1. Sensitive Data Exposure Risks & Response at Indiana University
Jonny Sweeny
IT Incident Response Manager
Indiana University
IHETS Tech Summit
30 March 2007
Describe where ITSPO fits in IU
- Ask how many folks are involved in IR
- Ask how many are *not* state agencies
Copyright 2007, The Trustees of Indiana University. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. Overview Indiana’s New State Data Protection Laws
(and a few other data protection laws and regulations)
Indiana University’s Preparation
Indiana University’s Incident Response
What We’ve Learned
Questions

3. Indiana’s New State Data Protection Laws

4. Three Data Protection Laws I’ll Review
Release of SSN
Disposal of Sensitive Data
Notice of Security Breach

5. #1 - Release of Social Security Number Law Indiana Code (IC) 4-1-10
Effective July 1, 2006, it is a crime for an Indiana state agency to disclose an individual’s Social Security Number to a party outside of the agency, unless the disclosure is authorized under Indiana state law
Covers State Agencies only

6. What is a State Agency?
For the purposes of this law, a “state agency” includes the following:
A state elected official’s office
A state educational institution
A body corporate and politic of the state created by state statute
The Indiana lobby registration commission

7. Types of Disclosures Covered
Any individual’s SSN (doesn’t have to be a “customer”), in any format:
Electronic
Paper
Oral

8. What SSN Disclosures are Authorized?
Disclosures for which we have the individual’s express written consent
Disclosures of only the last four (4) digits of the SSN
Disclosures for the purpose of administering health benefits of an employee or the employee’s dependent(s)
Except where prohibited by state or federal law or a court order:
Disclosures to a local, state, or federal agency
Disclosures by our Police Department to an individual, entity, or local, state or federal agency, for the purpose of furthering an investigation
Disclosures that are expressly required (not just permitted) by state or federal law or a court order
Disclosures made in the context of certain counterterrorism investigations
Disclosures to commercial entities for use in certain activities authorized under 3 federal laws

9. Penalties for Unauthorized Disclosures – State Agency
Enforced by the State Attorney General who can bring action against Agency
Possibility of civil suit filed by affected individual(s)
Costs associated
Constituent trust, time and other resources needed to notify as required by the third law we are going to discuss

10. Penalties for Unauthorized Disclosures – Employees
Knowing, intentional, or reckless violations are felonies:
Up to 3 years’ jail time
Up to $10,000 fines
Negligent violations are “infractions” are misdemeanors:
Up to 1 year jail time
Up to $5,000 fines
Possibility of civil suit filed by affected individual(s)

11. What Constitutes “Negligence”?
It is not clear whether “negligent” disclosure under the law covers only affirmative transfer of an SSN… or also covers inadvertent exposure of SSNs to unauthorized access due to inadequate security measures.

12. #2--Personal Information Secure Disposal Law Indiana Code (IC) 24-4-14
Effective July 1, 2006, it is a crime for a person to dispose of certain personal information of a “customer” in a non-secure manner
The "dumpster diving" law is not limited to state agencies; it covers companies too.

13. What is a Person? For the purposes of this law, a "person" means:
an individual
a partnership
a corporation
a limited liability company
or another organization

14. What Does “Dispose of” Mean?
Discarding or abandoning the “personal information” of a “customer” in an area accessible to the public
Includes placing the personal information in a container for trash collection
Don’t forget about disposal of computer drives and disks…

15. What Types of “Personal Information” are Covered?
Social Security Numbers, OR
First initial or name PLUS last name AND:
Credit card number
Financial account number or debit card number in combination with a security code, password, or access code that permits account access
Driver’s license number
State identification number

16. When is PI Not Covered?
The law only applies to personal information that is neither “encrypted” nor “redacted”
“Encrypted”:
transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or
secured by another method that renders the personal information unreadable or unusable
“Redacted”: information is altered or truncated so no more than the last 5 digits of SSN or last 4 of other personal information are accessible

17. Who are “Customers”?
Anyone who has received or contracted for the direct or indirect provision of goods or services and whose personal information you store, and
Anyone who has given you their personal information in connection with a transaction with you
For IU:
Includes students, parents, employees, bookstore and theater customers, vendors who give us personal information, etc….

