So about this security law, what are the proper procedures for reporting a breach and who do we report it to? Last I knew, I think we had to report a breach of security to the Attorney General's Office. I've spent weeks writing a WISP for a company, but that section stumps me. These are my index headers for the section I'm writing: 11. BREACHES a. Physical breach vs Data breach b. Lock down measures to prevent further loss c. Procedure to document actions taken in connection with a security breach d. Determining what was stolen e. Reporting to the proper agencies f Post incident review to improve security Thanks in advance for any help! David -- =========================================== David Korpiewski Software Specialist I CSCF - Computer Science Computing Facility Department of Computer Science Phone: 413-545-4319 Fax: 413-577-2285 ===========================================