approach. Your approach is efficient. It's cost-effective. And everybody knows what's relevant. If you do all of these things, let's take a university, because there's not much that they couldn't get hit with. The GLB people know what's important to protect. It's useful for the people who process credit cards to know that. They're covered by PCI, non-government. And the HIPAA folks, well, there's some cross-connection there, too. So not only do you have, say, a common systems approach, everybody's got an understanding of everybody else's requirements, and that is very valuable in the planning process.

Okay, you've got the loss. You need to have documents, diagrams, plans, and I'm not going to throw out buzzwords because they're antiquated the day you hear them. Data maps, for example. You need to know where the data is. You need to know what's in it. What's in that database? What kinds of data do you have? Whose data do you have? Is it all customer, or is it cross-connected with other stuff? You need to know who the stakeholders are. Are they just your employees? Are they your retirees? Are they customers? You need to know the lines of authority in the enterprise. Who do you talk to if something happens? Who do you talk to if you need to plan for something happening? Who do you talk to if you've got a question, if something's ready to go? And it all comes down to just making sure everybody who needs to coordinate can do it. Everybody who needs to coordinate gets it done. Everybody's on the same page.

To me, the four critical pieces of the response plan are preserving evidence, and that's writ large, that's in a broad sense; determining what's been lost; determining how it was lost. Saving audits. Saving logs.
If you're talking about a break-in breach, saving logs. If you're talking about an internal transfer out, internal crisis communications. Who are you going to notify? When are you going to notify them? How are you going to notify them? Who has to be notified? Customers, employees, like I said, retirees. And this last one is really important. You've got to have a communication structure waiting for dealing with investors and employees. They're the ones who probably, particularly if it's private data, they're the ones who probably could create a lot more problems for you than customers can. It's going to be much easier to demonstrate their losses than if a credit card is stolen on the outside. One of the reasons TJX really hasn't been subjected to much in the way of penalties is it's almost impossible to prove that a stolen credit card came from that breach.

If the worst happens, notify. Include the business, the legal, PR, human resources, you know, law enforcement. Talk to your subject matter folks, and document every step, because the regulators will want to see it. It'll be important in a lawsuit. Identify what's lost. You know, if you need to, bring line-of-business people in; they know your systems. They're going to be able to spot what's gone a lot quicker. They're going to be able to spot how the data fits together to figure out, is it really PII or not. They're going to want to tell you what that abbreviation means. You may not know if it's PII. Have a lawyer, have business people around to guide every step of the process, so you've covered all your bases. You've looked at everything. You've considered all possible ramifications. Where we're talking sensitive data, don't forget things like trade secrets. Those can foul you up worse than anything if some of that gets leaked.

You need to engage outside counsel. It's unlikely your in-house people will have sufficient expertise, if you've got them. But vet your outside counsel choice.
Just because somebody says, I worked for the Federal Trade Commission, does that mean that person knows a blasted thing about Gramm-Leach-Bliley? She may have left the agency two years before Gramm-Leach-Bliley was passed. And if necessary, if that means going with a different law firm than your usual counsel, do it. I would suggest, I have a definite bias against going with the law firm that your general counsel used to be with, in general. But it can really bite you when you're dealing with something as potentially damaging as a data loss. If you need to, use your own law firm and then also hire somebody who really has applied, demonstrable security and privacy experience. Because that firm may not be able to litigate, to be fair. So your litigation counsel is fine, but have other folks who know this field.

You know, be ready to engage forensics to help you determine what's lost. A crisis management company? There's a skill to this. Identify a crisis management company who has experience, who knows how to handle the PR, who knows how to handle the required notifications. You can just roll them out, not have to worry about them. And be ready to help individuals whose data is lost. Lawyers should be lawyers. You know, be careful about the good old boy. You identify your forensics people. Your lawyer may not know, except, well, this firm's good, my ex-partner's there. Check out, you know, very often you want outside people to review the lost data to determine what's PII. Do you really need a contract lawyer doing that at lawyer rates, as opposed to a paralegal? Things to look into just to protect your own pocketbook.