18. What Types of Disposal are Secure Enough?
Shredding
Incinerating
Mutilating
Erasing
Methods that otherwise render the information illegible or unusable

19. Relationship to Other Data Security Laws…
State disposal law EXEMPTS persons who are already maintaining and complying with disposal program under:
HIPAA
Gramm-Leach-Bliley
Fair Credit Reporting Act
Driver’s Privacy Protection Act
USA Patriot Act/Executive Order 13224

20. #3 – Notice of Security Breach Law Indiana Code (IC) 4-1-11
Effective July 1, 2006, a State Agency must notify individuals whose “unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person” as a result of a system security breach
While (IC) only applies to state agencies, there is a separate similar law that covers private companies (and individuals too if I recall correctly).

21. What Types of “Personal Information” are Covered?
First initial or name PLUS last name AND at least one of the following:
SSN (> last 4 digits)
Driver’s license number
State identification card number
Credit card number
Debit card number
Financial Account number
Security code, access code, or password of financial account

22. What Does “Unencrypted” Mean?
It’s not defined in this law – best to assume the definition in the disposal law would apply

23. Some Exceptions
This law only addresses computerized (electronic) data, not paper data
Also, the law doesn’t cover theft of portable electronic devices with personal information stored on them, if access is protected by a password that has not been disclosed
Of course, IU can still give notice as a policy matter if we had these types of disclosures…

24. When Does Notice Have to be Given?
“without unreasonable delay”
Consistent with
legitimate needs of law enforcement, and
measures needed to determine scope of breach and restore system integrity
Notice may be delayed if law enforcement determines notice will impede criminal investigation

25. How May Notice Be Given? In writing By email
By conspicuous posting on IU website and notice to major statewide media, if
Cost of notice to individuals is $250K or more,
More than 500,000 people must be notified, or
We have insufficient contact information for personal notice

26. Who Else Must Be Notified?
The Indiana Attorney General
If more than 1,000 individuals’ information involved, must notify all consumer reporting agencies
Equifax, TransUnion, Experian
Heads up to them that individuals may be requesting credit reports to monitor for attempted identity theft

27. Review and Compare: Release of SSN Disposal of Sensitive Data
Notice of Security Breach

28. Other Regulations
Many other privacy/security rules and regulations dealing with specific categories of data to be protected:
FERPA: student education records
GLB: nonpublic customer information of “financial institutions”
HIPAA: personal health information
FACTA: consumer report data
PCI DSS: credit card transaction information
GLB==Gramm-Leach-Bliley

29. Payment Card Industry Data Security Standards (PCI DSS)
Merchant bank agreements impose payment card data security standards
Extensive and rigorous requirements that apply to all components of IT system involved with cardholder data access, retention and processing
Requires immediate notice to payment card company in case of security breach
Noncompliance may lead to fines, revocation of right to accept cards for payment
Mention because “sensitive data” involved and need for coordinated incident response

30. Indiana University’s Preparation

31. Indiana University Indiana University has eight campuses:
the original campus in Bloomington;
an urban campus in Indianapolis, which also includes the IU Medical Center;
and six regional campuses in the cities of Gary, South Bend, Fort Wayne, Kokomo, Richmond, and New Albany.
Total students: ~ 98,000
Total faculty and staff: ~22,000

32. Decentralized Environment
“Data Stewards” responsible for policy and practice concerning their data
Including granting access to their systems, and training about use of their data
Colleges, departments, & units are responsible for local technology and security of that technology
Individuals responsible for following policy

33. Strategy
IT Security & Policy Office partnered with University Counsel and Internal Audit to devise plan:
Composed a letter, sent by President to all faculty and staff
Gave presentations on new laws and what to do, to the Chancellors, to departmental staff, and everyone in between!
Created web page to compile information and resources in one place
Ensured Incident Response was ready
Advise as needed

34. Indiana University’s Incident Response

35. Prior Preparation
Already had procedures and “Kit” in place prior to the law being passed, due to existing industry best practice of notifying individuals
Revised “Kit” to include new requirements of the Indiana law
Presentations and Letter educated about how to report these incidents

36. Incident Response Overview
Unit takes immediate action to report incident to IT Security & Policy Office (ITSPO)
An Incident Team is immediately assembled to advise and assist in :
containing and limiting the exposure
investigating the attack
ensuring appropriate approvals
handling notification to the affected individuals and agencies
Incident “belongs” to the unit that caused it, but is “coordinated” by the ITSPO
Post mortem held 2-6 weeks afterwards
In the event of a security incident concerning a computer hosting sensitive institutional or personal data, the unit must take immediate action to report the incident to the University Information Technology Security and Policy Office (ITSPO). ITSPO is charged with investigation into incidents where sensitive institutional or personal data is suspected to have been exposed, and it has experienced and licensed forensic engineers on staff.
An Incident Team will immediately be assembled to advise and assist in containing and limiting the exposure, in investigating the attack, in ensuring appropriate approvals are obtained at various steps in the process, and in handling notification to the affected individuals and agencies.
This coordination has worked out great, because we can pass on work already done for previous incidents.

