I have to say it was the email, organization charts, PowerPoint as well as the db requirements that got me. It rather looks to me as if the law is so broadly drafted its unenforceable. Jurisdiction would likely be relevant as well. Niall Litchfield On Apr 28, 2010 9:14 PM, "Bill Ferguson" <wbfergus@xxxxxxxxx> wrote: This "personally identifiable information" (PII) part has really caused me lots of heartburn. According to NIST Special Publication 800-122 (Draft), section 2.2 (Examples of PII Data): (these are just the ones that cause me heartburn) Name, such as full name, maiden name, mother's name, or alias. Address information, such as street address or email address. Telephone numbers, including mobile, business, and personl numbers. Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information). So, by these flaky definitions, the phone book is chock full of PII. Every email is PII. About the only thing that isn't PII is a blank file. So, even though the folks in my office do nothing except gather publically available information, analyze it and make some assumptions and maybe make a few graphs, etc., and then regurgitate out into another publication, everything still needs to be treated as if it contained national security secrets since parts of it will certainly contain some of the above types of data. -- -- Bill Ferguson > -----Original Message----- > From: oracle-l-bounce@xxxxxxxxxxxxx > [mailto:oracle-l-bounce@xxxxxxxx //www.freelists.org/webpage/oracle-l