Fundamentally, I believe in going above and beyond. Do the right thing. You know, the law requires notification. Maybe it does. Maybe it doesn't. Do it. The PR value is going to outweigh the cost. You know, public perception can be everything.
And, you know, if the data holders expect notification and they don't get it, they're not necessarily going to care. You know, you don't notify, but word gets out of the breach. They know it happened. They expect to hear from you. Respond to the press. Respond positively. You know, be realistic here. Spin the hell out of it. And I worked a project where I looked at the press release, and I know what happened, and I was just depressed at how little came out that customers should know. But what they did was legit, and they weren't pressed, at least so far. Who knows what's going to happen next. You know, if the regulators do call, know what the laws require. And for those of you who were here this morning, I repeat my mantra. Show respect. Don't play games. That's the worst thing you can do when law enforcement comes knocking on your door. Protect your rights. Protect your interests. But work with the folks, not against them.

Just in the future, things to keep in mind, things to look for. The identity theft task force report has recommendations. There are laws to extend GLB to all entities. There are laws for federal breach notification. There may be clarification of how FISMA applies to private contractors or states that hold federal data. There is a breach notification law that passed the House, a federal-level one, which might be a good thing. It has not passed the Senate; given where we are in the election cycle, I doubt it will pass this year. Wait until next year when it's reintroduced. The EU does have a breach notification proposal in the works. Maybe they will start requiring notification. The Canadian Privacy Commissioner has a voluntary notification set of guidelines in place. Be aware of it if you do business in Canada. Even if it's not formal, it's not nice necessarily to aggravate people in high places. You never know when something informal is going to become formal.

Any questions, please don't hesitate to contact me later on.
But in the short run, are there any questions here?

Yeah, I'm not sure what you mean about exposure to client. The laws and the regulations are going to apply regardless, except when you get into issues such as notifying credit reporting agencies. Certainly the scale of your response, your response plan, your security plan may not have the same level of requirement in it and still satisfactorily pass a regulator's muster. I mean, that to me is one of the beauties of Gramm-Leach-Bliley, the beauties of HIPAA. They are worried to take into account the realities of the business situation. They don't have anything really strong and firm. The idea is, have a plan in place and be ready to document your reasoning behind it.

No, it's more of the lights not. Part of it would depend, I mean, are we assuming here that HIPAA is covered? I mean, that you are covered by HIPAA? Okay, because there are some areas where they're gray. I approach HIPAA on the basis of following all the required guidelines, using another presentation covering all the R's and A's, and thoroughly documenting every step you did on both the R's and A's and why you did or didn't do them. And if it's a smaller company you're going to, I think, and again HHS hasn't really enforced, if it were an FTC case they would take the size of the company and the resources into account in how you addressed each element. But I would address each element. I don't care if it's addressable or required. At least have that documented. Thank you.

Yeah. It could. Yeah. The question was whether it relates to offshore data havens. The cross-jurisdictional pieces are very difficult. For the most part, it could in theory. I'm not aware of any cases that apply. And certainly none of the U.S. laws apply directly. But if you're a company that deliberately outsources your data overseas and they get hit, the regulators are going to look at it.
As a matter of fact, Gramm-Leach-Bliley specifically requires that if you do outsource your data, you require them to follow Gramm-Leach-Bliley requirements. Certainly. Now there's nothing, state laws may not because these folks are not U.S. citizens, or state citizens, state residents. But there's nothing like, and think of, that says if the data is housed here and it's a non-U.S. person, then it wouldn't cover. Boy, this got convoluted. Yes, I believe that a non-U.S. resident would be protected.

I think there was another one. These lights are killing me. Yeah. Oh no. Yeah. FERPA? It's one of the lesser-known privacy laws. Certainly it applies to higher education, student records, student information. I'm not aware of any enforcement cases under it. I mention it because the data elements to me are things that need to be considered when you're looking at the data that should be protected. You know, FERPA lets students decide whether their directory information is going to be published on the web. Now, if a student says no, and students do, there's no question about that. Given that there's that, ha, quickly. Given there's the element of privacy there, a regulator is going to look to see how those specific pieces of data were protected.

I just got the "you're done" sign. I'll be going over to the media room if I can find it this time. I'm glad to answer more questions. Thanks.