37. What Kind of Breaches? Prior to new law: Since July, 2006:
Faculty member kept old computer when new ones were distributed, patches were not kept up to date, had grade rosters on it
Outsourced server not properly secured
Since July, 2006:
Secretary mistakenly ed to wrong address, with spreadsheet attached
Laptop of faculty member stolen from his locked car in his garage, had grade rosters on it
Library posted archive data on web
Flash drive lost, with programmer’s data on it
No damages yet reported – but we err on the side of caution

38. IU’s Sensitive Data Exposure Incident Kit
I. Checklist
II. Sample Notification Letters
III. Template for Web Page and FAQ
IV. Sample Press Releases
Dealing with Contacts from Press
(with Sample Talking Points)
VI. Dealing with Contacts from Individuals
Depending on the size of the exposure…
***DO NOT TAKE ACTION until advised by the ITSPO. Do not access or alter the compromised system. Do not power it off. ***
***DO NOT TALK about the incident with any other parties until you are authorized as part of the process outlined in this document.***
This kit contains the information needed by your unit, in cooperation with the other individuals on your Incident Team, to coordinate the incident. The University Information Technology Security and Policy Office (ITSPO), in the Office of the Vice President for Information Technology (OVPIT), has oversight responsibility to assist the unit in taking all necessary steps and in obtaining all necessary approvals. It is the responsibility of the unit to identify the resources needed to lead and accomplish an appropriate and timely resolution to the incident.
TIME IS CRITICAL. Immediately containing and limiting the exposure is first priority. Also, individuals involved in such incidents expect expeditious notification to them so that they can monitor their accounts. The most common complaints after an incident are about how long it took the organization to contain the exposure and to send notifications. IU’S GOAL IS TO NOTIFY WITHIN ONE WEEK!

41. What We’ve Learned

42. Experience Tells Us… TIME IS CRITICAL
Unit will not have experience to handle on their own
Important to have coordination by one unit, sharing materials and knowledge gained
Focus should be on the individuals affected, not the press
The Attorney General has given us an A+!
Not sure if that is good or bad… 
But the AG's office said it believes more data privacy and security bills are on their way, without specifying what that meant. One thing they said was that the breach notification law may be expanded to require notice of more than just SSNs (the AG's office wrote a rule that covers disclosure of credit card numbers etc. too, but the statute actually only provides for notice of SSNs, and the AG's office has concluded its rule only applies to them now too. But they foreshadowed an expansion of the underlying notice law in the future to cover those other data elements).

43. Issues
Can we proactively look for this data, or will we get in trouble with the AG?
How to ensure every employee is trained appropriately, regardless of whether they have access to a data repository or not
Staying up to date with legislation both at state and federal levels…

44. Issues (cont.)
In proactively looking for this data, we are considering approaches that are:
Systematic
Manageable
Relatively Thorough
Systematic: we need a plan; what are the best methods to do these searches? how frequently should we perform them? How can we manage the scope of our searches?
Manageable: we need to be able to control the number of exposures we are handling at any one time. we all know coordinating the response to data exposures are a significant time sink, plus we want to be able to maintain our practice of notifying individuals within seven days of becoming aware of the incident. how do we limit the scope of our searches as to not exceed our capacity to efficiently handle them?
Relatively Thorough: whatever approach we use to discover data exposures, we need to make sure they are as good at finding the data as we can make them. we will most likely run into capacity problems (e.g., sniffer load), but those should be identified and then handled if we can fund them within reason. the whole point is that it's much better if *we* discover the exposure than it is if one of the victims finds their own personal data being exposed.

45. Questions?

46. Jonny Sweeny jsweeny@iu
Jonny Sweeny Indiana University IT Security & Policy Office Data Protection Web Page dataprotection.html